Difference between revisions of "USB History Viewing"

From ForensicsWiki
(New page: You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using [http://www.nirsoft.net/utils/usb_devices_view.html USBDeview]. To do this, extrac...)
 
Line 10: Line 10:
  
 
This provides information including the device name, description, last plug/unplug date & time, serial number, etc.
 
This provides information including the device name, description, last plug/unplug date & time, serial number, etc.
 +
 +
[[Category:Howtos]]

Revision as of 16:19, 20 August 2007

You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using USBDeview.

To do this, extract the SYSTEM registry file from c:\Windows\System32\config (or the equivalent path).

You can also do this indirectly from an EnCase image or any other system image format/type (.dd, .e01, etc.) by extracting the "SYSTEM" file from the image to a local path.

Once this is complete, open a command prompt and run USBDeview against the extracted file. Example:

  usbdeview.exe /regfile "c:\case number\system"

The output includes the device name, description, last plug/unplug date and time, serial number, etc.
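Before pointing USBDeview at an extracted SYSTEM file, it is worth confirming that the file is an intact registry hive and recording its hash for the case notes. The following is an added example, not part of the original wiki page or of USBDeview: the function names are hypothetical, the sample header is constructed, and the offsets follow the publicly documented "regf" base block layout (signature at 0, sequence numbers at 4 and 8, last-written FILETIME at 12, XOR checksum at 508).

```python
import hashlib
import struct
import sys
from datetime import datetime, timedelta, timezone

def xor32(block):
    """Header checksum: XOR of the first 127 little-endian dwords."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        acc ^= dword
    if acc == 0xFFFFFFFF:   # reserved values are remapped by the format
        return 0xFFFFFFFE
    return acc or 1

def inspect_hive(data):
    """Validate the base block of an extracted hive and summarise it."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a registry hive (missing 'regf' signature)")
    seq1, seq2, filetime = struct.unpack_from("<IIQ", data, 4)
    (stored,) = struct.unpack_from("<I", data, 508)
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=filetime // 10)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "last_written_utc": written,
        "checksum_ok": stored == xor32(data),
        # Differing sequence numbers mean the hive was not cleanly flushed;
        # pending changes may sit in SYSTEM.LOG* files next to it.
        "dirty": seq1 != seq2,
    }

def build_sample_header(seq1, seq2, filetime):
    """Constructed 512-byte base block, for demonstration only."""
    hdr = bytearray(512)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQ", hdr, 4, seq1, seq2, filetime)
    struct.pack_into("<I", hdr, 508, xor32(hdr))
    return bytes(hdr)

if __name__ == "__main__":
    if len(sys.argv) > 1:           # path to the extracted SYSTEM file
        with open(sys.argv[1], "rb") as fh:
            report = inspect_hive(fh.read())
    else:                           # fall back to the constructed sample
        report = inspect_hive(build_sample_header(7, 7, 116444736000000000))
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the report shows the hive as dirty, extract the accompanying SYSTEM.LOG* files from the same config directory as well, since the last-plug data in the primary file alone may be stale.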