Connection Timestamps

Connection timestamps can provide insights into when a device was first installed, last connected, and last removed. This information is vital in constructing timelines, identifying unauthorized access, or investigating data exfiltration incidents.

Key Identification

Artifact Locations

• Windows XP: C:\Windows\setupapi.log

• Windows 7 and Newer:

  • Log File: C:\Windows\inf\setupapi.dev.log

  • Registry for USBSTOR: SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####

  • Registry for SCSI: SYSTEM\CurrentControlSet\Enum\SCSI\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####

  • Event Logs: %SYSTEMROOT%\System32\winevt\logs\Microsoft-Windows-Partition\Diagnostic.evtx

Critical Information

• Log File Times: Recorded in the local time zone.

• Registry Timestamp Keys:

  • 0064: First Install Date (Windows 7+)

  • 0066: Last Connected Date (Windows 8+)

  • 0067: Last Removal Date (Windows 8+)

• Timestamp Format: Stored in Windows 64-bit FILETIME format.

• Event ID 1006: Recorded in the Diagnostic event log for device connections/disconnections.

• Log Clearance: The log may be cleared during major OS updates.

Overview

Connection Timestamps in Logs and Registry

For forensic analysts, connection timestamps are invaluable for piecing together the sequence of events involving USB devices. These timestamps can be found in log files, such as setupapi.log or setupapi.dev.log, and within the Windows Registry under specific GUIDs for USBSTOR and SCSI devices. Additionally, Windows event logs, particularly the Diagnostic event log, contain entries for device connections and disconnections, offering another layer of temporal data.

Analyzing The Artifact

1. Windows XP:

   • Examine C:\Windows\setupapi.log for entries related to USB device installations and removals. Search for the device's serial number to filter relevant entries.

2. Windows 7+:

   • For connection logs, consult C:\Windows\inf\setupapi.dev.log, searching for the device's serial number.

   • In the Registry, navigate to the specified USBSTOR and SCSI paths. Look for the Properties subkey corresponding to the GUID {83da6326-97a6-4088-9453-a19231573b29} and examine the values for 0064, 0066, and 0067 to determine installation, last connection, and removal times.

   • Review the Diagnostic event log for Event ID 1006 entries to identify device connect/disconnect events.

Tools for Analysis

• Log Parsers: Tools like Microsoft's LogParser can help sift through setupapi.dev.log files to find entries related to specific USB devices.

• Registry Editors: Directly navigate the Windows Registry using regedit or use third-party tools for easier extraction of the specified values.

• Event Log Viewers: Windows Event Viewer or third-party tools like Event Log Explorer can facilitate the examination of Diagnostic event logs for relevant device connection entries.

Practical Use Case

In an incident where sensitive data is suspected to have been exfiltrated via a USB device, analysts can use connection timestamps to narrow down when the device was active on the system. By correlating these timestamps with file access logs, audit trails, and user activity logs, it's possible to establish a timeline of events leading up to and following the suspected data exfiltration, aiding in the identification of responsible parties and the reconstruction of their actions.

Connection timestamps offer a precise and invaluable resource for forensic investigations, enabling analysts to trace the usage of USB devices and understand their impact on the system under examination.