USB Forensics

1. What Is USB Forensics & Why It Matters

  • USB devices (pendrives, external HDDs) are common vectors for data exfiltration or malicious payload delivery.

  • Even after a USB device is removed, Windows keeps traces of it (registry keys, setup logs, mounted-device mappings) that are extremely valuable to a forensic investigator.

  • Key questions USB forensics helps answer: Which device was connected (vendor, product, serial)? When was it first installed, last connected and last removed? Which drive letter did it get? Which user account used it?

2. Main USB Artifacts (Registry + Logs)

Artifact / Location / What It Reveals

USBSTOR
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  One subkey per mass-storage device model, named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>; beneath it one subkey per physical device whose name is the device serial number plus an interface suffix (e.g. 4C530001…&0). If the second character of that name is & the device reported no serial and Windows generated the ID.

USB Device Classes
  HKLM\SYSTEM\CurrentControlSet\Enum\USB
  Every USB device ever enumerated, not just mass storage, keyed by VID_xxxx&PID_xxxx with the serial (or generated ID) as the instance subkey. Use it for phones, adapters, HID devices and anything that never appears in USBSTOR.

Connection / Removal Timestamps
  <USBSTOR instance key>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00xx  (Windows 8 and later)
  Each value is an 8-byte FILETIME in UTC: 0064 = InstallDate (most recent driver install), 0065 = FirstInstallDate (first time the device was set up), 0066 = LastArrivalDate (last connection), 0067 = LastRemovalDate (last removal). These properties do not exist on Windows 7; there, fall back to the instance key's LastWrite time and setupapi.dev.log.

Mounted Devices
  HKLM\SYSTEM\MountedDevices
  Maps \DosDevices\<letter>: and \??\Volume{GUID} value names to the device mounted there. For USB disks the value data is a UTF-16LE string of the form _??_USBSTOR#<model key>#<serial>&0#{interface GUID}, which is how a serial number is tied to a drive letter and a volume GUID.

Per-User Mount Points
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  One subkey per volume GUID the user has opened in Explorer. Matching the GUID against MountedDevices shows which account used the device; the subkey's LastWrite time approximates the last time that user mounted it.

SetupAPI Logs
  C:\Windows\inf\setupapi.dev.log
  Plain-text driver installation log. The first "Device Install (Hardware initiated)" section for a device's instance path records its first installation; its "Section start" timestamp is in the machine's local time, not UTC.
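The decoding behind the table, as an added example that is not part of the original page: it parses USBSTOR key names, converts the 0064/0066/0067 FILETIME values, decodes MountedDevices data and matches the volume GUID against each user's MountPoints2. All inputs (the SanDisk and Generic device keys, the serial, the volume GUIDs and the user names) are constructed to mirror what an offline hive parser such as python-registry or Registry Explorer would show; nothing reads a live registry.

```python
"""Decode raw USBSTOR, MountedDevices and MountPoints2 values and correlate
them into one record per device (added example, constructed inputs)."""
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property IDs under <instance>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}
# (Windows 8 and later). Each value is an 8-byte little-endian FILETIME in UTC.
PROPERTY_NAMES = {
    "0064": "install_date",        # DEVPKEY_Device_InstallDate
    "0065": "first_install_date",  # DEVPKEY_Device_FirstInstallDate
    "0066": "last_arrival_date",   # DEVPKEY_Device_LastArrivalDate
    "0067": "last_removal_date",   # DEVPKEY_Device_LastRemovalDate
}

# ---- constructed sample data (shape of a parsed SYSTEM / NTUSER.DAT hive) ----
USB_DEV_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
                "#4C530001230911112345&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

# Enum\USBSTOR\<model key>\<instance id> -> {property id: raw FILETIME bytes}
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": {
        "4C530001230911112345&0": {
            "0064": struct.pack("<Q", 133549686000000000),  # 2024-03-15 09:30:00 UTC
            "0066": struct.pack("<Q", 133554465000000000),  # 2024-03-20 22:15:00 UTC
            "0067": struct.pack("<Q", 133554495300000000),  # 2024-03-20 23:05:30 UTC
        },
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&2a1b3c4d&0&_&0": {},  # second char '&': no serial, ID generated by Windows
    },
}

# HKLM\SYSTEM\MountedDevices: value name -> REG_BINARY data
MOUNTED_DEVICES = {
    r"\DosDevices\C:": bytes.fromhex("a0b1c2d3" "00100000" "00000000"),  # MBR disk signature + offset, not USB
    r"\DosDevices\E:": USB_DEV_PATH.encode("utf-16-le"),
    r"\??\Volume{8f1c2a3b-4d5e-4f60-9a7b-0c1d2e3f4a5b}": USB_DEV_PATH.encode("utf-16-le"),
}

# MountPoints2 subkey names found in each user's NTUSER.DAT
MOUNTPOINTS2 = {
    "jdoe":  ["{8f1c2a3b-4d5e-4f60-9a7b-0c1d2e3f4a5b}", "{11111111-2222-3333-4444-555555555555}"],
    "admin": ["{11111111-2222-3333-4444-555555555555}"],
}
# -----------------------------------------------------------------------------

def filetime_to_datetime(raw):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC, stored little-endian."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_usbstor_model_key(name):
    """'Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00' -> type / vendor / product / revision."""
    parts = name.split("&")
    info = {"type": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        info[{"Ven": "vendor", "Prod": "product", "Rev": "revision"}.get(key, key)] = value
    return info

def serial_from_instance_id(instance_id):
    """Return (serial, generated). A real serial is followed by '&<interface>';
    an ID whose second character is '&' was synthesised by Windows."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None, True
    return instance_id.rsplit("&", 1)[0], False

def decode_mounted_device(data):
    """USB entries in MountedDevices are UTF-16LE '_??_USBSTOR#<model>#<instance>#{guid}'."""
    text = data.decode("utf-16-le", errors="ignore")
    m = re.match(r"_\?\?_USBSTOR#([^#]+)#([^#]+)#\{", text)
    return {"model_key": m.group(1), "instance_id": m.group(2)} if m else None

def build_device_records(usbstor, mounted_devices, mountpoints2_by_user):
    """One record per USBSTOR instance: identifiers, UTC timestamps, drive
    letters, volume GUIDs and the users whose MountPoints2 hold those GUIDs."""
    mounts = {}
    for value_name, data in mounted_devices.items():
        dev = decode_mounted_device(data)
        if dev:
            mounts.setdefault(dev["instance_id"], []).append(value_name)
    records = []
    for model_key, instances in usbstor.items():
        for instance_id, props in instances.items():
            serial, generated = serial_from_instance_id(instance_id)
            rec = parse_usbstor_model_key(model_key)
            rec.update(instance_id=instance_id, serial=serial, serial_generated=generated)
            for prop_id, label in PROPERTY_NAMES.items():
                if prop_id in props:
                    rec[label] = filetime_to_datetime(props[prop_id])
            names = mounts.get(instance_id, [])
            rec["drive_letters"] = [n.rsplit("\\", 1)[1] for n in names if n.startswith("\\DosDevices\\")]
            rec["volume_guids"] = [n[len("\\??\\Volume"):] for n in names if n.startswith("\\??\\Volume")]
            rec["users"] = sorted(u for u, guids in mountpoints2_by_user.items()
                                  if any(g in guids for g in rec["volume_guids"]))
            records.append(rec)
    return records

if __name__ == "__main__":
    for rec in build_device_records(USBSTOR, MOUNTED_DEVICES, MOUNTPOINTS2):
        print(rec)
```

The generated-ID check matters in practice: a device without a serial gets a different ID on every machine, so such an entry can be tied to a drive letter and a user on this host but not matched against USBSTOR on another host.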

3. Investigation Workflow — USB Forensics

  1. Collect Forensic Evidence

    • Acquire SYSTEM hive from the suspect machine.

    • Acquire the user’s NTUSER.DAT hive.

    • Capture relevant log files (especially setupapi.dev.log).

  2. Parse & Analyze Registry

    • Open the SYSTEM hive using a registry tool (e.g., Registry Explorer).

    • Navigate to Enum\USBSTOR and list every model key and the instance subkeys beneath it; record vendor, product, revision and the instance name (the serial, or a Windows-generated ID if its second character is &).

    • Under each instance key open Properties\{83da6326-97a6-4088-9453-a1923f573b29} and decode 0064/0065/0066/0067 as UTC FILETIMEs (Windows 8 and later); on older systems take the instance key's LastWrite time instead.

    • Go to MountedDevices and search the value data for the serial: the \DosDevices\X: entry gives the drive letter and the \??\Volume{GUID} entry gives the volume GUID.

    • In each user's NTUSER.DAT hive, look for that volume GUID under MountPoints2 to identify which account mounted the device, and note the subkey's LastWrite time.

  3. Examine SetupAPI Logs

    • Search setupapi.dev.log for the serial number or device instance ID; the "Section start" line of the first "Device Install (Hardware initiated)" section for that path is the first installation time, recorded in the machine's local time.

    • Convert the log's local time to UTC (or the registry FILETIMEs to local) before comparing; the first-install entries in both sources describe the same event and should line up closely, and a large gap points at a clock change or a reinstall.

  4. Correlate Data & Build Timeline

    • Combine registry data and log entries into one timeline: first install (setupapi / 0065) → last connection (0066) → last removal (0067), all on the same clock.

    • Map each device to a user by chaining serial → MountedDevices volume GUID → the NTUSER.DAT whose MountPoints2 holds that GUID.

    • If you have an image of the USB device itself, hash the files of interest so they can be tied to that device and matched against copies found on the host.

  5. Report Findings

    • Document device identifiers (VID, PID, serial).

    • Show timeline of connection / removal.

    • Link user accounts to device usage.

    • Highlight any suspicious patterns (e.g., USB only used outside business hours, many different devices, etc.).
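Steps 3 to 5 of the workflow, as an added example that is not part of the original page: it parses "Device Install" sections out of a constructed setupapi.dev.log excerpt, normalises their local timestamps against already-decoded UTC registry values, sorts everything into one timeline and flags entries outside business hours. The machine time zone (UTC+01:00), the 08:00 to 18:00 working window, the log text, the serial and the registry timestamps are all assumptions made for the example.

```python
"""setupapi.dev.log parsing, timeline merge and after-hours flagging
(added example; log excerpt, time zone and registry values are constructed)."""
import re
from datetime import datetime, time, timedelta, timezone

MACHINE_TZ = timezone(timedelta(hours=1))    # assumption: suspect host runs at UTC+01:00
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption: site's normal working window

# Constructed excerpt of C:\Windows\inf\setupapi.dev.log for one SanDisk stick.
# Timestamps in this log are LOCAL time.
SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230911112345]
>>>  Section start 2024/03/15 10:29:58.904
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2024/03/15 10:30:01.112
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230911112345&0]
>>>  Section start 2024/03/15 10:30:02.117
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 10:30:02.140
<<<  Section end 2024/03/15 10:30:05.506
<<<  [Exit status: SUCCESS]
"""

# Constructed: values already decoded from Properties\{83da6326-...}\0064/0066/0067 (UTC).
REGISTRY_TIMES = {
    "install_date": datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc),
    "last_arrival_date": datetime(2024, 3, 20, 22, 15, tzinfo=timezone.utc),
    "last_removal_date": datetime(2024, 3, 20, 23, 5, 30, tzinfo=timezone.utc),
}

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*$")

def parse_setupapi_installs(text):
    """Map each device instance path to the local time of its FIRST
    'Device Install' section; later sections for the same path (reinstalls,
    driver updates) are ignored so the value keeps meaning 'first seen'."""
    installs = {}
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=MACHINE_TZ)
            installs.setdefault(pending, ts)
            pending = None
    return installs

def build_timeline(serial, installs, registry_times):
    """Merge log sections mentioning the serial with the registry timestamps
    into one list of (utc_time, source, label), oldest first."""
    events = [(ts.astimezone(timezone.utc), "setupapi.dev.log", "install section: " + path)
              for path, ts in installs.items() if serial in path]
    events += [(ts, "USBSTOR Properties", label) for label, ts in registry_times.items()]
    return sorted(events, key=lambda e: e[0])

def after_hours(events):
    """Events whose LOCAL time is outside business hours or on a weekend."""
    flagged = []
    for ts, source, label in events:
        local = ts.astimezone(MACHINE_TZ)
        outside = not (BUSINESS_HOURS[0] <= local.time() < BUSINESS_HOURS[1])
        if outside or local.weekday() >= 5:
            flagged.append((local, source, label))
    return flagged

if __name__ == "__main__":
    timeline = build_timeline("4C530001230911112345", parse_setupapi_installs(SETUPAPI_LOG), REGISTRY_TIMES)
    for ts, source, label in timeline:
        print(ts.isoformat(), source, label)
    for local, source, label in after_hours(timeline):
        print("AFTER HOURS:", local.isoformat(), source, label)
```

Once both sources sit on the same clock, the log's USBSTOR install at 10:30:02 local and the registry 0064 value at 09:30:00 UTC fall two seconds apart, which is the agreement you want to see; the 22:15 UTC arrival and the removal just after local midnight are the entries that get flagged.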

4. Challenges & Anti-Forensics Considerations

  • Users or attackers may delete or edit registry keys to hide traces, but the footprint is spread across SYSTEM, every NTUSER.DAT and setupapi.dev.log, so check that the sources agree; a device present in the log but missing from USBSTOR is itself a finding.

  • Devices that report no serial number get a Windows-generated instance ID (second character &) that is specific to that machine, so the same stick cannot be matched across hosts by that ID alone.

  • Devices that do not enumerate as USB mass storage (phones using MTP, some hardware-encrypted or proprietary devices) will be missing or incomplete under USBSTOR; look for them under Enum\USB instead.

  • setupapi.dev.log is rolled over into archived copies in the same directory once it grows large, and registry timestamps are overwritten on reconnection or driver reinstall (0064 and 0066 change, 0065 does not), so collect early and preserve the originals.

  • setupapi.dev.log timestamps are local time while the Properties FILETIME values are UTC; record the machine's time zone before building a timeline, or the two sources will appear to disagree by the UTC offset.
