USB History Viewing

From ForensicsWiki
Revision as of 20:19, 20 August 2007 by Rackley (Talk | contribs)

You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using USBDeview.

To do this, extract the SYSTEM file from c:\Windows\System32\config (or the equivalent path).

You can also do this indirectly via EnCase, or from any other system image format (.dd, .e01, etc.), by extracting the "SYSTEM" file from the image to a local path.

Once this is complete, open up a command prompt and run USBDeview. Example:

  usbdeview.exe /regfile "c:\case number\system"

This provides information including the device name, description, last plug/unplug date & time, serial number, etc.
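
Windows records USB storage devices in the SYSTEM hive under Enum\USBSTOR, so the name and serial number the tool reports can be cross-checked against the raw key names. The following is an added example, not USBDeview's code or part of the original page; the function name and the sample paths are constructed for illustration, and the key paths are assumed to have been copied out of the extracted hive with a registry viewer.

```python
import re

# USBSTOR device key format: <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
_DEVICE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)"
    r"&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$",
    re.IGNORECASE,
)

# Constructed sample key paths (not taken from a real case).
SAMPLE_PATHS = [
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\AA00112233445566&0",
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Card_Reader&Rev_0.01\7&1a2b3c4d&0",
]


def parse_usbstor_path(path):
    """Split a '...\\<device key>\\<instance id>' path into its fields."""
    parts = path.strip("\\").split("\\")
    if len(parts) < 2:
        raise ValueError("expected <device key>\\<instance id>")
    device_key, instance_id = parts[-2], parts[-1]
    match = _DEVICE_RE.match(device_key)
    if match is None:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    # '&' as the second character means Windows generated the instance ID
    # because the device reported no serial number of its own. Such an ID
    # does not identify the physical device across different machines.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    # A device-supplied serial is followed by an '&<n>' suffix; drop it.
    serial = None if generated else instance_id.rsplit("&", 1)[0]
    fields = match.groupdict()
    fields.update(
        instance_id=instance_id, serial=serial, serial_generated=generated
    )
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(parse_usbstor_path(sample))
```

A record with serial_generated set should not be used on its own to tie a device to more than one system.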