Forensics Analysis Tool

U3 was a joint venture between SanDisk and M-Systems producing a proprietary method of launching Windows applications from special USB flash drives. Flash drives adhering to the U3 specification are termed "U3 smart drives". U3 smart drives come preinstalled with the U3 Launchpad, which looks similar to the Windows start menu and controls program installation. Applications that comply with the U3 specification are allowed to write files or registry information to the host computer, but they must remove this information when the flash drive is ejected. Customizations and settings are instead stored with the application on the flash drive.

Ever been told not to put an unknown thumb drive you found lying outside your building in a work computer?

This is why.

The method to the madness follows:

On the storage partition, create an empty text file with Notepad whose name ends with the .dat extension. In this case I used u3dir.dat. You do not need to type anything in the file; it just needs to exist on the storage partition.

Next you have to download and install the Launchpad software from SanDisk.

Next we will create a VBScript, placed in the CD portion of the drive, that looks for that file name to determine the drive letter of the storage partition.

The CD portion of the drive is set up as follows:

From any computer you can copy the cmd.exe file to use somewhere else. To avoid confusion I renamed mine to TK_cmd.exe.

The AutoRun.inf file has the following lines:

[AutoRun]
open=TK_cmd.exe
open=DDScript.vbs

An INF file is a text file that contains all the information that device installation components use to install a driver. Windows installs drivers using INF files.

This file says: look for TK_cmd.exe and open it, then look for DDScript.vbs and open it, and then it is done.
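The whole mechanism depends on the host still honouring AutoRun.inf on the emulated CD-ROM partition, which is why U3 presents the launcher as a CD rather than as a plain removable disk. As an added example that is not part of the original article, the following batch file reads the machine-wide NoDriveTypeAutoRun policy and reports whether AutoRun remains enabled for removable and CD-ROM drives. The registry key, value name and bit meanings (0x04 removable, 0x20 CD-ROM, 0xFF every drive type) are Microsoft's documented ones; the fallback default of 0x91 and the report wording are mine.

```batch
@echo off
rem Added example (not from the article): audit whether this host honours
rem AutoRun.inf on removable and CD-ROM drives. The U3 CD partition relies on it.
rem Bits of NoDriveTypeAutoRun: 0x04 = removable, 0x20 = CD-ROM, 0xFF = all types.
rem Only the machine policy is checked here; the same value can also be set
rem under HKCU\...\Policies\Explorer for a single user.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "VAL="

rem reg query prints "    NoDriveTypeAutoRun    REG_DWORD    0xff"; token 3 is the value
for /f "tokens=3" %%v in ('reg query "%KEY%" /v NoDriveTypeAutoRun 2^>nul ^| find /i "NoDriveTypeAutoRun"') do set "VAL=%%v"

if not defined VAL (
    rem No policy set: Explorer falls back to its built-in default 0x91,
    rem which leaves CD-ROM AutoRun switched on.
    set "VAL=0x91"
    echo No NoDriveTypeAutoRun policy found, assuming the Explorer default 0x91
)

rem Keep only the removable (0x04) and CD-ROM (0x20) bits; set /a accepts 0x literals
set /a "MASK=%VAL% & 0x24"
echo NoDriveTypeAutoRun = %VAL%

if %MASK% EQU 36 (
    echo AutoRun is disabled for removable and CD-ROM drives.
) else (
    echo WARNING: AutoRun is still enabled for removable and/or CD-ROM drives.
    echo To disable it for every drive type, set the value to 0xFF, e.g.:
    echo   reg add "%KEY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
)
endlocal
```

Run it from an elevated command prompt on the hosts you administer; a value of 0xFF (255) is the usual hardening baseline, and the check should be repeated after policy refreshes because the value is also written by Group Policy.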


The Code:

The DDScript.vbs contains the following:

' File system access: lets the script test whether a file exists on a drive
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Shell object: used to launch the batch file on the storage partition
Set objShell = CreateObject("Wscript.shell")

' Collection of every drive the host currently knows about
Set colDrives = objFSO.Drives

' Walk the drives looking for the marker file that identifies the storage partition
For Each objDrive in colDrives
    If objFSO.FileExists(objDrive.DriveLetter & ":\u3ir.dat") Then
        ' DriveLetter only returns the letter, so add the colon to build a path
        strPath = objDrive.DriveLetter & ":"
        ' Run the collection script, passing the storage drive as its first argument (%1)
        objShell.Run ".\u3ir\forensicsstart.bat " & strPath
    End If
Next

History:

To list and process a directory's contents, you can use MS-DOS commands or the File System Object (FSO) model's FileSystemObject object.

However, you can't use these tools to access the contents of special file-system folders such as Printers and Recycle Bin. Instead, you need to use the Shell object model.

You can use Shell objects to access not only special folders but also file-system directories. In addition, you can use Shell to programmatically drive the Windows shell and programmatically access all of Windows Explorer's features.

The FileSystemObject, or FSO, is an often used component to access a file system. For example, you can create files, read the contents of files, determine whether or not a folder or file exists, iterate through the contents of a folder or directory, or any other number of file system-related tasks.

Set objFSO = CreateObject("Scripting.FileSystemObject")

To create a Windows shell object, used later to run the batch file:

Set objShell = CreateObject("Wscript.shell")

You want to list all available drives on the system so you create a container for the names:

Set colDrives = objFSO.Drives

To examine each drive in colDrives you run a For Each loop over the collection and check its contents:

For Each objDrive in colDrives

Next


Since we only want the drive letter of the drive holding the u3dir.dat file, we can test for it in an IF statement within the For loop:

If objFSO.FileExists(objDrive.DriveLetter & ":\u3ir.dat") Then
    strPath = objDrive.DriveLetter & ":"
    objShell.Run ".\u3ir\forensicsstart.bat " & strPath
End If

The IF statement determines which drive letter has the u3dir.dat file and creates a string path with that letter, adding the ":" to it because DriveLetter only returns the letter itself.

It then runs the forensicsstart.bat file (in the shell object that was previously created) with this line: objShell.Run ".\u3ir\forensicsstart.bat " & strPath

The .bat file starts by making a directory to output files to on the drive letter set by strPath.

It then creates another directory with the computer name as the directory name so you know which system each file pertains to.

The u3dir\Tools directory on the CD portion has the tools you will run on the system.

The rest of the file runs each tool, accepting the EULA so that the command prompt doesn't hang waiting for input.

Then the outputs are piped with >> to the two directories created at the start of the file.

The file contains strings that start with %1. In a command line, script, or batch file, %1 represents the first argument passed in; here it is the drive letter of the storage partition that the VBScript passed as strPath.
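The batch file itself is not reproduced in the article. As an added example that is not the original forensicsstart.bat, here is a minimal script with the structure just described: it takes the storage-partition drive letter as %1, creates an output directory (the name Output is an assumption) and a per-host subdirectory named after the computer, and appends each tool's output with >>. The article's Tools directory and its third-party tools are not named, so this version uses only built-in Windows commands; the comment about the EULA switch applies when such tools are added.

```batch
@echo off
rem Added example (not the article's forensicsstart.bat): minimal triage script
rem with the structure described above. %1 is the storage-partition drive letter
rem passed in by DDScript.vbs, e.g. "E:". Directory names are assumptions.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 DRIVE:
    echo Example: %~nx0 E:
    exit /b 1
)

rem Output directory on the storage partition, then one directory per host
set "OUT=%~1\Output"
set "HOST=%OUT%\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
if not exist "%HOST%" mkdir "%HOST%"

rem Record when and where the collection ran
echo Collection started %DATE% %TIME% on %COMPUTERNAME% >> "%HOST%\collection.log"

rem Volatile system state, using only commands that ship with Windows.
rem Each command appends (>>) to its own file; 2>&1 keeps error text with the output.
systeminfo                  >> "%HOST%\systeminfo.txt" 2>&1
tasklist /v                 >> "%HOST%\tasklist.txt"   2>&1
netstat -ano                >> "%HOST%\netstat.txt"    2>&1
ipconfig /all               >> "%HOST%\ipconfig.txt"   2>&1
net user                    >> "%HOST%\localusers.txt" 2>&1
schtasks /query /fo LIST /v >> "%HOST%\schtasks.txt"   2>&1

rem When third-party tools from the Tools directory are added, pass their
rem accept-EULA switch (Sysinternals tools take /accepteula), otherwise the
rem licence dialog blocks and the batch file hangs, as the article notes.

echo Collection finished %DATE% %TIME% >> "%HOST%\collection.log"
endlocal
```

Because the script only appends, running it twice against the same host adds to the existing files rather than replacing them, which is why the collection.log timestamps are worth keeping.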
