
Audit USB Devices on Windows: USBSTOR and USB

Updated on Jan 24, 2025


USB devices play a crucial role in digital forensics and IT security. Whether you're investigating a security incident, checking for unauthorized device usage, or simply maintaining logs, auditing USB device history is essential.

One of the best places to start is the Windows Registry, specifically the SYSTEM\CurrentControlSet\Enum\USB key. Let’s break it down in an easy-to-follow manner.

-----------------------------------------------------------------------------------------------------------

USB Registry Key

Understanding the USB Registry Key

The SYSTEM\CurrentControlSet\Enum\USB key tracks all USB devices that have been connected to the system, including:


  • USBSTOR (Mass storage devices like flash drives and external hard drives)

  • UASP (Advanced storage devices)

  • MTP/PTP (Smartphones, digital cameras)

  • HID (Keyboards, mice, game controllers)

  • USB Hubs (External USB hubs for multiple connections)


This registry key gives investigators a broad overview of USB activity on a machine, helping to track down unauthorized or suspicious devices.


-----------------------------------------------------------------------------------------------------------


What Information Can You Extract?

When auditing USB devices, the following information is critical:


  • Device Type: Identifies whether it's a storage device, keyboard, webcam, etc.

  • Vendor ID (VID): Represents the manufacturer of the device.

  • Product ID (PID): Identifies the specific product.

  • Device iSerialNumber: A unique identifier for tracking devices across different registry keys and logs.

  • ParentIdPrefix (for UASP devices): Helps associate devices with their storage controllers.

Under each iSerialNumber sub-key, you’ll find key attributes like:

  • DeviceDesc – Provides a user-friendly description of the device.

  • Service – Indicates the type of service associated with the device.

These values can be cross-referenced with databases like the USB IDs Repository or DeviceHunt to determine the manufacturer and device type.


In the screenshot above, the Service value is USBSTOR (there are several possible Service values, and they help you determine what type of device was connected).

Understanding Service Types

Common Service types (important for understanding the type of device) are:

  • USBSTOR (MSC USBSTOR)

  • UASPSTOR (MSC UASP SCSI)

  • HidUSB (HID input device)

  • WUDFWpdMtp (MTP device like smartphone)

  • usbvideo (Video device like webcam)

  • usbaudio (Microphone)

  • USBHUB3 (USB hub)

  • BTHUSB (Bluetooth)

  • vmusb (VMware USB device pass-through)

  • usbccgp (Composite USB device - a peripheral that combines functionality from more than one device class. A keyboard with a built-in mouse input is one example)


-----------------------------------------------------------------------------------------------------------


**********************************

With the arrival of USB 3.0, a new and improved transfer protocol called USB Attached SCSI Protocol (UASP) was introduced. UASP allows much faster, multi-threaded data transfers. It was primarily designed to handle high-speed solid-state drives (SSDs) and to make full use of the faster data rates of USB 3.0. UASP works with USB 3.x SuperSpeed, Thunderbolt, and even USB4.

Kindly Note:

Modern systems using UASP don’t store device information under USBSTOR! Instead, UASP devices are logged under a different registry key called SCSI. This means that if you only look at USBSTOR, you could be missing crucial evidence.



**********************************

-----------------------------------------------------------------------------------------------------------


Real-World Example

Let’s say you find a device with:

  • VID: 1058 

  • PID: 25A2

  • Service: USBSTOR (Indicating it’s a mass storage device)



Looking up these values online (https://devicehunt.com/, http://www.linux-usb.org/usb.ids), you can even find images of the exact device model. This level of detail can be invaluable in investigations.

Yeah, it's true, my hard drive belongs to this vendor name.

-----------------------------------------------------------------------------------------------------------


Making this easy for you!

Manually going through each registry key can be time-consuming, especially on systems with numerous USB connections. Tools like Registry Explorer come with plugins that can extract and present USB audit data in a structured format.

Best Practices:

  • Sort by Device Name to quickly find the devices of interest.

  • Sort by Timestamp (last write time of VID/PID key) to track activity within a specific investigation window.

  • Be cautious: Registry timestamps may not always reflect the last usage time accurately. Cross-check with Event Logs for more precise data.


-----------------------------------------------------------------------------------------------------------


USBSTOR Registry Key


For mass storage devices (MSC USBSTOR), additional details are available under SYSTEM\CurrentControlSet\Enum\USBSTOR.

This key contains subkeys named after the Device ID, with one or more subkeys representing iSerialNumbers.

By matching an iSerialNumber from USB to USBSTOR, we can extract further details such as:


  • Device ID (Stored in the USBSTOR sub-key name)

  • FriendlyName (Human-readable name of the device)

  • First Time Device Connected

  • Last Time Device Connected

  • Last Removal Time



Additionally, each USBSTOR entry contains a DiskId value located at:

The DiskId correlates with Microsoft-Windows-Partition/Diagnostic.evtx, which provides further metadata and timestamps.
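As an added, runnable illustration of the whole workflow described above (this is example code written for this article, not the author's own tooling and not part of Registry Explorer), the Python script below correlates the two keys offline. It assumes the investigator exported the Enum\USB and Enum\USBSTOR keys to .reg files with `reg export`, parses the device key names into VID, PID and iSerialNumber, maps the Service value to a device class using the list from the USB key section, resolves VID/PID against a file in usb.ids format (the format the USB IDs Repository publishes), and matches the iSerialNumber to its USBSTOR entry to pull the FriendlyName. The registry content, serials and usb.ids entries embedded in the script are constructed for the example, and the names it shows for VID 1058 / PID 25A2 are placeholders, not the real repository entries. A storage-class device with no USBSTOR match is flagged so that the SCSI key gets checked for the UASP case noted earlier.

```python
"""Offline USB audit: correlate Enum\\USB with Enum\\USBSTOR from `reg export` dumps.
Added example for this article (not the author's or any tool's code). Assumes the keys were
exported with `reg export HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB usb.reg` (same for USBSTOR);
real exports are UTF-16LE, so read them with encoding="utf-16". All sample data is constructed.
"""
import re

# Service name (lower-cased) -> device class, from the article's list of Service types.
SERVICE_TYPES = {"usbstor": "mass storage (MSC)", "uaspstor": "mass storage (UASP SCSI)",
                 "hidusb": "HID input device", "wudfwpdmtp": "MTP device (smartphone)",
                 "usbvideo": "video device (webcam)", "usbaudio": "audio device (microphone)",
                 "usbhub3": "USB hub", "bthusb": "Bluetooth", "vmusb": "VMware USB pass-through",
                 "usbccgp": "composite USB device"}
# Subkey shapes: USB\VID_xxxx&PID_xxxx[&MI_nn]\<iSerialNumber> and USBSTOR\<DeviceId>\<serial>&0
USB_KEY = re.compile(r"\\Enum\\USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\([^\\]+)$", re.I)
USBSTOR_KEY = re.compile(r"\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.I)
REG_VALUE = re.compile(r'"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # "name"="string" (REG_SZ) lines only

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}; dword:/hex: values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := REG_VALUE.match(line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def parse_usb_ids(text):
    """Parse usb.ids: 'vvvv  vendor' lines followed by tab-indented 'pppp  product' lines."""
    vendors, products, vendor = {}, {}, None
    for line in text.splitlines():
        v = re.match(r"^([0-9a-f]{4})  (.+)$", line, re.I)
        p = re.match(r"^\t([0-9a-f]{4})  (.+)$", line, re.I)
        if v:
            vendor = v.group(1).lower()
            vendors[vendor] = v.group(2).strip()
        elif p and vendor:
            products[(vendor, p.group(1).lower())] = p.group(2).strip()
        elif line and not line.startswith(("#", "\t")):
            vendor = None  # the class-code sections that follow the vendor list
    return vendors, products

def collect_usbstor(keys):
    """Map iSerialNumber -> USBSTOR details; USBSTOR instance names carry a trailing '&0'."""
    by_serial = {}
    for path, values in keys.items():
        if m := USBSTOR_KEY.search(path):
            serial = m.group(2).rsplit("&", 1)[0]
            by_serial[serial] = {"device_id": m.group(1), "friendly": values.get("FriendlyName", "")}
    return by_serial

def audit(usb_reg_text, usbstor_reg_text, usb_ids_text):
    """One record per iSerialNumber subkey of Enum\\USB, enriched from usb.ids and USBSTOR."""
    keys = parse_reg_export(usb_reg_text)
    keys.update(parse_reg_export(usbstor_reg_text))
    vendors, products = parse_usb_ids(usb_ids_text)
    usbstor = collect_usbstor(keys)
    report = []
    for path, values in keys.items():
        if not (m := USB_KEY.search(path)):
            continue
        vid, pid, serial = m.group(1).lower(), m.group(2).lower(), m.group(3)
        service = values.get("Service", "")
        rec = {"vid": vid, "pid": pid, "serial": serial, "service": service,
               "type": SERVICE_TYPES.get(service.lower(), "unknown service"),
               "desc": values.get("DeviceDesc", "").split(";")[-1],
               "vendor": vendors.get(vid, "unknown vendor"),
               "product": products.get((vid, pid), "unknown product"),
               "usbstor": usbstor.get(serial), "note": ""}
        # A storage Service with no USBSTOR record is the UASP case the article warns about.
        if rec["usbstor"] is None and service.lower() in ("usbstor", "uaspstor"):
            rec["note"] = "no USBSTOR record; check Enum\\SCSI (UASP)"
        report.append(rec)
    return report

# Constructed sample exports: the serials, the 1234/ABCD devices and the usb.ids names are made up.
SAMPLE_USB_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1058&PID_25A2\575833314142303030303030]
"DeviceDesc"="@usbstor.inf,%genericbulkonly.devicedesc%;USB Mass Storage Device"
"Service"="USBSTOR"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_5678\6&1a2b3c4d&0&2]
"DeviceDesc"="@usb.inf,%usb\\composite.devicedesc%;USB Composite Device"
"Service"="usbccgp"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_ABCD&PID_0001\0123456789ABCDEF]
"DeviceDesc"="@uaspstor.inf,%uaspstor.devicedesc%;USB Attached SCSI (UAS) Mass Storage Device"
"Service"="UASPSTOR"
"""
SAMPLE_USBSTOR_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Example_Drive&Rev_1021\575833314142303030303030&0]
"FriendlyName"="Example Drive USB Device"
"""
SAMPLE_USB_IDS = """# constructed excerpt in usb.ids format
1058  Example Vendor (placeholder for VID 1058)
\t25a2  Example Drive (placeholder for PID 25A2)
C 00  (Defined at Interface level)
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_USB_REG, SAMPLE_USBSTOR_REG, SAMPLE_USB_IDS):
        stor = r["usbstor"]["friendly"] if r["usbstor"] else "-"
        print(f'{r["vid"]}:{r["pid"]} {r["type"]:<26} {r["vendor"]} / {r["product"]} | '
              f'USBSTOR: {stor} {r["note"]}')
```

Run it as-is to see the constructed data; for a real case, pass the contents of your exported files (decoded as UTF-16) and the current usb.ids to audit(). A .reg export carries no key timestamps, so the last-write times and the first/last connected and removal times still have to come from the hive itself, for example through Registry Explorer.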



Conclusion

Whether investigating unauthorized access, tracking lost data, or analyzing security threats, this method provides a solid foundation for USB audits.


Stay tuned for the next article, where we will analyze USB time tracking in greater detail!

----------------------------------------------Dean--------------------------------------------------

