USB Device Tracking: How Forensic Examiners Prove Data Theft
- Lance Sloves

One of the most common ways employees steal proprietary data is deceptively simple: they plug in a USB flash drive, copy the files they want, and walk out the door. Many assume that once the drive is disconnected, there is no trace of what happened. That assumption is wrong. Windows keeps forensic artifacts that record which USB storage devices have been connected to a computer, when they were connected, and, depending on the auditing and logging in place, which files were accessed while the device was attached. Those artifacts persist until the disk is wiped or someone deliberately cleans them.
For attorneys handling trade secret misappropriation, non-compete violations, and corporate espionage cases, USB forensic evidence can be the smoking gun that proves data theft occurred and identifies exactly when it happened.
What Windows Records About USB Devices
Every time a USB storage device is connected to a Windows computer, the operating system creates registry entries and log records that persist long after the device is removed. The SYSTEM hive records the device's vendor, product name and serial number under the USBSTOR enumeration key, and its MountedDevices key ties the device to the drive letter and volume GUID it was assigned. The device's property keys in the SYSTEM hive hold first-install, last-arrival and last-removal timestamps, and the SOFTWARE hive's Windows Portable Devices key records the volume name the device carried. The SetupAPI device log (setupapi.dev.log) records the date and time the device driver was installed, which normally corresponds to the first connection, since later connections of an already-installed device do not write a new install section.
Windows Event Logs provide additional corroboration. The Microsoft-Windows-Partition/Diagnostic log writes event 1006 on connection and disconnection with the device's manufacturer, model and serial number, and Security event 6416 records each new external device when Audit PnP Activity is enabled. The DriverFrameworks-UserMode/Operational log records connect and disconnect events (for example ID 2003 at connection) but is disabled by default on current Windows versions, so it is often empty. If object access auditing is configured, including the Removable Storage subcategory, Security event 4663 records which files were read or written while the device was attached; Windows does not log a "copy" as such, so copying is inferred from reads of the source files paired with writes on the removable volume. Finally, the user's NTUSER.DAT hive links a specific account to a specific device: its MountPoints2 key lists the volume GUIDs that account has mounted, and its RecentDocs key records the files that account opened.
Building the Forensic Timeline
A skilled forensic examiner correlates these artifact sources to construct a detailed timeline of USB activity. For example, the investigation might reveal that an employee connected a 64GB SanDisk USB drive to their company laptop at 11:47 PM on a Tuesday, three days before submitting their resignation. Security audit events and file system timestamps (where last-access updates are enabled) show that 847 files were accessed from the company's confidential project folder between 11:47 PM and 1:23 AM. The last-removal timestamp shows the device was disconnected at 1:24 AM. The same device serial number appears again on the employee's last day, connected for 45 minutes during lunch.
This kind of timestamped, multi-source evidence creates a narrative that is extremely difficult for the opposing party to refute. The data comes from the operating system itself, generated automatically without human intervention, and a hardware serial number identifies the specific device that was used. One caveat: not every USB device reports a serial number. When one is missing, Windows generates an instance ID whose second character is an ampersand, and that generated ID is not unique across computers, so the examiner must say so rather than present it as a device fingerprint.
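The correlation described above, reduced to code, as an added example that is not part of the original article or CFSI's tooling. Every record in it is constructed: USB_DEVICES stands in for the USBSTOR and MountedDevices registry data (the registry itself keeps only the most recent arrival and removal; earlier sessions come from event logs), MOUNTPOINTS2 for the per-user NTUSER.DAT key, and FILE_EVENTS for Security event 4663 entries. The serial number, volume GUID, account names and paths are invented.

```python
"""Correlate USB device artifacts into per-session summaries.

Added example, not CFSI's tooling.  All records below are constructed.
"""
from datetime import datetime

CONFIDENTIAL_ROOT = r"C:\Projects\Confidential"            # assumed location of protected data
VOLUME_GUID = "{6f1a2b3c-4d5e-4f60-8a9b-0c1d2e3f4a5b}"   # invented volume GUID

USB_DEVICES = {
    "4C530001234567891234": {                           # invented hardware serial
        "product": "SanDisk Cruzer Glide 64GB",
        "volume_guid": VOLUME_GUID,
        "sessions": [                                   # (arrival, removal) pairs
            (datetime(2024, 3, 5, 23, 47), datetime(2024, 3, 6, 1, 24)),
            (datetime(2024, 3, 8, 12, 5), datetime(2024, 3, 8, 12, 50)),
        ],
    },
}
# user -> volume GUIDs present in that user's NTUSER.DAT MountPoints2 key
MOUNTPOINTS2 = {"jdoe": {VOLUME_GUID}, "asmith": set()}
# (time, account, object name) from constructed Security 4663 events
FILE_EVENTS = [
    (datetime(2024, 3, 5, 23, 52), "jdoe", r"C:\Projects\Confidential\design.docx"),
    (datetime(2024, 3, 6, 0, 10), "jdoe", r"C:\Projects\Confidential\roadmap.xlsx"),
    (datetime(2024, 3, 6, 0, 41), "jdoe", r"C:\Projects\Confidential\customers.csv"),
    (datetime(2024, 3, 6, 1, 5), "jdoe", r"C:\Users\jdoe\Music\song.mp3"),
    (datetime(2024, 3, 6, 9, 15), "jdoe", r"C:\Projects\Confidential\design.docx"),
    (datetime(2024, 3, 8, 12, 10), "jdoe", r"C:\Projects\Confidential\pricing.pptx"),
]


def usb_sessions(devices, mountpoints2, events, confidential_root, off_hours=(20, 6)):
    """One summary per (device, arrival..removal) window.

    off_hours=(start, end) flags sessions that begin at or after `start` o'clock
    or before `end` o'clock, the late-night pattern examiners look for.
    """
    start_h, end_h = off_hours
    root = confidential_root.lower().rstrip("\\") + "\\"
    summaries = []
    for serial, dev in devices.items():
        for arrival, removal in dev["sessions"]:
            window = [e for e in events if arrival <= e[0] <= removal]
            confidential = sorted({p for _, _, p in window if p.lower().startswith(root)})
            users = sorted({u for _, u, _ in window})
            summaries.append({
                "serial": serial,
                "product": dev["product"],
                "arrival": arrival,
                "removal": removal,
                "minutes": int((removal - arrival).total_seconds() // 60),
                "users_active": users,
                # accounts that acted during the window AND carry this volume
                # in their own MountPoints2 key: the user-to-device link
                "users_with_mountpoints2": [u for u in users
                                            if dev["volume_guid"] in mountpoints2.get(u, set())],
                "confidential_files": confidential,
                "off_hours": arrival.hour >= start_h or arrival.hour < end_h,
            })
    return sorted(summaries, key=lambda s: s["arrival"])


def timeline(summaries):
    """Render the summaries as the narrative lines a report would carry."""
    lines = []
    for s in summaries:
        flag = " [off-hours]" if s["off_hours"] else ""
        lines.append(f"{s['arrival']:%Y-%m-%d %H:%M} connect  {s['product']} (serial {s['serial']}){flag}")
        for path in s["confidential_files"]:
            lines.append(f"    confidential file accessed: {path}")
        linked = ", ".join(s["users_with_mountpoints2"]) or "none"
        lines.append(f"{s['removal']:%Y-%m-%d %H:%M} remove   after {s['minutes']} min; "
                     f"MountPoints2 match: {linked}")
    return lines


if __name__ == "__main__":
    print("\n".join(timeline(usb_sessions(USB_DEVICES, MOUNTPOINTS2, FILE_EVENTS, CONFIDENTIAL_ROOT))))
```

The access at 9:15 AM falls outside both sessions and is therefore excluded, and the music file inside the first session is kept out of the confidential list; both are the kinds of distinction the opposing side will probe, so the code makes them explicit rather than counting every event near the connection.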
Identifying What Was Taken
Proving that a USB device was connected is only half the battle. Attorneys also need to show what data was copied. Several artifacts help answer this question. Shellbags, stored in the user's NTUSER.DAT and UsrClass.dat hives, record which folders the user browsed in File Explorer, including folders on removable volumes. Jump Lists hold per-application lists of recently opened files. Link (LNK) files are created when a user opens a file through Explorer and record the target's full path, the drive type (removable or fixed), the serial number and label of the volume it sat on, and the target's own timestamps and size; a file opened directly from the USB drive therefore leaves an LNK file that ties the file name to that drive letter and volume. The volume serial number in an LNK file identifies the formatted volume, not the USB hardware serial, so tying an LNK file to a specific physical device is a separate step that goes through the drive-letter and volume records in the registry.
If the computer has not been reimaged, the examiner may also find remnants of the copied files in the NTFS Master File Table (MFT) and USN change journal, Prefetch files showing which applications were run to open the files (Prefetch is enabled by default on Windows workstations but not on Windows Server), and thumbnail cache entries that preserve small preview images of documents and photos that were viewed or copied.
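A minimal parser for the fields discussed above, written as an added example rather than code from the article or from CFSI. It reads the header and LinkInfo structures of a shell link file as laid out in Microsoft's MS-SHLLINK specification and returns the target's path, drive letter, drive type, volume serial number, label and timestamps. build_lnk() is a hypothetical helper that fabricates a small link file so the parser can run offline; real LNK files carry further structures (shell item ID lists, string data, extra data blocks) that this parser skips or ignores.

```python
"""Minimal Windows shell link (.lnk) parser for the LinkInfo fields.

Added example, not CFSI's tooling.  build_lnk() fabricates a sample file;
its path, volume serial, label and timestamp are invented.
"""
import struct
from datetime import datetime, timedelta

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED",
               4: "DRIVE_REMOTE", 5: "DRIVE_CDROM"}
EPOCH_1601 = datetime(1601, 1, 1)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; integer maths keeps it exact."""
    seconds, ticks = divmod(ft, 10_000_000)
    return EPOCH_1601 + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")   # ANSI code page assumed


def parse_lnk(data):
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "target_size": size,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
    }
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        base = pos                                  # LinkInfo offsets are relative to its start
        _li_size, _li_hdr, li_flags, vol_off, lbp_off, _cnrl_off, _cps_off = \
            struct.unpack_from("<7I", data, base)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = base + vol_off
            _vsize, dtype, vserial, label_off = struct.unpack_from("<4I", data, vol)
            path = _cstring(data, base + lbp_off)
            info.update({
                "drive_type": DRIVE_TYPES.get(dtype, f"DRIVE_{dtype}"),
                "volume_serial": f"{vserial >> 16:04X}-{vserial & 0xFFFF:04X}",
                "volume_label": _cstring(data, vol + label_off),
                "local_base_path": path,
                "drive_letter": path[:2] if len(path) > 1 and path[1] == ":" else None,
            })
    return info


def build_lnk(local_base_path, drive_type, volume_serial, label, modified, size=4096):
    """Hypothetical helper: emit a header + LinkInfo with a VolumeID and LocalBasePath."""
    label_b = label.encode("cp1252") + b"\x00"
    path_b = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, volume_serial, 16) + label_b
    vol_off = 28                                    # LinkInfoHeaderSize without Unicode offsets
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(path_b)                 # empty CommonPathSuffix follows the path
    link_info = struct.pack("<7I", cps_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + path_b + b"\x00"
    ft = datetime_to_filetime(modified)
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", HAS_LINK_INFO, 0x20, ft, ft, ft, size, 0, 1, 0, 0, 0, 0)
    return header + link_info


# Constructed sample: a document opened from a removable volume mounted as E:
SAMPLE_LNK = build_lnk(r"E:\Confidential\design.docx", 2, 0x1A2B3C4D, "SANDISK",
                       datetime(2024, 3, 5, 23, 51))

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:>16}: {value}")
```

The drive type and volume serial are what make an LNK file evidentially useful here: DRIVE_REMOVABLE plus a volume serial that also appears in the registry's drive-letter records places the opened file on the USB volume rather than on the local disk, and the target timestamps show the state of the file at the time the link was made.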
Countering Common Defenses
Employees accused of USB data theft typically raise several defenses. They may claim the USB connection was for an innocent purpose such as charging a phone, that someone else used their computer, or that they were authorized to access the files. Forensic evidence can address each of these claims. A phone connected only for charging enumerates under the USB key, or as a Windows Portable Device if MTP is active, not under USBSTOR as a mass-storage disk, so it leaves a different set of artifacts from a flash drive. Workstation logon events (Security event 4624) and Active Directory authentication records can confirm which account was logged in during the USB connection, and the MountPoints2 key in that account's NTUSER.DAT ties the account to the volume. And file access patterns showing late-night bulk reads of confidential folders are inconsistent with normal authorized work activity.
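A parser for the SetupAPI device log described under "What Windows Records About USB Devices", which also shows the phone-versus-flash-drive distinction made in the paragraph above. This is an added example, not code from the article or from CFSI. The log excerpt is constructed to mimic the Windows 10 format of C:\Windows\inf\setupapi.dev.log; every device ID, serial and timestamp in it is invented. The parser records the install timestamp (the first-connection time), classifies each entry by its enumerator (USBSTOR for mass storage, USB for a phone or other non-storage device), and flags Windows-generated instance IDs, whose second character is an ampersand, so that they are not mistaken for hardware serial numbers.

```python
"""Extract device install records from setupapi.dev.log.

Added example, not CFSI's tooling.  SAMPLE_LOG is a constructed excerpt in
the Windows 10 log format; all identifiers and times in it are invented.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567891234&0]
>>>  Section start 2024/03/05 23:47:12.345
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 23:47:12.360
<<<  Section end 2024/03/05 23:47:13.101
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&32f6a2c1&0&_&0]
>>>  Section start 2024/03/06 14:02:40.018
<<<  Section end 2024/03/06 14:02:40.902
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_18D1&PID_4EE1\1A2B3C4D5E6F]
>>>  Section start 2024/03/07 12:15:03.500
<<<  Section end 2024/03/07 12:15:04.011
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")


def describe(rec):
    """Split a device instance ID into enumerator, hardware IDs and instance part."""
    bus, _, rest = rec["instance_id"].partition("\\")
    device_part, _, instance = rest.rpartition("\\")
    rec["bus"] = bus
    rec["mass_storage"] = bus.upper() == "USBSTOR"      # flash drives; phones appear under USB
    # Windows generates the instance ID when the device reports no serial;
    # such IDs have "&" as their second character and are not unique across machines
    rec["serial_generated"] = len(instance) > 1 and instance[1] == "&"
    rec["serial"] = instance if rec["serial_generated"] else instance.rsplit("&", 1)[0]
    ids = dict(part.split("_", 1) for part in device_part.split("&") if "_" in part)
    rec["vendor"] = ids.get("Ven")
    rec["product"] = ids.get("Prod")
    rec["vid_pid"] = (ids.get("VID"), ids.get("PID"))
    return rec


def parse_setupapi(text):
    """Return one record per hardware-initiated device install section."""
    records, current = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            current = {"instance_id": m["id"]}
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["first_install"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_RE.match(line)
        if m:
            current["status"] = m["status"]
            records.append(describe(current))
            current = None
    return records


def storage_devices(records):
    """Only the mass-storage installs, oldest first: the candidates for data theft."""
    return sorted((r for r in records if r["mass_storage"]), key=lambda r: r["first_install"])


if __name__ == "__main__":
    for r in parse_setupapi(SAMPLE_LOG):
        kind = "mass storage" if r["mass_storage"] else f"non-storage ({r['bus']})"
        serial = r["serial"] + (" [Windows-generated]" if r["serial_generated"] else "")
        print(f"{r['first_install']:%Y-%m-%d %H:%M:%S}  {kind:<18}  {r['vendor'] or '-'} "
              f"{r['product'] or '-'}  serial={serial}")
```

The third entry is what a phone in charge-only or MTP mode looks like: a VID/PID under the USB enumerator with no USBSTOR disk, which is why the "I was only charging my phone" explanation does not account for a USBSTOR entry carrying a vendor, product and serial number.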
Preserving USB Forensic Evidence
The single most important step in preserving USB forensic evidence is creating a forensic image of the employee's computer, through a write-blocker and with the image hashed, before IT reimages or reassigns it. Once the hard drive is wiped, the registry entries, event logs, shellbags, link files and file system artifacts described above are gone. Attorneys should instruct their clients to immediately secure any computer used by an employee suspected of data theft, not to log in to it or "look around", and to contact a forensic examiner before any changes are made to the system.
Contact CFSI for USB Forensic Investigations
Computer Forensic Services, Inc. has extensive experience investigating USB-based data exfiltration in trade secret, non-compete, and corporate espionage cases. Our forensic analysis has supported successful TRO applications, preliminary injunctions, and trial testimony across Texas and nationwide. Contact us at (214) 306-6470 or email info@cfsiusa.com for a confidential consultation about your case.
This article was prepared by Computer Forensic Services, Inc. (CFSI) with AI-assisted research and drafting. All content has been reviewed for accuracy by CFSI’s certified forensic examiners.
