
Tracking USB Key Temporal Data on Windows Systems


When it comes to USB key forensics, understanding the timeline of device connections and disconnections can be crucial. Let's dive into the three key temporal data points you can track:


  1. First Time Device Connected

  2. Last Time Device Connected

  3. Removal Time

New Times in Windows 8+ Registry Structure

In Windows 8 and above, you'll find additional timestamp information in the USBStor registry key, specifically under the Properties key with the GUID {83da6326-97a6-4088-9453-a1923f573b29}.


  • 0064: First Install Date of the device (Windows 7 and Windows 8+)

  • 0066: Last Connected Date of the device (Windows 8+ only)

  • 0067: Last Removal Date (Windows 8+ only)



Locations to Find Temporal Data

First Install Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064

Last Connected Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066

Last Removal Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067

Identifying First Time Device Was Installed

  1. Search for the Unique Serial Number:

  • Use the unique Serial Number of the USB device to search within setupapi.dev.log.

  • This will allow you to identify when the device was first plugged into the Windows system. The log lives at:

    • XP: C:\Windows\setupapi.log

    • Vista+: C:\Windows\inf\setupapi.dev.log



Alternative Locations for Last Time Device Connected

  • Serial Number Key

    • Registry Path: SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY

    • Look for the last written time of the Serial Number Key

  • Volume GUID

    • Registry Path: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}

    • Look for the last written time of the Volume GUID

Why This Data is Useful

  • Validation: Confirms information from other sources like setupapi.dev.log and MountPoints2 in the NTUSER.DAT hive.

  • Device Removal: This is the first logging method that shows when a device was removed, which is a significant find.

Converting Hex Timestamp to Human-Readable Date

You'll notice that these timestamps are stored as Windows 64-bit (FILETIME) values, which registry viewers display as hex bytes. You can convert them to human-readable dates using various tools.
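As an added example (not code from the original post), the following Python decodes the 8-byte FILETIME values held in the 0064/0066/0067 properties into UTC dates and orders them into a per-device timeline. The byte dumps in SAMPLE_PROPS are constructed, and the property labels are the ones listed above.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC and is
# stored as an 8-byte little-endian integer, which regedit shows as a hex dump.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property names under {83da6326-97a6-4088-9453-a1923f573b29} and what each records.
PROPERTY_LABELS = {"0064": "First Install Date", "0066": "Last Connected Date", "0067": "Last Removal Date"}


def parse_reg_hex(dump: str) -> bytes:
    """Turn a registry viewer's byte dump ('00 a4 8a 9f ...') into raw bytes."""
    return bytes.fromhex(dump.replace(",", " ").replace(" ", ""))


def filetime_to_datetime(raw: bytes):
    """Convert 8 little-endian FILETIME bytes to an aware UTC datetime.
    A zero or all-0xFF value means nothing was recorded, so return None."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME is 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    if ticks in (0, 0xFFFFFFFFFFFFFFFF):
        return None
    # Truncate to whole microseconds; timedelta has no 100 ns resolution.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_device_properties(props: dict) -> list:
    """Return [(label, datetime)] for one device's 0064/0066/0067 dumps,
    oldest first, skipping values that hold no timestamp."""
    events = []
    for name, dump in props.items():
        when = filetime_to_datetime(parse_reg_hex(dump))
        if when is not None:
            events.append((PROPERTY_LABELS.get(name, name), when))
    return sorted(events, key=lambda e: e[1])


# Constructed sample (not from a real system): dumps as a registry viewer would
# show them for a device last connected 30 days after install and never seen removed.
SAMPLE_PROPS = {
    "0064": "00 a4 8a 9f 4a 57 d9 01",  # 2023-03-15 14:30:00 UTC
    "0066": struct.pack("<Q", 0x01D9574A9F8AA400 + 30 * 86400 * 10_000_000).hex(" "),
    "0067": "00 00 00 00 00 00 00 00",  # Windows 7, or removal never logged
}

if __name__ == "__main__":
    for label, when in decode_device_properties(SAMPLE_PROPS):
        print(f"{label:20} {when:%Y-%m-%d %H:%M:%S} UTC")
```

The same decoder applies to the last-written times of the Serial Number and Volume GUID keys, since registry key timestamps are FILETIMEs as well.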


Akash Patel
