
USB Artifacts: What Gets Left Behind and Where to Find It

Hey again! So, you've plugged in a USB device and opened some files. Ever wonder what traces you leave behind?


What's the Deal with MSC Devices?

What Happens?

When you open files from an MSC device (like a flash drive), Windows creates small LNK (shortcut) files. Each one points back to the file you opened and the path it was opened from.


Where to Find Them?

  • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent: LNK files for all files and folders you opened.

  • C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent: Just for Microsoft Office files.
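As an added example (not code from this post), here is a small Python parser for the LinkInfo block of a .lnk file. It reports the target path, the DriveType of the volume the target lived on and that volume's serial number, so the Recent entries that point at a removable drive (DriveType 2) can be pulled out. The LNK bytes are constructed inline by build_sample_lnk so the code runs offline; the file names, paths and volume serials are made up for the demo, and scan_recent_folder is the hypothetical live-system entry point that reads the Recent folder named above.

```python
import os
import struct
from pathlib import Path

# Shell link magic: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01         # LinkFlags bit: an IDList precedes LinkInfo
HAS_LINK_INFO = 0x02                   # LinkFlags bit: a LinkInfo block is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit
DRIVE_REMOVABLE = 2                    # VolumeID.DriveType for flash drives and similar
DRIVE_FIXED = 3


def build_sample_lnk(base_path, drive_type, serial, label):
    """Build a minimal shell link (ShellLinkHeader + LinkInfo with VolumeID and LocalBasePath).
    Constructed sample data so the parser can be exercised offline; not a real Recent entry."""
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    local_base = base_path.encode("ascii") + b"\x00"
    common_suffix = b"\x00"
    vol_off = 28                                   # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<IIIIIII", suffix_off + len(common_suffix), 28,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + local_base + common_suffix + b"\x00\x00\x00\x00"


def _cstring(data, off):
    """NUL-terminated ANSI string starting at data[off]."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(data):
    """Return {'target', 'drive_type', 'serial'} from a shell link, or None if data is not a LNK."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList (2-byte size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    empty = {"target": None, "drive_type": None, "serial": None}
    if not flags & HAS_LINK_INFO:
        return empty
    _, _, li_flags, vol_off, base_off, _, suffix_off = struct.unpack_from("<IIIIIII", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:   # network-only target, no local volume
        return empty
    drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
    target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
    return {"target": target, "drive_type": drive_type, "serial": serial}


def removable_targets(lnk_blobs):
    """{lnk file name: bytes} -> [(lnk file name, target path, volume serial as hex)]
    for the links whose target sat on a removable volume."""
    hits = []
    for name, blob in sorted(lnk_blobs.items()):
        info = parse_lnk(blob)
        if info and info["drive_type"] == DRIVE_REMOVABLE:
            hits.append((name, info["target"], f"{info['serial']:08X}"))
    return hits


def scan_recent_folder(folder=None):
    """Hypothetical live-system entry point: parse every .lnk in the user's Recent folder."""
    folder = Path(folder or os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Recent"))
    return removable_targets({p.name: p.read_bytes() for p in folder.glob("*.lnk")})


# Constructed sample "Recent" folder: one file opened from a flash drive, one from the system disk.
SAMPLE_RECENT = {
    "report.docx.lnk": build_sample_lnk(r"E:\Finance\report.docx", DRIVE_REMOVABLE, 0x1A2B3C4D, "KINGSTON"),
    "notes.txt.lnk": build_sample_lnk(r"C:\Users\alice\Documents\notes.txt", DRIVE_FIXED, 0x0F0E0D0C, "OS"),
}

if __name__ == "__main__":
    for name, target, serial in removable_targets(SAMPLE_RECENT):
        print(f"{name} -> {target}  (removable volume, serial {serial})")
```

The volume serial is the useful extra: it survives even after the drive letter has been reused, so two Recent entries with different letters but the same serial were opened from the same stick.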

MTP Devices: A Bit Tricky

What Happens?

MTP devices (like newer smartphones) handle things differently. When you open files, Windows makes a copy and puts it in a temp folder.


Interesting Stuff:

  • The actual LNK files might point to these temp folders, not the device itself.

  • A folder named WPDNSE keeps copies of most files you've opened from the device.

Where to Find Them?

  • C:\Users\<username>\AppData\Local\Temp\WPDNSE: This is where the temp copies hang out.

File Types and Their Trails

JPG Files

  • Opened from the device? A true LNK file points right back to the device folder.

PDF, TXT, XLS Files

  • No LNK files created when opened from MTP devices. Mysterious, huh?

Quick Tips

  • MSC: Expect a LNK for every file you open. Look in Recent folders.

  • MTP: Files get copied to a temp folder. Check WPDNSE and temp folders for clues.


MTP Devices and the Mysterious WPDNSE Folder

So, you've got a Windows 7 or 8 system, and you're curious about MTP devices. Great! But there's a twist: this folder doesn't exist on Windows 10.


Where's My WPDNSE Folder?

Windows 7 & 8:

When you open files from an MTP device, copies get saved in C:\Users\<username>\AppData\Local\Temp\WPDNSE\.


Each folder you open on the MTP device gets its own GUID-named folder here.


Making Sense of GUIDs

You'll see these weird GUIDs like {02601-000-01CD-8801-7I017K017} as folder names. Without a map, they're just gibberish. But fear not! You can link these GUIDs back to the original MTP device folders using the Windows registry.


How?

  1. Dive into the registry and look for the BagMRU entries related to your MTP device.

  2. Find the folder GUIDs listed under these entries.

  3. Match them up with the GUID-named folders in your WPDNSE directory.
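The three steps above, as an added Python example that is not code from the original post. It assumes the WPDNSE folder GUID shows up inside a binary BagMRU value either as a UTF-16LE string (in either letter case) or as a raw 16-byte little-endian GUID, and searches for all of those forms; the sample registry values and GUIDs are constructed for the demo, collect_bagmru and list_wpdnse_folders are hypothetical live-system helpers (Windows only, via winreg), and the registry path read is the per-user BagMRU key under HKCU\Software\Classes\Local Settings.

```python
import os
import re
import uuid

BAGMRU_ROOT = r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


def guid_signatures(folder_name):
    """Byte patterns under which a WPDNSE folder name may sit inside a binary BagMRU value:
    the braced string as UTF-16LE in either case (how shell items store text) and, when the
    name is a well-formed GUID, its raw 16-byte little-endian form. This is the example's
    assumption about the encoding, not something the post states."""
    sigs = []
    for text in (folder_name, folder_name.upper(), folder_name.lower()):
        enc = text.encode("utf-16-le")
        if enc not in sigs:
            sigs.append(enc)
    if GUID_RE.match(folder_name):
        sigs.append(uuid.UUID(folder_name).bytes_le)
    return sigs


def match_wpdnse_to_bagmru(wpdnse_folders, bagmru_values):
    """Step 3: {WPDNSE folder name: [BagMRU value paths whose data contains that GUID]}."""
    result = {}
    for folder in wpdnse_folders:
        sigs = guid_signatures(folder)
        result[folder] = sorted(path for path, blob in bagmru_values.items()
                                if any(s in blob for s in sigs))
    return result


def collect_bagmru(root=BAGMRU_ROOT):
    """Step 1 on a live Windows box (hypothetical helper, needs winreg): walk the per-user
    BagMRU tree recursively and return every REG_BINARY value as {value path: bytes}."""
    import winreg
    out = {}

    def walk(key, path):
        subkeys, values, _ = winreg.QueryInfoKey(key)
        for i in range(values):
            name, data, kind = winreg.EnumValue(key, i)
            if kind == winreg.REG_BINARY:
                out[path + "\\" + name] = data
        for j in range(subkeys):
            sub = winreg.EnumKey(key, j)
            with winreg.OpenKey(key, sub) as child:
                walk(child, path + "\\" + sub)

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, root.split("\\", 1)[1]) as key:
        walk(key, root)
    return out


def list_wpdnse_folders(temp_dir=None):
    """Step 2 input on a live box (hypothetical helper): GUID folder names under %TEMP%\\WPDNSE."""
    base = os.path.join(temp_dir or os.environ.get("TEMP", ""), "WPDNSE")
    return sorted(os.listdir(base)) if os.path.isdir(base) else []


# Constructed sample data: one MTP folder shell item that embeds the GUID (upper case), and an
# MRUListEx value that holds only ordering data. The second WPDNSE folder has no match on purpose.
SAMPLE_GUID = "{5ed6c7a0-1b2c-4d3e-8f90-abcdef123456}"
SAMPLE_WPDNSE = [SAMPLE_GUID, "{11111111-2222-3333-4444-555555555555}"]
SAMPLE_BAGMRU = {
    BAGMRU_ROOT + r"\3\0\1": (b"\x6e\x00\x06\x20" + b"\x00" * 12
                              + "DCIM\x00".encode("utf-16-le")
                              + SAMPLE_GUID.upper().encode("utf-16-le") + b"\x00\x00"),
    BAGMRU_ROOT + r"\3\0\MRUListEx": b"\x00\x00\x00\x00\xff\xff\xff\xff",
}

if __name__ == "__main__":
    for folder, keys in match_wpdnse_to_bagmru(SAMPLE_WPDNSE, SAMPLE_BAGMRU).items():
        print(folder, "->", keys or "no BagMRU match")
```

On a real Windows 7/8 box the call is match_wpdnse_to_bagmru(list_wpdnse_folders(), collect_bagmru()); a folder name that is not a well-formed GUID (the post's own example string is one) is still searched as text, it just gets no raw 16-byte pattern. Because WPDNSE is emptied on reboot, run the folder listing before anything else.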

Quick Heads-up

  • Temporary Storage: Remember, the WPDNSE folder is temporary. Windows likes to clean it out when you reboot.


So, next time you're snooping around a computer, keep these spots in mind. You'll find some cool clues about what was opened from which device. Happy investigating!

Akash Patel
