External USB Drives (FAT32 vs. NTFS):

  • Description: Cheats, injectors, scripts, or related tools can be stored on and executed directly from external USB flash drives or external hard drives. The choice of file system on the external drive significantly impacts the forensic traces left behind.

  • Mechanism & Evasion (FAT32 vs. NTFS):

    • NTFS: The standard, modern file system for Windows internal drives, also usable on external drives. Crucially, NTFS volumes maintain detailed records of file system activity: the USN Journal ($UsnJrnl), which records file creations, deletions, renames, and modifications, and the $LogFile, which records metadata transactions. Analyzing these logs on an NTFS-formatted USB drive can reveal evidence of recent file manipulation, even if the cheat file itself was deleted.

    • FAT32 (and exFAT): File systems commonly used for USB drives because of their broad cross-device compatibility. Critically, FAT32 and exFAT do NOT possess a journaling system comparable to NTFS's $UsnJrnl or $LogFile. This lack of detailed, built-in logging makes tracking file operations much harder. A user could delete a cheat file from a FAT32 drive moments before or during a screenshare, leaving significantly fewer traces within the filesystem's own metadata than an identical action on an NTFS drive. While Prefetch or BAM might still log the execution if the cheat ran from the USB drive, proving the deletion from the FAT32 drive relies more heavily on file recovery tools or on artifacts elsewhere on the host.

  • Detection Considerations:

    • Identify Connected Devices: Use tools like USBDeview (Nirsoft), Echo's USB tool, or check relevant Event Logs (Kernel-PnP) and Registry keys (USBSTOR) to identify currently and previously connected USB storage devices. Look for devices connected/disconnected shortly before the screenshare.

    • Check File System: If the USB drive is present during the screenshare, check its file system type (Properties in File Explorer or Disk Management). If it is FAT32/exFAT and suspected of hosting cheats, be aware that journal analysis is not possible.

    • Analyze Drive Contents (If Present): Scan the drive using standard techniques (Search Everything, manual inspection).

    • File Recovery (FAT32/exFAT Focus): Since journaling is absent, tools like Recuva or the filesystem browser in FTK Imager become more important for finding evidence of deleted files on FAT32/exFAT drives: a deletion there only marks the directory entry and its clusters as unused, so recently deleted files can often still be listed or recovered until that space is reused.

    • Execution Logs: Check Prefetch, BAM, etc., for executions originating from the USB drive's letter/path.
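The five checks above can be run as one repeatable pass. The PowerShell script below is an added example for this page; it is not part of the guide and is not one of the tools named above (USBDeview, Echo, Search Everything). It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with the default Kernel-PnP Configuration log enabled; the function names, the 6-hour lookback window and the event-ID selection (400 configured, 410 started, 420 deleted) are this example's own choices. It only reads registry keys, event logs and file metadata; nothing is modified.

```powershell
#Requires -RunAsAdministrator
# Added triage example (not from the original guide). Read-only: queries USB volumes,
# the USBSTOR registry key, the Kernel-PnP Configuration log, Prefetch and BAM.
# $LookbackHours and all function names are this example's own assumptions.
[CmdletBinding()]
param([int]$LookbackHours = 6)   # assumed window around the screenshare

# Step 1/2: volumes on USB-attached disks (flash drives and external HDDs) and their
# file system. Only NTFS carries $UsnJrnl/$LogFile, so the journaling status is flagged.
function Get-UsbVolumeInfo {
    Get-Disk | Where-Object BusType -eq 'USB' |
        Get-Partition -ErrorAction SilentlyContinue |
        Get-Volume -ErrorAction SilentlyContinue |
        Where-Object { ([string]$_.DriveLetter).Trim([char]0) -ne '' } |
        ForEach-Object {
            $fs = [string]$_.FileSystemType
            [pscustomobject]@{
                Drive      = "$($_.DriveLetter):"
                Label      = $_.FileSystemLabel
                FileSystem = $fs
                SizeGB     = [math]::Round($_.Size / 1GB, 2)
                Journaled  = ($fs -eq 'NTFS')   # FAT32/exFAT: no journal to analyze
            }
        }
}

# Step 1: every USB storage device Windows has ever enumerated (persists after removal).
function Get-UsbStorDevices {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $base)) { return }
    foreach ($model in Get-ChildItem $base) {
        foreach ($instance in Get-ChildItem $model.PSPath) {
            $props = Get-ItemProperty $instance.PSPath
            [pscustomobject]@{
                Model        = $model.PSChildName      # Disk&Ven_...&Prod_...&Rev_...
                InstanceId   = $instance.PSChildName   # usually the device serial + '&0'
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Step 1: arrival/removal timing from the Kernel-PnP Configuration log.
function Get-UsbStorPnpEvents ([int]$Hours) {
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400, 410, 420                 # configured / started / deleted
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*USBSTOR*' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0].Trim() } }
}

# Step 5: Prefetch files written recently. Names are EXENAME-HASH.pf and LastWriteTime
# approximates the last run; the full path (and so the drive letter) sits inside the
# compressed .pf body, which this script does not parse. Use a Prefetch parser for that.
function Get-RecentPrefetch ([int]$Hours) {
    Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime
}

# Step 5: BAM entries. Each executable is a REG_BINARY value named by its NT device path
# (\Device\HarddiskVolumeN\...) whose first 8 bytes are a FILETIME of the last run.
function Get-RecentBamEntries ([int]$Hours) {
    $cutoff = (Get-Date).AddHours(-$Hours)
    $roots  = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
              'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'   # older 1709-1803 layout
    foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
        foreach ($userKey in Get-ChildItem $root) {
            foreach ($name in $userKey.GetValueNames()) {
                $data = $userKey.GetValue($name)
                if ($data -is [byte[]] -and $data.Length -ge 8) {
                    $when = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0)).ToLocalTime()
                    if ($when -gt $cutoff) {
                        [pscustomobject]@{ UserSid = $userKey.PSChildName; Path = $name; LastRun = $when }
                    }
                }
            }
        }
    }
}

# Out-Host renders each table immediately so the headers stay in order.
Write-Host "== USB-attached volumes (Journaled = NTFS) =="
Get-UsbVolumeInfo | Format-Table -AutoSize | Out-Host
Write-Host "== USBSTOR history (all USB storage ever connected) =="
Get-UsbStorDevices | Format-Table -AutoSize | Out-Host
Write-Host "== Kernel-PnP USBSTOR events, last $LookbackHours h =="
Get-UsbStorPnpEvents -Hours $LookbackHours | Format-Table -AutoSize -Wrap | Out-Host
Write-Host "== Prefetch files written in the last $LookbackHours h =="
Get-RecentPrefetch -Hours $LookbackHours | Format-Table -AutoSize | Out-Host
Write-Host "== BAM last-run entries in the last $LookbackHours h (match HarddiskVolumeN to the USB volume) =="
Get-RecentBamEntries -Hours $LookbackHours | Format-Table -AutoSize -Wrap | Out-Host
```

Read the sections together: a device that appears in the USBSTOR history and has a 420 (deleted) event a few minutes before the screenshare, with no matching volume in the first table, is exactly the "disconnected shortly before" case; if the volume is still attached and reports FAT32 or exFAT, move to the file recovery step rather than looking for a journal. BAM paths use the NT device name, so a removable volume shows up as \Device\HarddiskVolumeN rather than a drive letter and has to be correlated by hand.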
