F-Response and USB Detective
Apr 29, 2024
It should come as no surprise that we love finding new and interesting analysis tools. Finding investigative software that works well over F-Response is a passion of ours.
Recently, a customer reached out and asked us if USB Detective worked over an F-Response collection. Truthfully, we didn't know. So, we reached out to Jason and the team at USB Detective and asked. After a phone call and a couple of emails, we had a fully functional trial version to spin up and test in our lab.
TL;DR: Yes, it works just fine.
Any of the Classic versions of F-Response (TACTICAL, Consultant, Consultant + Covert, and Enterprise), as well as Universal, work fine with USB Detective. Simply attach the device (volume) from the remote machine and point USB Detective at the Windows-mounted drive letter. The tool takes over from there and reads through the files to gather valuable information. Its features include:
- Processes USB device artifacts from Windows XP through Windows 11
- Support for live system, individual files/folders, and logical drive processing
- Processes multiple versions of all accepted artifacts
- Source of every identified value preserved for later reporting and documentation
- Leverages the latest changes in Windows to obtain even more device information
- Visually represented timestamp consistency levels
- Dozens of sources queried for USB device information
- Automatically correlates LNK file and jump list records to show opened/accessed files on USB devices
- Processes shellbags to reveal directory interactions and creations on removable media
It's a great tool with good people behind it. We're glad it works with F-Response and recommend checking it out for all your USB device investigation needs.
Tell them F-Response sent you!
Thanks for reading.
Warmest Regards,
M Shannon