Another key piece of evidence that may be useful to an analyst is data about when specific devices were attached to the system. In the scenario of a malicious insider attempting to steal confidential documents, knowing whether they utilized a USB device would be helpful. Autopsy utilizes the registry settings located on the system to identify the types of devices attached and the last time that they were used. In this case, the output of clicking Devices Attached in the left-hand pane produces the following results:

Drilling down into the Results tab, the analyst would be able to identify the type of device and the date and time that the USB device was attached:

Finally, a more detailed examination of the File Metadata would show additional data that can be utilized to reconstruct the time that the USB device was accessed on the system:

Next, let's look at the deleted files.