Rewind, Revisit, Reinforce, Retain with OnDemand - Special Offer Available Now


To attend this webcast, login to your SANS Account or create your Account.

USB Devices and Media Transfer Protocol: Identifying the Existence of Data Exfiltration Artifacts

  • Tuesday, July 08, 2014 at 1:00 PM EDT (2014-07-08 17:00:00 UTC)
  • Please Check Back

You can now attend the webcast using your mobile device!



The prolific use of mobile phones in general and the use of these devices within corporate environments has started changing the ways examiners approach these kinds of cases. When it comes to questions surrounding potential data exfiltration, a mobile phone can be used to steal data. Mobile phones connected via USB to a workstation can provide an easy way to copy data.

Many mobile OSs are adopting Media Transfer Protocol (MTP) as the default for interfacing with the Windows workstations to which they are connected. The artifacts generated on a Windows OS when using MTP devices are different from Mass Storage Class (MSC) USB device artifacts generated (thumb and external drives). Therefore, when identifying whether data exfiltration took place from a machine, it is important to understand the differences between the artifacts generated for the aforementioned USB protocols.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.