Forensic Computing: Use of Linux Log Data in USB Portable Storage Device Artefact Analysis

Kemble, A. (2008). Forensic Computing: Use of Linux Log Data in USB Portable Storage Device Artefact Analysis. Student dissertation for The Open University module M801 MSc in Software Development Research Dissertation.

Please note that this student dissertation is made available in the format that it was submitted for examination, thus the author has not been able to correct errors and/or departures from academic standards in areas such as referencing.



Portable storage devices (PSDs) can be very useful but they pose a big security risk. News reports regularly describe companies and government departments losing personal and confidential data. The consequences can involve potential for identity fraud, contract termination and threats to national security. In the event of suspected security breach an organisation may investigate to determine the extent of the problem and find those responsible. Most computer use results in artefacts remaining on the computer long after the activity occurred. These artefacts may be used in a forensic investigation to identify the actions that took place. In an investigation of USB portable storage devise usage, the user, storage device, time of use and purpose would need to be determined to identify a case of misuse. A series of experiments were performed to study the data available on a Linux computer with various logging configurations. A forensic investigation method was adopted from the current literature and evolved during the project. The results show the default configuration of a given Linux distribution does not provide enough evidence to satisfy a forensic investigation into USB flash drive usage, but improvements can be made by modifying the logging software configuration. The project delivers an evaluation of the native Linux logging software and provides a recommendation of the most effective at recording PSD artefacts. The project also provides a tested investigation procedure that helps determine what PSD usage has taken place on a Linux computer.

Viewing alternatives

Download history


Public Attention

Altmetrics from Altmetric

Number of Citations

Citations from Dimensions

Item Actions