The windows IconCache.db: A resource for forensic artifacts from USB connectable devices

Collie, Jan (2013). The windows IconCache.db: A resource for forensic artifacts from USB connectable devices. Digital Investigation, 9(3-4) pp. 200–210.

DOI: https://doi.org/10.1016/j.diin.2013.01.006

Abstract

This paper investigates the evidential potential of the IconCache database file when tracking activity from USB connectable devices on Windows systems. It focuses on the artifacts which are created and retained on a Windows host when executable files are either present on or run from a USB connectable device. Artifacts left in the IconCache database as a result of running executables from a DVD drive or the host itself, are also examined.

It is shown that the IconCache.db stores numerous artifacts of investigative interest. These are created on system boot and added to, both when using host-based executables and when installing or using executables from other media. Executables present on USB devices, whether invoked or not, will create artifacts in the IconCache.db. file. Findings should therefore be interpreted carefully and corroborated against other evidence.

Viewing alternatives

Metrics

Item Actions

Export

You can export this page using these formats Digital Object Identifier - DOI

About

• Item ORO ID
• 70045
• Item Type
• Journal Item
• ISSN
• 1742-2876
• Keywords
• IconCache.db; USB drives; USB forensics; forensic artifacts; forensic analysis
• Academic Unit or School
• Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
  Faculty of Science, Technology, Engineering and Mathematics (STEM)
• Copyright Holders
• © 2013 Elsevier Ltd.
• Related URLs
• • https://www-sciencedirect-com.libezproxy...
• Depositing User
• Jan Collie