The windows IconCache.db: A resource for forensic artifacts from USB connectable devices

This paper investigates the evidential potential of the IconCache database file when tracking activity from USB connectable devices on Windows systems. It focuses on the artifacts which are created and retained on a Windows host when executable files are either present on or run from a USB connectable device. Artifacts left in the IconCache database as a result of running executables from a DVD drive or the host itself, are also examined.It is shown that the IconCache.db stores numerous artifacts of investigative interest. These are created on system boot and added to, both when using host-based executables and when installing or using executables from other media. Executables present on USB devices, whether invoked or not, will create artifacts in the IconCache.db. file. Findings should therefore be interpreted carefully and corroborated against other evidence.