USB Forensics
Registry keys, event logs and folder-access artifacts worth examining when investigating USB device activity on a Windows host.
Registry

| Scope | Key |
| --- | --- |
| USB device | HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR |
| USB port | HKLM\SYSTEM\CurrentControlSet\Enum\USB |
USB Usage (Extracted from Event: Windows Forensics Logs)

| Artifact | Location | Tool |
| --- | --- | --- |
| USB Device Identification | SYSTEM\CurrentControlSet\Enum\* | Registry Explorer |
| USB Device Information | SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial\ | Registry Explorer |
| USB Port Information | SYSTEM\CurrentControlSet\Enum\USB\VID_0E0F&PID_\USBSerial\ | Registry Explorer |
| Drive Letter and Volume Name | SOFTWARE\Microsoft\Windows Portable Devices\Devices and SYSTEM\MountedDevices | Registry Explorer |
| User Information | SYSTEM\MountedDevices and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Registry Explorer |
| Connection Timestamps | SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial\Properties\83daxxx\0064 | Registry Explorer |
| Disconnection Timestamps | SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial\Properties\83daxxx\0066 | Registry Explorer |
| Volume Serial Number (VSN) | SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt | Registry Explorer |
| Shortcut (LNK) Files | %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ and %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ | Autopsy |
| Event Logs | System.evtx | Event log viewer |
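As an added example (not from the page or from LetsDefend), the correlation the table above describes, done in Python on constructed sample values: parse the USBSTOR instance id into vendor, product and serial, tie the MountedDevices drive letter and volume GUID to the users whose MountPoints2 carry that GUID, and decode a REG_FILETIME such as the 0064 property. The vendor, serial, volume GUID, user names and timestamp are all constructed; reading the real SYSTEM and NTUSER.DAT hives is left to the caller.

```python
"""Correlate the USB registry artifacts from the table above: the USBSTOR instance id
(vendor, product, serial), the drive letter and volume GUID in SYSTEM\\MountedDevices, the
GUIDs under each user's MountPoints2, and a REG_FILETIME from Properties\\{83da...}\\0064."""
import struct
from datetime import datetime, timedelta, timezone
# Constructed MountedDevices entries: USB volumes hold UTF-16LE text, fixed disks a binary MBR/GPT reference.
USB_DATA = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
            "#4C530001230813101234&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
VOL_GUID = "{a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d}"  # constructed volume GUID
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": USB_DATA.encode("utf-16-le"),
    "\\??\\Volume" + VOL_GUID: USB_DATA.encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("11223344" + "0010000000000000"),  # not a USB device
}
# Constructed MountPoints2 subkey names per user, as read from each user's NTUSER.DAT.
MOUNTPOINTS2 = {"alice": {VOL_GUID}, "bob": {"{00000000-0000-0000-0000-000000000001}"}}
FILETIME_0064 = struct.pack("<Q", 133485408000000000)  # constructed: 2024-01-01 00:00:00 UTC

def filetime_to_utc(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_usbstor(data):
    """Split '_??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL#{class guid}' into fields; None if not USB."""
    text = data.decode("utf-16-le", errors="ignore")
    if not text.startswith("_??_USBSTOR#"):
        return None
    device, serial = text.split("#")[1:3]
    fields = dict(part.split("_", 1) for part in device.split("&")[1:])
    # An '&' as the serial's second character means Windows generated it: the device had no unique serial.
    return {"vendor": fields.get("Ven"), "product": fields.get("Prod"), "rev": fields.get("Rev"),
            "serial": serial, "windows_generated_serial": len(serial) > 1 and serial[1] == "&"}

def correlate(mounted, mountpoints2):
    """One row per USB volume: device fields, drive letter, volume GUID, users whose MountPoints2 hold the GUID."""
    rows = {}
    for name, data in mounted.items():
        info = parse_usbstor(data)
        if info is None:
            continue
        row = rows.setdefault(data, dict(info, drive_letter=None, volume_guid=None, users=[]))
        if name.startswith("\\DosDevices\\"):
            row["drive_letter"] = name.rsplit("\\", 1)[1]
        elif name.startswith("\\??\\Volume"):
            row["volume_guid"] = name[len("\\??\\Volume"):]
    for row in rows.values():
        row["users"] = sorted(u for u, guids in mountpoints2.items() if row["volume_guid"] in guids)
    return list(rows.values())
```

Calling `correlate(MOUNTED_DEVICES, MOUNTPOINTS2)` yields one row for the SanDisk device, mounted as E: by alice; a serial whose second character is `&` flags a device with no unique hardware serial.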
Event logs

| Event ID | Provider / Channel | Meaning |
| --- | --- | --- |
| 1006 | Microsoft-Windows-Partition/Diagnostic | Detailed information about the connected USB device |
| 400 | Microsoft-Windows-Kernel-PnP/Configuration | USB device was configured |
| 410 | Microsoft-Windows-Kernel-PnP/Configuration | USB device was started |
| 142 | Microsoft-Windows-NTFS/Operational | Disk letter was assigned; summary of disk space usage |
Folder Access
Shellbags
Reference: Shellbags
Shellbags only record folders under a zip file if the folder was accessed in Explorer. This means seeing those folders in shellbags provides evidence that the user accessed them.
Jumplists
Jumplist files are hidden in Windows and won’t appear even with "Hidden items" enabled. To view them, enter their full path directly into the Windows Explorer address bar.
Reference: Jumplists
This knowledge has been compiled from resources provided by LetsDefend.