USB History Viewing

From Forensics Wiki
Revision as of 15:15, 20 August 2007 by Rackley (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using USBDeview.

To do this, extract the SYSTEM file from c:\Windows\System32\config (or equivalent path.)

You can do this indirectly via Encase or any other system imaging format/type (.dd, .e01, etc) by extracting the "SYSTEM" file from the image to a local path.

Once this is complete, open up a command prompt and run USBDeview. Example:

  usbdeview.exe /regfile "c:\case number\system"

This provides information including the device name, description, last plug/unplug date & time, serial number, etc.