USB History Viewing

From ForensicsWiki
Revision as of 12:36, 21 August 2007 by Keydet89 (Talk | contribs)


Windows systems (Microsoft Windows 2000/XP/2003/Vista) will record artifacts as a result of USB removable storage devices (thumb drives, iPods, digital cameras, external HDD, etc.) being connected to the system.

When a USB removable storage device is connected to a Windows system for the first time, the Plug and Play (PnP) Manager receives the event notification, queries the device descriptor for the appropriate information to develop a device class identifier (device class ID) and attempts to locate the appropriate driver for that device.

The search for, and installation of, the correct driver for the device is recorded in the setupapi.log file. For example:

   [2007/06/10 21:25:41 1140.8 Driver Install]
   #-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,...

This provides the date and time that the removable storage device was first connected to the system. The Windows system will also create an entry in the Registry beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key using the device class ID:
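To pull those first-connection timestamps out of a whole setupapi.log rather than reading it by hand, here is an added parsing example (not from the original page or from any tool it mentions). It walks the log, keeps the timestamp of each "Driver Install" header, and reports the hardware IDs searched for whenever they belong to the usbstor class; the log excerpt is constructed for the example. Note that setupapi.log records these times in the system's local time, not UTC.

```python
import re
from datetime import datetime

# Constructed sample excerpt in setupapi.log format (not from a real case).
SAMPLE_LOG = r"""
[2007/06/10 21:25:41 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,usbstor\disksandisk_u3_cruzer_micro
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
[2007/06/11 09:02:13 1140.8 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_8086&dev_2658&subsys_00000000&rev_03
[2007/06/12 18:40:05 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskkingston_datatraveler_2.0_1.00,usbstor\diskkingston_datatraveler_2.0
"""

# "[YYYY/MM/DD HH:MM:SS pid.tid Driver Install]" opens each driver-install block.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
# "#-019 Searching for hardware ID(s): id1,id2,..." lists the IDs PnP tried.
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")


def parse_usbstor_installs(log_text):
    """Return [(timestamp, [hardware IDs])] for every Driver Install block
    whose hardware IDs are in the usbstor class, i.e. a USB mass-storage
    device being set up for the first time. Timestamps are local time."""
    results = []
    current_ts = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = HWID_RE.match(line)
        if m and current_ts is not None:
            ids = [i.strip() for i in m.group(1).split(",") if i.strip()]
            if any(i.lower().startswith("usbstor\\") for i in ids):
                results.append((current_ts, ids))
    return results


def first_connection(log_text, id_fragment):
    """Earliest install time for any usbstor hardware ID containing
    id_fragment (case-insensitive), or None if the device never appears."""
    frag = id_fragment.lower()
    hits = [ts for ts, ids in parse_usbstor_installs(log_text)
            if any(frag in i.lower() for i in ids)]
    return min(hits) if hits else None


if __name__ == "__main__":
    for ts, ids in parse_usbstor_installs(SAMPLE_LOG):
        print(ts, ids[0])
    print("Cruzer first seen:", first_connection(SAMPLE_LOG, "cruzer"))
```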


You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using USBDeview.

To do this, extract the SYSTEM file from c:\Windows\System32\config (or the equivalent path).

You can do this indirectly via EnCase or any other system imaging format/type (.dd, .e01, etc.) by extracting the "SYSTEM" file from the image to a local path.

Once this is complete, open up a command prompt and run USBDeview. Example:

  usbdeview.exe /regfile "c:\case number\system"

This provides information including the device name, description, last plug/unplug date & time, serial number, etc.