# USB Forensic

### Registry

#### USB device

* `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR`

#### USB port

* `HKLM\SYSTEM\CurrentControlSet\Enum\USB`

#### USB Usage (Extracted from [event-windows-forensics-logs](https://walterdrake.gitbook.io/mysite/windows-forensics-analysis/event-windows-forensics-logs "mention"))

<table><thead><tr><th>Artifact</th><th width="283.0001220703125">Location</th><th>Tools or Commands</th></tr></thead><tbody><tr><td>USB Device Identification</td><td><code>SYSTEM\CurrentControlSet\Enum\*</code></td><td>Registry Explorer</td></tr><tr><td>USB Device Information</td><td><code>SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&#x26;Ven_&#x26;Prod_\USBSerial\</code></td><td>Registry Explorer</td></tr><tr><td>USB Port Information</td><td><code>SYSTEM\CurrentControlSet\Enum\USB\VID_0E0F&#x26;PID_\USBSerial\</code></td><td>Registry Explorer</td></tr><tr><td>Drive Letter and Volume Name</td><td><code>SOFTWARE\Microsoft\Windows Portable Devices\Devices</code> and <code>SYSTEM\MountedDevices</code></td><td>Registry Explorer</td></tr><tr><td>User Information</td><td><code>SYSTEM\MountedDevices</code> and <code>NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2</code></td><td>Registry Explorer</td></tr><tr><td>Connection Timestamps</td><td><code>SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&#x26;Ven_&#x26;Prod_\USBSerial\Properties\83daxxx\0064</code></td><td>Registry Explorer</td></tr><tr><td>Disconnection Timestamps</td><td><code>SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&#x26;Ven_&#x26;Prod_\USBSerial\Properties\83daxxx\0066</code></td><td>Registry Explorer</td></tr><tr><td>Volume Serial Number (VSN)</td><td><code>SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt</code></td><td>Registry Explorer</td></tr><tr><td>Shortcut (LNK) Files</td><td><code>%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\</code> and <code>%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\</code></td><td>Autopsy</td></tr><tr><td>Event Logs</td><td><code>System.evtx</code></td><td>Event log viewer</td></tr></tbody></table>
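The registry keys listed above are usually worked by hand in Registry Explorer, but the correlation (USBSTOR serial key, its DEVPKEY timestamps, the `MountedDevices` entries that give the drive letter and volume GUID, and the `MountPoints2` key in a user's NTUSER.DAT that ties the volume to an account) is mechanical. The script below is an added example, not code from this page or from LetsDefend: it parses `.reg` exports of the SYSTEM hive and a loaded NTUSER.DAT, and the embedded sample export (device names, serial, volume GUID and SID) is constructed. Property IDs under `{83da6326-97a6-4088-9453-a1923f573b29}` are labelled with their devpkey.h names (InstallDate 0064, FirstInstallDate 0065, LastArrivalDate 0066, LastRemovalDate 0067) so that all four can be compared when present.

```python
"""Correlate USB artifacts from .reg exports of SYSTEM and NTUSER.DAT (constructed sample)."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Property IDs under Properties\{83da6326-...}, named as in devpkey.h. Each value is a
# REG_FILETIME, which reg.exe exports as hex(10): little-endian 100 ns ticks since 1601.
DEVPKEY_TIMES = {"0064": "install", "0065": "first_install",
                 "0066": "last_arrival", "0067": "last_removal"}
DEVPKEY_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
USBSTOR_RE = re.compile(
    r"\\Enum\\USBSTOR\\Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<serial>[^\\]+)(?:\\Properties\\" + re.escape(DEVPKEY_GUID)
    + r"\\(?P<pid>[0-9a-f]{4}))?$", re.IGNORECASE)


def parse_reg(text):
    """Minimal reader for 'Windows Registry Editor Version 5.00' exports:
    returns {key_path: {value_name: str | bytes}}; hex continuation lines are joined."""
    keys, current = {}, None
    for line in text.replace("\\\r\n", "").replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"').replace("\\\\", "\\")
            if data.startswith('"'):
                keys[current][name] = data.strip('"').replace("\\\\", "\\")
            elif data.startswith("hex"):  # hex: (REG_BINARY) or hex(10): (REG_FILETIME)
                keys[current][name] = bytes.fromhex(data.split(":", 1)[1].replace(",", "").replace(" ", ""))
    return keys


def filetime(raw):
    """Decode a REG_FILETIME value to an aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def analyze(reg_text):
    """Return {serial_key: record} combining USBSTOR, MountedDevices and MountPoints2."""
    keys, devices = parse_reg(reg_text), {}
    for path, values in keys.items():  # 1. USBSTOR: identity, FriendlyName, DEVPKEY timestamps
        m = USBSTOR_RE.search(path)
        if not m:
            continue
        rec = devices.setdefault(m["serial"], {
            "vendor": m["ven"], "product": m["prod"], "rev": m["rev"],
            # '&' as the second character means Windows generated the serial because the
            # device reported none, so it will not match the same stick on another host.
            "serial_is_generated": m["serial"][1:2] == "&",
            "friendly_name": None, "drive_letters": [], "volume_guids": [], "users": []})
        if m["pid"] in DEVPKEY_TIMES and isinstance(values.get("(Default)"), bytes):
            rec[DEVPKEY_TIMES[m["pid"]]] = filetime(values["(Default)"])
        rec["friendly_name"] = values.get("FriendlyName", rec["friendly_name"])
    for name, raw in keys.get(r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices", {}).items():
        if not isinstance(raw, bytes):  # 2. MountedDevices: UTF-16LE device path per letter/volume
            continue
        target = raw.decode("utf-16-le", errors="replace")
        for serial, rec in devices.items():
            if "USBSTOR#" in target and f"#{serial}#" in target:
                if name.startswith("\\DosDevices\\"):
                    rec["drive_letters"].append(name[len("\\DosDevices\\"):])
                elif name.startswith("\\??\\Volume"):
                    rec["volume_guids"].append(name[len("\\??\\Volume"):])
    for path in keys:  # 3. MountPoints2 lives in NTUSER.DAT: the volume GUID names who mounted it
        m = re.match(r"HKEY_USERS\\([^\\]+)\\.*\\Explorer\\MountPoints2\\(\{[^}]+\})$", path, re.I)
        if m:
            for rec in devices.values():
                if m[2] in rec["volume_guids"]:
                    rec["users"].append(m[1])
    return devices


def timeline(devices):
    """Flatten the per-device DEVPKEY timestamps into a sorted (time, serial, event) list."""
    return sorted((rec[ev], serial, ev) for serial, rec in devices.items()
                  for ev in DEVPKEY_TIMES.values() if ev in rec)


def _bin(s):
    """REG_BINARY export of a UTF-16LE string, the encoding MountedDevices uses."""
    return "hex:" + ",".join(f"{b:02x}" for b in s.encode("utf-16-le"))


# Constructed sample export: one stick with a real serial (2023-05-14/15 timestamps)
# and one no-serial device; the volume GUID and SID are made up for the example.
VOL = "{9d0e3f21-4a6b-4c7d-8e9f-0a1b2c3d4e5f}"
DEV = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001234567890123&0"
       "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0\Properties\{DEVPKEY_GUID}\0064]
@=hex(10):00,9c,7d,a7,46,86,d9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0\Properties\{DEVPKEY_GUID}\0066]
@=hex(10):00,5c,e7,d1,\
  0f,87,d9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices]
"\\DosDevices\\E:"={_bin(DEV)}
"\\??\\Volume{VOL}"={_bin(DEV)}

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{VOL}]
"BaseClass"="Drive"
"""

if __name__ == "__main__":
    devices = analyze(SAMPLE_REG)
    for serial, rec in devices.items():
        print(serial, rec)
    for when, serial, ev in timeline(devices):
        print(when.isoformat(), serial, ev)
```

Run it against real exports by reading the `.reg` files produced by `reg export` (or by Registry Explorer) from SYSTEM and from an NTUSER.DAT loaded under `HKEY_USERS`, and concatenating them before calling `analyze`. The `serial_is_generated` flag matters for attribution: a serial with `&` in the second position was minted by the host, so it cannot be used to prove the same physical device appeared on another machine.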

### Event logs

| IDs  | Event Log                                  | Context                                              |
| ---- | ------------------------------------------ | ---------------------------------------------------- |
| 1006 | Microsoft-Windows-Partition/Diagnostic     | Detailed information about the connected USB device  |
| 400  | Microsoft-Windows-Kernel-PnP/Configuration | USB device was configured                            |
| 410  | Microsoft-Windows-Kernel-PnP/Configuration | USB device was started                               |
| 142  | Microsoft-Windows-Ntfs/Operational         | Summary of disk space usage                          |
| 145  | Microsoft-Windows-Ntfs/Operational         | Drive letter was assigned                            |
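To turn the IDs in this table into a timeline, the events are usually exported as XML (Event Viewer "Save as XML", or `wevtutil qe` with `/f:xml`) and then filtered by channel and ID. The script below is an added example, not code from this page or from LetsDefend: it reads exported `<Event>` records, keeps the (channel, ID) pairs from the table, and can restrict the result to events whose EventData mentions a given device serial. The sample records are constructed; field names such as `SerialNumber` and `DeviceInstanceId` are illustrative and the values are made up.

```python
"""USB timeline from exported Windows event XML (constructed sample records)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (channel, event ID) -> context, taken from the event log table on this page.
USB_EVENTS = {
    ("Microsoft-Windows-Partition/Diagnostic", 1006): "detailed information about the connected USB device",
    ("Microsoft-Windows-Kernel-PnP/Configuration", 400): "USB device was configured",
    ("Microsoft-Windows-Kernel-PnP/Configuration", 410): "USB device was started",
    ("Microsoft-Windows-Ntfs/Operational", 142): "summary of disk space usage",
    ("Microsoft-Windows-Ntfs/Operational", 145): "drive letter was assigned",
}


def parse_events(xml_text):
    """Read exported <Event> records into dicts (time, channel, id, EventData fields)."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        ts = sysnode.find("e:TimeCreated", NS).get("SystemTime")  # e.g. 2023-05-14T09:30:02.1234567Z
        records.append({
            "time": datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc),
            "channel": sysnode.find("e:Channel", NS).text,
            "id": int(sysnode.find("e:EventID", NS).text),
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return records


def usb_timeline(records, serial=None):
    """Keep only the events listed in USB_EVENTS, optionally those whose EventData
    mentions the given serial (case-insensitive), sorted by creation time."""
    out = []
    for r in records:
        context = USB_EVENTS.get((r["channel"], r["id"]))
        if context is None:
            continue
        if serial and not any(serial.lower() in v.lower() for v in r["data"].values()):
            continue
        out.append(dict(r, context=context))
    return sorted(out, key=lambda r: r["time"])


# Constructed sample: three USB-related events for one stick plus one unrelated
# Service Control Manager event that the filter must drop.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Partition"/><EventID>1006</EventID>
    <TimeCreated SystemTime="2023-05-14T09:30:02.1234567Z"/>
    <Channel>Microsoft-Windows-Partition/Diagnostic</Channel></System>
  <EventData><Data Name="Manufacturer">SanDisk</Data><Data Name="Model">Cruzer Glide</Data>
    <Data Name="SerialNumber">4C530001234567890123</Data>
    <Data Name="ParentId">USB\VID_0781&amp;PID_5567\4C530001234567890123</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>400</EventID>
    <TimeCreated SystemTime="2023-05-14T09:30:03.0000000Z"/>
    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel></System>
  <EventData><Data Name="DeviceInstanceId">USBSTOR\DISK&amp;VEN_SANDISK&amp;PROD_CRUZER_GLIDE&amp;REV_1.00\4C530001234567890123&amp;0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>410</EventID>
    <TimeCreated SystemTime="2023-05-14T09:30:04.0000000Z"/>
    <Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel></System>
  <EventData><Data Name="DeviceInstanceId">USBSTOR\DISK&amp;VEN_SANDISK&amp;PROD_CRUZER_GLIDE&amp;REV_1.00\4C530001234567890123&amp;0</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
    <TimeCreated SystemTime="2023-05-14T09:31:00.0000000Z"/><Channel>System</Channel></System>
  <EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for r in usb_timeline(parse_events(SAMPLE_XML), serial="4C530001234567890123"):
        print(r["time"].isoformat(), r["id"], r["context"], r["data"])
```

Matching on the serial is what ties these events back to the `USBSTOR` serial key in the registry section: the Kernel-PnP `DeviceInstanceId` and the Partition/Diagnostic `SerialNumber` both carry it, so a registry hit and an event log hit for the same serial corroborate each other.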

### Folder Access

#### Shellbags

Reference: [#shellbags](https://walterdrake.gitbook.io/mysite/windows-forensics-analysis/registry#shellbags "mention")

Shellbags only record folders under a zip file if the folder was accessed in Explorer. This means seeing those folders in shellbags provides evidence that the user accessed them.

<details>

<summary>Tool</summary>

**ShellBags Explorer**

</details>

#### Jumplists

Jumplist files are hidden in Windows and won’t appear even with "Hidden items" enabled. To view them, enter their full path directly into the Windows Explorer address bar.

Reference: [#jumplists](https://walterdrake.gitbook.io/mysite/windows-forensics-analysis/windows-disk#jumplists "mention")

<details>

<summary>Tool</summary>

**JumpList Explorer**

</details>

***

{% hint style="success" %}
This knowledge has been compiled from resources provided by [LetsDefend](https://letsdefend.io/).
{% endhint %}
