USB Devices and Media Transfer Protocol: Identifying the Existence of Data Exfiltration Artifacts

  • Tuesday, 08 Jul 2014 1:00PM EDT (08 Jul 2014 17:00 UTC)
  • Speaker: NULL

The prolific use of mobile phones in general and the use of these deviceswithin corporate environments has started changing the ways examinersapproach these kinds of cases. When it comes to questions surroundingpotential data exfiltration, a mobile phone can be used to steal data.Mobile phones connected via USB to a workstation can provide an easy wayto copy data.

Many mobile OSs are adopting Media Transfer Protocol (MTP) as the defaultfor interfacing with the Windows workstations to which they are connected.The artifacts generated on a Windows OS when using MTP devices aredifferent from Mass Storage Class (MSC) USB device artifacts generated(thumb and external drives). Therefore, when identifying whether dataexfiltration took place from a machine, it is important to understand thedifferences between the artifacts generated for the aforementioned USBprotocols.