USBDetective

CompoundCompoundv1

Author: Kevin Pagano

description

Collects files that can be input into USB Detective for parsing

includes (7)

USBDevicesLogs 3 paths →

RegistryHives

EventLogs 3 paths →

LNKFilesAndJumplists 8 paths →

Amcache 4 paths →

paths

74 pathsfrom 7 targets

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Collection Script
# Target: USBDetective (Compound Target)
# Use KAPE for compound target collection:
# kape.exe --tsource C: --tdest D:\Evidence --target USBDetective

Write-Host "For compound targets, use KAPE directly for best results." -ForegroundColor Yellow

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

Note: This is a compound target that references 5 other targets. KAPE will automatically collect all referenced artifacts.

› cyberchef recipes

Registry Binary
Decode binary registry values
open in cyberchef(opens in new tab)

Open in CyberChef to decode values extracted from this artifact.

references

For more information on USB Detective go here: https://usbdetective.com/features/

// description

// includes (7)

// paths

// collection commands

// references

description

includes (7)

paths

collection commands

references