When intellectual property is stolen, it is often removed from the company network through portable storage devices like USB drives. Even if the files themselves are no longer present, USB usage leaves behind valuable traces that can help investigators piece together what happened.
Digital forensics can uncover these “artifacts,” which are records of USB activity, to determine when a device was connected, what it accessed, and in some cases even which files were involved.
Why USB Artifacts Matter
USB activity artifacts can provide:
- Connection Dates and Times: Showing exactly when a device was plugged in and removed.
- Device Identifiers: Such as make, model, and serial number.
- User Associations: Which user account was logged in when the device was used.
- File Access Clues: Indirect indicators of files copied or opened from the device.
These artifacts can support or challenge statements about data handling during a suspected theft.
Common Scenarios in IP Theft Cases
- A departing employee connects a personal USB drive and copies project files before resignation.
- A contractor uses a USB device to bypass restricted network transfers.
- Multiple USB devices appear in logs without company-issued inventory records.
Where to Look for USB Evidence
USB usage can be logged in multiple locations, including:
- Windows Registry Entries storing device details and timestamps.
- System Event Logs recording device connection events.
- ShellBags and Link Files indicating user navigation to files on the USB drive.
- Third-Party Security Logs from endpoint protection or data loss prevention tools.
Preserving USB Evidence
Once USB use is suspected, it’s critical to:
- Forensically image the suspect computer.
- Preserve event logs before they roll off.
- Identify all connected devices and match them to authorized inventory.
- Correlate USB use with file server or cloud activity logs.
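One way to carry out the inventory-matching step above, as an added example rather than code from the original article: it parses device instance IDs exported from the USBSTOR registry key (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) of a forensic image and flags devices missing from the issued inventory. The function names, sample IDs and inventory list are constructed for illustration.

```python
import re

# Device instance ID layout under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
#   Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&<port index>
USBSTOR_RE = re.compile(
    r"^(?:USBSTOR\\)?Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^&\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)


def parse_usbstor_id(instance_id):
    """Split one USBSTOR device instance ID into its fields, or return None."""
    m = USBSTOR_RE.match(instance_id.strip())
    if not m:
        return None
    instance = m.group("instance")
    # When the second character is '&', the device reported no serial number and
    # Windows generated the ID, so it cannot identify the device across machines.
    unique = not (len(instance) > 1 and instance[1] == "&")
    serial = instance.rsplit("&", 1)[0] if unique else instance
    return {
        "vendor": m.group("vendor").replace("_", " ").strip(),
        "product": m.group("product").replace("_", " ").strip(),
        "revision": m.group("revision"),
        "serial": serial.upper(),
        "unique_serial": unique,
    }


def unlisted_devices(instance_ids, inventory_serials):
    """Return parsed devices that cannot be matched to the issued inventory.

    Devices without a unique serial are always returned for manual review."""
    issued = {s.strip().upper() for s in inventory_serials}
    parsed = [parse_usbstor_id(raw) for raw in instance_ids]
    return [d for d in parsed
            if d and (not d["unique_serial"] or d["serial"] not in issued)]


# Constructed sample data, not taken from any real case.
SAMPLE_IDS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101112233&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\60A44C413A8CE2B0&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
]
SAMPLE_INVENTORY = ["4c530001230101112233"]
```

Run against the sample data, `unlisted_devices(SAMPLE_IDS, SAMPLE_INVENTORY)` returns the Kingston drive (serial not in inventory) and the generic drive (no device-reported serial).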
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action. If you suspect USB devices were used to remove sensitive data, contact us for a discreet consultation.