Usb history viewing
Microsoft Windows operating systems records artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDD, etc.) are connected to the system.
Plug and Play Manager
When a USB removable storage device is connected to a Windows system for the first time, the Plug and Play (PnP) Manager receives the event notification, queries the device descriptor for the appropriate information to develop a device class identifier (device class ID) and attempts to locate the appropriate driver for that device.
Looking for and installing the correct driver for the device is recorded in the setupapi log file. For example:
[2007/06/10 21:25:41 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,...
This provides the local date and time that the removable storage device was first connected to the system. The Windows system will also create an entry in the Registry beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key using the device class ID:
This identifies the class of the device. Beneath this Registry key, a unique instance ID key will be created, using either the serial number retrieved from the device's device descriptor (you can use UVCView to view the contents of the device descriptor), or, if the device does not have a serial number, using an identifier generated by the system itself (based on additional information retrieved from the device descriptor, the USB port the device was plugged into, etc...the vendor has not publicized the algorithm used to generate this identifier). For example:
Note: If the second character of the unique instance ID is a '&', then the ID was generated by the system, as the device did not have a serial number.
Note: The device descriptor is not located in the memory area of the device. While you can acquire an image of the device using any number of imaging tools, that image will not include the device descriptor. For complete documentation of the device, the device descriptor should be retrieved separately from the image acquisition process, using tools such as UVCView.
Beneath this key are several Registry values that provide information about the device itself. Of particular note is the ParentIdPrefix value; this value can be used to map to the MountedDevices Registry key in order to identify the drive letter to which the device was mounted. Beneath the MountedDevices Registry key are several values, all of which are REG_BINARY data types. With RegEdit open, select one of the values that begins with "\DosDevices\" and includes a drive letter. The value selected should be one whose data begins with "5C 00 3F 00 3F 00". Right-click the value name and choose "Modify". When the "Edit Binary Value" dialog appears, you will see the binary data displayed as if it were viewed in a hex viewer. On the right-most column, you should see what appears as:
The portion in bold is the ParentIdPrefix for the device.
In order to determine the last time the device was connected to the system, we have to navigate to the following Registry key:
Beneath this key are two other keys of interest:
These are Device Class GUID keys for Disks and Volumes, respectively. Beneath the Disk GUID key are several subkeys that appear as follows (the key name is wrapped):
The bold portion of the key name is the devices unique instance ID, which in this case, is also the device's serial number. The last written time of this key is the last attach time (first attach during last boot) of the device in UTC time.
Similarly, the Volume GUID key contains subkeys for each volume that was mounted on the system, and those subkey names appear as follows:
The bold portion of the key name is the ParentIdPrefix value for the device.
To determine when the device was last connected to the system, obtain the LastWrite time value from the respective Disk and Volume GUID Registry keys for the device.
Many thumb drives that are available come with the capability of being used as a portable desktop. In essence, the device includes a suite of applications (web browser, etc.) that have been specifically configured to run from the device, as well as store data within the memory area of the device. These applications are stored within a CDFS partition on the device, and appear with a device class ID (beneath the Enum\USBStor Registry key) similar to the following:
By default, Windows systems are configured to parse autorun.inf files found in the root of certain media, and to execute the "load=" and "run=" lines of those files for CDFS volumes (among others). However, by default, the systems are configured to NOT execute the "load=" and "run=" lines for autorun.inf files located on removable media, such as thumb drives (this behavior is controlled by a Registry entry and can be modified).
Event Log Entries in Windows 10
Security Log Audit Plug and Play Activity
6416: A new external device was recognized by the System.
6419: A request was made to disable a device.
6420: A device was disabled.
6421: A request was made to enable a device.
6422: A device was enabled.
6423: The installation of this device is forbidden by system policy.
6424: The installation of this device was allowed, after having previously been forbidden by policy.
1006: May contain Manufacturer, Model, Serial, and raw Partition Table, MFT, and VBR data.
- USBDeview is a tool that automates the viewing of USB device history for Windows 2000/XP/2003/Vista systems. It can recover the device name, description, last plug/unplug date & time, and serial number.
- UVCView or the USB Video Class descriptor viewer is a tool in the Windows Driver Kit (WDK) that allows you to view the descriptors of any attached USB device. It runs on most recent Windows platforms, both 32bit and 64bit.
- Thesycon USB Descriptor Dumper is a free tool to display USB descriptors using Windows systems.
- USB Key Analysis vs. USB Drive Enclosure Analysis for Windows XP, Vista, and Windows 7.
- USB Forensic Tracker has 32bit and 64bit Windows versions. Allows the parsing of Windows and Apple OSX USB activity. Able to parse from the following sources : Registry, Windows event logs, setupapi.log files and OSX system logs
- Hacking Exposed Computer Forensics Blog Entry Considerations with Windows 10 USB attachments.