
Artifacts for USB or Drive Usage Part 1: Key Identification || First/Last Times || User

1.Key Identification

USB devices are commonly used for data transfer and storage, making them a crucial aspect of digital forensics investigations. By tracking the USB devices plugged into a machine, investigators can gather valuable information about the usage history and activity on a system.


Location of USB Device Information:

USB device information is stored in the Windows Registry under the following locations:

  1. SYSTEM\CurrentControlSet\Enum\USBSTOR

  2. SYSTEM\CurrentControlSet\Enum\USB


Query using CMD:

  1. Reg Query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

  2. Reg Query HKLM\SYSTEM\CurrentControlSet\Enum\USB


Manually collect the artifact using CMD (or use KAPE):

  1. Reg Save HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR C:\Users\User\Downloads\output.hiv

  2. Reg Save HKLM\SYSTEM\CurrentControlSet\Enum\USB C:\Users\User\Downloads\output.hiv


After collecting the artifact, Registry Explorer can be used to investigate it:

Interpretation:

• Identify vendor, product, and version of a USB device plugged into a machine.

• Identify a unique USB device plugged into the machine.

• Determine the time a device was plugged into the machine.

• Devices that do not have a unique serial number will have an “&” as the second character of the serial number.

-------------------------------------------------------------------------------------------------------------


2.First/Last Times

USB devices play a significant role in digital forensics investigations, and understanding when these devices were first and last connected to a Windows machine can provide valuable insights into user activity and potential security incidents.


First Time Connection:

Location:

  • Plug and Play log files:

    • Windows XP: C:\Windows\setupapi.log

    • Windows 7-10: C:\Windows\inf\setupapi.dev.log


Query using CMD:

  1. C:\Windows\INF>setupapi.dev.log (it is a file, so entering it at the prompt opens it in Notepad)


Manually collect the artifact using CMD (or use KAPE):

  1. copy C:\Windows\INF\setupapi* C:\Users\User\Downloads\Shell


Interpretation:

• Search the log for the device serial number.

• Log file times are recorded in the local time zone.
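The two steps above, pulling vendor, product, revision and serial out of a USBSTOR instance ID and reading the first "Section start" time for each serial, can be done with a small parser. This is an added example, not code from the original post; the log lines in SAMPLE_LOG are constructed to match the setupapi.dev.log layout and are not a real capture.

```python
import re
from datetime import datetime

# Constructed sample of setupapi.dev.log lines (not a real capture). The second
# device has a Windows-generated ID, so its "serial" has '&' as 2nd character.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2023/05/12 14:32:10.123
      cmd: C:\\Windows\\System32\\svchost.exe -k DcomLaunch -p
<<<  Section end 2023/05/12 14:32:12.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1a2b3c4d&0]
>>>  Section start 2023/06/01 09:15:00.000
<<<  Section end 2023/06/01 09:15:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def has_unique_serial(serial: str) -> bool:
    """The '&' rule from the post: a Windows-generated ID has '&' as its second character."""
    return len(serial) > 1 and serial[1] != "&"


def parse_instance_id(instance_id: str) -> dict:
    """Split 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into vendor/product/revision/serial."""
    _, device_desc, serial_part = instance_id.split("\\", 2)
    fields = dict(f.split("_", 1) for f in device_desc.split("&")[1:])  # Ven, Prod, Rev
    serial = serial_part.rsplit("&", 1)[0]  # drop the trailing '&0' instance suffix
    return {"vendor": fields.get("Ven"), "product": fields.get("Prod"),
            "revision": fields.get("Rev"), "serial": serial,
            "unique_serial": has_unique_serial(serial)}


def first_install_times(log_text: str) -> dict:
    """Map each USBSTOR serial to the first 'Section start' time in the log.
    Times stay as written in the log, i.e. local time of the examined machine."""
    result, pending = {}, None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = parse_instance_id(m.group(1))
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            result.setdefault(pending["serial"], {**pending, "first_install": ts})
            pending = None
    return result


if __name__ == "__main__":
    for serial, info in first_install_times(SAMPLE_LOG).items():
        print(serial, info["vendor"], info["product"], info["first_install"], info["unique_serial"])
```

On a real system, read C:\Windows\inf\setupapi.dev.log (and any rolled setupapi.dev.*.log files) and pass the text to first_install_times.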


Last Time Connection (NTUSER.DAT hive):

Location:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}


Query using CMD:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


Manually collect the artifact using CMD (or use KAPE):

  1. Reg Save "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" C:\Users\User\Downloads\output.hiv


Interpretation:

Using the Serial Number as the marker, you can determine the time a specific USB device was last connected to the local machine.

-------------------------------------------------------------------------------------------------------------


3. User

USB devices often play a critical role in forensic investigations, and identifying the user who used a particular USB device can provide valuable insights into user activity and potential security incidents.


Location:

  • GUID from SYSTEM\MountedDevices:

    • This GUID is used to identify the user who plugged in the USB device.

  • NTUSER.DAT hive:

    • Path: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


Query using CMD:

  1. Look up the GUID of the device in SYSTEM\MountedDevices:

     reg query HKLM\SYSTEM\MountedDevices

  2. Look for the same GUID under the user's MountPoints2 key:

     reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


For manual extraction of the artifact, save the details with reg save, giving the registry key you want to save and the destination path where you want to store it; alternatively, use KAPE.


Interpretation:

Identify the GUID from SYSTEM\MountedDevices:

  • The first step is to locate the GUID associated with the USB device of interest in the SYSTEM\MountedDevices registry key.

Locate the user's personal MountPoints key:

  • Once the GUID is identified, it is used to locate the user's personal mountpoints key in the NTUSER.DAT hive, specifically in the Explorer\MountPoints2 subkey.

Determine the last write time:

  • The last write time of the user's mountpoints key corresponds to the last time the USB device was plugged into the machine by that user.

User attribution:

  • By examining the user's mountpoints key, forensic investigators can attribute the usage of the USB device to a specific user account.

-------------------------------------------------------------------------------------------------------------