
USB Device Profiling: How to Track Key Timestamps

Updated: Jan 24


When it comes to USB key forensics, understanding the timeline of device connections and disconnections can be crucial.


Key Timestamps to Track:

Windows records three important timestamps for USB devices:


  1. First Time Device Connected

  2. Last Time Device Connected

  3. Removal Time

New Times in Windows 8+ Registry Structure

In Windows 8 and above, you'll find additional timestamp information in the USBStor registry key, specifically under the Properties key with the GUID {83da6326-97a6-4088-9453-a1923f573b29}.


  • 0064: First Install Date of the device (Windows 7 and Win8)

  • 0066: Last Connected Date of the device (Windows 8+ only)

  • 0067: Last Removal Date (Windows 8+ only)


This GUID appears in several device categories such as HID (Human Interface Devices), USBSTOR (USB storage devices), MTP (Media Transfer Protocol), and others.

Locations to Find Timestamps Data

First Install Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064

Last Connected Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066

Last Removal Date

  • Registry Path: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067

--------------------------------------------------------------------------------------------------


How It Works in Modern Windows Systems:

Starting from Windows 7, the First Time Device Connected timestamp was introduced. With Windows 8 and newer versions, additional timestamps were added to track the Last Time Device Connected and Removal Time.

Timestamps are stored in FILETIME format, a 64-bit value in which Windows records time.
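As an added example (not code from the original post), here is a small Python helper that builds the registry paths listed above and decodes the 8-byte FILETIME values stored under them; the device class, serial number and timestamps are constructed sample data, and the functions assume the raw bytes have already been read from the hive (for example with an offline registry parser).

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC,
# stored little-endian as an 8-byte REG_BINARY value under the Properties key.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PROPERTIES_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
# Property ids from the post; 0066 and 0067 only exist on Windows 8 and later.
PROPERTY_IDS = {"0064": "first_install", "0066": "last_connected", "0067": "last_removal"}

def property_path(device_class, serial, prop_id):
    """Registry path of one timestamp value, in the layout the post lists."""
    return "\\".join(["SYSTEM", "CurrentControlSet", "Enum", "USBSTOR", device_class,
                      serial, "Properties", PROPERTIES_GUID, prop_id])

def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME into a timezone-aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Encode a UTC datetime as an 8-byte FILETIME (used here to build sample data)."""
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)

def device_timeline(device_class, serial, raw_props):
    """Decode the 0064/0066/0067 values of one device. Ids missing from the hive
    (for example a Windows 7 system without 0066/0067) are reported as None."""
    timeline = {"device_class": device_class, "serial": serial}
    for prop_id, name in PROPERTY_IDS.items():
        raw = raw_props.get(prop_id)
        timeline[name] = filetime_to_datetime(raw) if raw else None
    return timeline

# Constructed sample device (not real evidence) with all three properties present.
SAMPLE_CLASS = "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
SAMPLE_SERIAL = "0123456789ABCDEF&0"
SAMPLE_PROPS = {
    "0064": datetime_to_filetime(datetime(2024, 1, 20, 9, 15, tzinfo=timezone.utc)),
    "0066": datetime_to_filetime(datetime(2024, 1, 24, 8, 30, tzinfo=timezone.utc)),
    "0067": datetime_to_filetime(datetime(2024, 1, 24, 8, 52, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, value in device_timeline(SAMPLE_CLASS, SAMPLE_SERIAL, SAMPLE_PROPS).items():
        print(f"{name:>14}: {value}")
```

A removal timestamp earlier than the last-connected one, or a first-install date later than either, is worth flagging, since it usually points to a clock change on the examined system.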


Now, the question you will ask: what if I am working on an older version?

Fair point, but I've got you covered.

If you're working with Windows XP or Windows 7, you won't find the Last Removal Time, but you can still use other logs, such as:

XP:      C:\Windows\setupapi.log
Vista+:  C:\Windows\inf\setupapi.dev.log

Use these logs to track when a device was first connected. Keep in mind that older systems use different methods for tracking connection times.


--------------------------------------------------------------------------------------------------


How to Make the Process Faster:

Use Registry Explorer; this will help speed up the process.


This will help you piece together a timeline of USB device activity and track any suspicious behavior during your investigation.

--------------------------------------------------------------------------------------------------

Conclusion:

Tracking USB device activity is a powerful tool for forensic examiners. By utilizing the registry’s timestamps, you can quickly find when a device was connected, removed, and even when it was first installed.


Always document the key details of each device, and cross-reference timestamps to build a clear timeline of events.


---------------------------------------------Dean------------------------------------------
