USB Forensics - Foren-Ken/tech-journal GitHub Wiki
Basic USB Artifacts:
- Make, Model, Production Number
- SerialNumber/UniqueID
- Type of device
- Volume GUIDs
- Last Drive Letter
- Volume S/N
- Volume Label
- Container ID
- Dates of first and last insertion (Win8+)
USB Registry Related Keys:
| Location | Purpose |
|---|---|
| SYSTEM\CurrentControlSet\Enum\USBSTOR|Contains the ContainerID, S/N (Only if &0 is at the end), and "FriendlyName" or human readable name. | |
| SYSTEM\CurrentControlSet\Enum\USBSTOR[type of usb][S/N of target USB]\Properties{83da...}* | Each file within this shows a value. File "64" shows first install of driver, "65" shows last installation of the newest driver, "66" shows the last arrival, "67" shows last removal. |
| Normal Artifacts: | |
| SYSTEM\MountedDevices | Shows information for every volume mounted on the machine. This includes much of the information from USBSTOR. This can be used with MountPoints2 to confirm the user who plugged in the USB. |
| Win 7: SOFTWARE\Microsoft\Windows Portable Devices\Device\Devices | Contains information of mounting letters and names. |
| Win 8: SOFTWARE\Microsoft\Windows Portable Devices\Devices | Contains information of mounting letters and names |
| NTUSER.DAT: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Shows Volume GUIDs. These can be used to confirm under which account the USB were connected from when paired with MountedDevices. |
| SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt | Has information about volume levels and S/N. |
| Name | Purpose |
|---|---|
| C:\Windows\inf\Setupapi.dev.log | Stores info which was present on the Registry. (Device Model and S/N) |
| Windows Event Logs | EventId 112. |
| LNK and Jumplists | See LNK and JumpList Wiki Entries |
| Prefetch | See Prefetch Entries. |