Zöllner, JoshuaPetschke, DmitrySchinner, AlexanderWeber, KristinMayer, Manuel2021-12-142021-12-142021978-3-88579-708-1https://dl.gi.de/handle/20.500.12116/37741The aim of this work is to create a completely new method for analysing the physical access to USB mass storage devices and to reconstruct the file access from the logged data. This is achieved by replacing a real USB stick with a full software simulation based on a Raspberry PI Zero using USB gadget mode. To achieve full information, we extended the logging capabilities of the Linux kernel driver. This allows to log position and size of each reading operation at the lowest possible level. For write operation, the written data is logged, too. This enables logging completely independent of the operating system or file system and allows a forensic image to be calculated that has time as an additional dimension. Further advantages of this method are that it is completely undetectable from the host computer and random accesses bypassing a file system can also be logged. A reconstruction of the original file access is shown and the possibilities for new attack vectors are discussed.enDigital forensicsData TransferFile System AnalysisProtocol Reverse EngineeringForensic ImageUSB Software-Defined Mass Storage Device10.18420/informatik2021-0731617-5468