Automatic Forensic Imaging of a Virtual USB Device with Emulated User Interaction

Abstract

The bird’s-eye view of the digital forensic process is the acquisition and preservation of the evidence, the analysis of the acquired data, and the presentation of the findings. Forensic practitioners need a hands-on approach to investigate with high-quality standards. Among the ways to produce labs and demonstrations, there is forensic imaging of USB devices where the forensic expert has planted, for instance, suspicious files. Such a process is time-consuming. We intend to programmatically write a scenario of user actions rather than manually perform them. It would be much easier if we get rid of the USB device and use a virtual USB-like disk image file. The current study describes how we have automatically generated user digital artifacts on a USB-like disk image file. A host OS script would control a pre-configured VM and a guest agent. That agent would take care of the emulation of a user’s scenario.