# USB Forensics

**1. What Is USB Forensics & Why It Matters**

* USB devices (pendrives, external HDDs) are common vectors for data exfiltration and for delivering malicious payloads.
* Even after a USB device is removed, Windows keeps traces of it (in the registry, in SetupAPI logs, and under MountedDevices) that are extremely valuable to forensic investigators.
* Key questions USB forensics helps answer: *Which device was connected?* *When was it connected/removed?* *Which user account did it belong to?*

**2. Main USB Artifacts (Registry + Logs)**

| Artifact | Location | What It Reveals |
|---|---|---|
| **USBSTOR** | `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` | Vendor ID, Product ID, Serial Number — identifies the physical USB device. |
| **USB Device Classes** | `HKLM\SYSTEM\CurrentControlSet\Enum\USB` | Information about all types of plugged-in USB devices (not just mass storage) — e.g. VID & PID. |
| **Connection / Removal Timestamps** | Under the USBSTOR device key, in a GUID properties subkey (e.g. `{83da6326-…}`) | Values like `0064` (first connection), `0066` (last connection), `0067` (last removal) give time information. |
| **Mounted Devices** | `HKLM\SYSTEM\MountedDevices` | Maps device serial / GUID to drive letter or volume GUID. |
| **Per-User Mount Points** | `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2` | Shows which user account mounted a particular device GUID / volume. |
| **SetupAPI Logs** | `C:\Windows\inf\setupapi.dev.log` | Records device installation events; useful for finding when a USB device was first installed. |

**3. Investigation Workflow — USB Forensics**

1. **Collect Forensic Evidence**
   * Acquire SYSTEM hive from the suspect machine.
   * Acquire the user’s NTUSER.DAT hive.
   * Capture relevant log files (especially `setupapi.dev.log`).
2. **Parse & Analyze Registry**
   * Open the SYSTEM hive using a registry tool (e.g., Registry Explorer).
   * Navigate to `Enum\USBSTOR` to list all previously connected storage devices, and extract serial numbers and vendor/product information.
   * Check each device's GUID properties subkey for connection timestamps (`0064`, `0066`, etc.).
   * Go to `MountedDevices` to correlate device GUID/serial with drive letters or volume GUIDs.
   * In the NTUSER hive, check `MountPoints2` to identify which user account mounted which device.
3. **Examine SetupAPI Logs**
   * Search for the serial number / device instance ID in `setupapi.dev.log` to find the first installation time.
   * Correlate these events with the registry timestamps for a more accurate timeline.
4. **Correlate Data & Build Timeline**
   * Combine registry data + log entries to build a timeline: *first install → first connect → last removal*.
   * Map which device belonged to which user by combining serial / GUID + MountPoints2 info.
   * If you have a file system image of the USB device, hash the files of interest so they can be tied to that device.
5. **Report Findings**
   * Document device identifiers (VID, PID, serial).
   * Show timeline of connection / removal.
   * Link user accounts to device usage.
   * Highlight any suspicious patterns (e.g., USB only used outside business hours, many different devices, etc.).
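Step 3 (searching `setupapi.dev.log` for the first installation time) can be scripted. The following is an added example written for this page, not code from the original article or from any tool it names: it pairs each `>>>  [Device Install (Hardware initiated) - …]` header with its `Section start` line, keeps only `USBSTOR` entries, records the earliest time per device instance ID, and flags the serial-less, auto-generated instance IDs mentioned in the challenges section. The log excerpt, device IDs and timestamps are constructed.

```python
import re
from datetime import datetime

# Constructed setupapi.dev.log excerpt (hypothetical device, not from a real system);
# real logs carry many more lines per section, but the parser only needs these two.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2023/05/12 09:14:32.900
<<<  Section end 2023/05/12 09:14:33.100
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2023/05/12 09:14:33.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2023/05/12 09:14:35.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2023/06/01 18:02:10.000
<<<  Section end 2023/06/01 18:02:11.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def first_install_times(log_text):
    """Map each USBSTOR device instance ID to its earliest 'Section start' time."""
    first_seen = {}
    current = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("id")
            continue
        start = START_RE.match(line)
        if start:
            if current and current.upper().startswith("USBSTOR\\"):
                ts = datetime.strptime(start.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                if current not in first_seen or ts < first_seen[current]:
                    first_seen[current] = ts
            current = None  # nested sections have their own header; never reuse this one
    return first_seen

def serial_from_instance_id(instance_id):
    """'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<serial>&0' -> '<serial>'."""
    return instance_id.split("\\")[-1].split("&")[0]

def is_generated_instance_id(instance_id):
    """True when Windows generated the ID because the device reports no serial
    number: such IDs have '&' as their second character, e.g. '7&1a2b3c4d&0'."""
    tail = instance_id.split("\\")[-1]
    return len(tail) > 1 and tail[1] == "&"
```

Note that `setupapi.dev.log` records local system time, so establish the host's time zone before lining these values up with the registry timestamps.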

**4. Challenges & Anti-Forensics Considerations**

* Some attackers / users may delete or modify registry entries to hide traces.
* Devices without serial numbers may use autogenerated IDs, making correlation harder.
* Encrypted or proprietary USB-based devices may not show up clearly in USBSTOR.
* Log retention (e.g. setupapi logs) might be limited or overwritten, so early collection is important.
