Copy the page URI to the clipboard
Collie, Jan
(2013).
DOI: https://doi.org/10.1016/j.diin.2013.01.006
Abstract
This paper investigates the evidential potential of the IconCache database file when tracking activity from USB connectable devices on Windows systems. It focuses on the artifacts which are created and retained on a Windows host when executable files are either present on or run from a USB connectable device. Artifacts left in the IconCache database as a result of running executables from a DVD drive or the host itself, are also examined.
It is shown that the IconCache.db stores numerous artifacts of investigative interest. These are created on system boot and added to, both when using host-based executables and when installing or using executables from other media. Executables present on USB devices, whether invoked or not, will create artifacts in the IconCache.db. file. Findings should therefore be interpreted carefully and corroborated against other evidence.
Viewing alternatives
Metrics
Public Attention
Altmetrics from AltmetricNumber of Citations
Citations from DimensionsItem Actions
Export
About
- Item ORO ID
- 70045
- Item Type
- Journal Item
- ISSN
- 1742-2876
- Keywords
- IconCache.db; USB drives; USB forensics; forensic artifacts; forensic analysis
- Academic Unit or School
-
Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM) - Copyright Holders
- © 2013 Elsevier Ltd.
- Related URLs
- Depositing User
- Jan Collie