Table of Contents

USB Device Tracking

Many different artifacts need to be correlated / linked together
- Windows Registry: 7 different locations with some redundant data
- Setupapi logs
- Windows Event Logs: 3 different logs
- LNK & Jump List Files
- Prefetch Files

Every USB device, Windows stores:
- Make, Model, Product Version
- UniqueID / Unique Serial Number, Volume Serial Number: if the company that created the drive does not follow standards, Windows will generate a unique ID for the drive that is connected
- Type of device, class, hardware, and compatibility
- Volume GUID
- Last Drive Letter
- Volume Label
- Container ID

Windows 8+ records the dates of first and last insertion are directly available for the drive.

User Visible Items

Some easy to access artifacts on USB are the Volume Label and Drive Letter in the File Explorer. This only applies if the drive is still plugged in.

In CMD, you can find the drive letter, volume label, and volume serial number if the device is still plugged in. The Volume Serial number is subject to change if the drive has been reformatted.

dir

Device Containers

This was added in Windows 7+. Groups all device defined by a single hardware device into one container, which used to log based on port.

Each device has its own unique id and a container id

Windows Reigistry

USBSTOR

SYSTERM\ControlSet001\Enum\USBSTOR has every single drive that was attached to the system.
Format: [Type]&Vend_[Vendor]&Prod_[Product_Name]&Rev_[]

Underneath the folder listed above should be the Unique SN
- &0 -> Manufacturer SN
- otherwise it is a Windows assigned ID

SerialNumber is used to correlate with the other artifacts within the registry.
- XP has also ParentPrefixID

{83da..} --> timestamps
- 02: Drive Date - 64: Timestamp when the drive was first installed (when it was first installed)
- 65: Timestamp when the drive was installed (changes when a new updated driver, otherwise matches 64)
- 66: Timestamp Last Arrival (last seen by the computer) - 67: Timestamp of Last Removal (last removed by the computer)

MountedDevices

SYSTEM\MountedDevices
Format: Volume{[Volume GUID]}
Drive Letters + Volume GUID -> Same data found as USBSTOR
- Can say device was mounted on a specific volume. To find the drive letter, just select the drive letters to see if the information matches.

To find the most recent drive attached to a specific letter, look in the data listed in the drive letter.

Windows Portable Devices

SOFTWARE\Microsoft\Windows Portable Devices\Devices