Key Identification

Key Insights

Artifact Locations

  • USBSTOR: SYSTEM\CurrentControlSet\Enum\USBSTOR

  • USB: SYSTEM\CurrentControlSet\Enum\USB

  • SCSI: SYSTEM\CurrentControlSet\Enum\SCSI

  • HID: SYSTEM\CurrentControlSet\Enum\HID

  • Device Migration for Older Data: SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration

Critical Information

  • These Registry keys can help identify the vendor, product, and version of USB devices.

  • The keys record the first and last connection times of a device.

  • Devices lacking a unique internal serial number feature an "&" as the second character of the serial number.

  • The displayed internal serial number might not match the physical serial number on the device.

  • The ParentIdPrefix value under USB keys is crucial for linking a USB device entry to its corresponding SCSI entry.

  • SCSI\<ParentIdPrefix>\Device Parameters\Partmgr\DiskId correlates with Partition/Diagnostic logs and the Windows Portable Devices key for comprehensive device tracking.

  • Data retention varies by Windows version, with Windows 10/11 retaining up to one year of data.

Overview

These Registry keys provide a wealth of information about each USB device that has been connected to the system:

  • USBSTOR and USB keys are directly related to the identification of USB storage devices, including details such as device type, manufacturer, and model.

  • SCSI keys often relate to storage devices that use SCSI command sets, which can include USB storage devices presented to the system using SCSI standards.

  • HID (Human Interface Device) keys track peripherals such as keyboards, mice, and other devices that interact with the user interface.

Each key houses subkeys and values detailing the specifics of connected devices, including hardware IDs, vendor information, and connection timestamps. These details are pivotal in constructing a timeline of device usage, identifying suspicious activity, and corroborating other forensic findings.

Analyzing The Artifact

  1. Identifying Connected USB Devices: Navigate to SYSTEM\CurrentControlSet\Enum\USBSTOR and SYSTEM\CurrentControlSet\Enum\USB to find entries for every USB device. Look for DeviceDesc values to identify device types and manufacturers.

  2. Determining Connection Times: Examine the Properties subkey under each device entry for timestamp values. These can include installation and last removal times, which are essential for timeline analysis.

  3. Serial Number Analysis: Serial numbers are located within the device's subkey name or under the Properties subkey. Analyze the format for unique identification or signs of generic serial numbers (e.g., those with an "&" symbol).

  4. Linking USB to SCSI Entries: Use the ParentIdPrefix value found in USB device entries to link to corresponding SCSI device entries. This linkage is vital for understanding device interactions with the system at a lower level.

  5. Reviewing HID Devices: For peripherals, explore the SYSTEM\CurrentControlSet\Enum\HID key. This can reveal information about non-storage USB devices connected to the system.

  6. Historical Data Analysis: For systems upgraded from older versions of Windows, check SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration for legacy device connection data.

Tools for Analysis

  • RegRipper: Automates the extraction of forensic information from the Registry, including USB device connection histories.

  • USBDeview: A utility that lists all USB devices that are currently connected to the computer, as well as all USB devices that were previously used on it.

  • Windows Registry Editor: Manual examination of the Registry can be conducted using the built-in Registry Editor (regedit), though this requires careful navigation and understanding of Registry structures.

Practical Use Case

In a scenario where an organization suspects data exfiltration via USB devices, forensic analysts can use the outlined Registry keys to identify all USB storage devices connected to a suspect machine. By analyzing connection times, device identifiers, and serial numbers, analysts can correlate device usage with other forensic artifacts (e.g., file access logs, shadow copies) to identify suspicious data transfers or unauthorized access.

USB device tracking through Windows Registry analysis offers a powerful method for understanding device interactions with a system, providing critical insights in forensic investigations and incident response activities.


Last updated 1 year ago
