کد مقاله | کد نشریه | سال انتشار | مقاله انگلیسی | نسخه تمام متن |
---|---|---|---|---|
456405 | 695712 | 2013 | 11 صفحه PDF | دانلود رایگان |

This paper investigates the evidential potential of the IconCache database file when tracking activity from USB connectable devices on Windows systems. It focuses on the artifacts which are created and retained on a Windows host when executable files are either present on or run from a USB connectable device. Artifacts left in the IconCache database as a result of running executables from a DVD drive or the host itself, are also examined.It is shown that the IconCache.db stores numerous artifacts of investigative interest. These are created on system boot and added to, both when using host-based executables and when installing or using executables from other media. Executables present on USB devices, whether invoked or not, will create artifacts in the IconCache.db. file. Findings should therefore be interpreted carefully and corroborated against other evidence.
Journal: Digital Investigation - Volume 9, Issues 3–4, February 2013, Pages 200–210