Plug & Play Event Log
System Event Log (System.evtx)
System.evtx)Event IDs for Driver Install Attempts
20001, 20003: These events indicate that a Plug and Play driver installation was attempted for a device. These IDs can be particularly useful for tracing the initial recognition and setup of USB devices when first connected to the Windows system.
Security Event Log (Security.evtx)
Security.evtx)Event IDs for Access Attempts
4663: Signifies an attempt to access a removable storage object. This event is crucial for identifying successful access to USB devices.
4656: Indicates a failure to access a removable storage object, providing insight into denied accesses or potential malicious activities aimed at unauthorized device usage.
6416: Marks the recognition of a new external device by the system. This event helps in identifying when a USB device was first connected.
It's important to note that the presence of these events in the Security log depends on the system's audit settings. Proper configuration is required to ensure these events are logged, offering valuable information for forensic analysis.
Diagnostic Event Log (Microsoft-Windows-Partition/Diagnostic.evtx)
Microsoft-Windows-Partition/Diagnostic.evtx)Event ID for Device Connect/Disconnect
1006: Recorded for each device connection and disconnection, offering precise timestamps for when USB devices were used. This log can be pivotal in reconstructing event timelines and understanding device usage patterns.
Analysis Approach
Identify Relevant Events: Begin by locating the event IDs outlined above within the respective event logs. This step involves parsing through
System.evtx,Security.evtx, andMicrosoft-Windows-Partition/Diagnostic.evtxfiles to find entries corresponding to USB device activities.Correlate Device Activities: Use the identified events to build a timeline of when USB devices were connected, accessed, and disconnected. This timeline can then be correlated with other system activities to provide context around potential security incidents or unauthorized data access.
Review Event Details: For each relevant event, examine the detailed information provided, such as device identifiers, timestamps, and the nature of the access attempt (successful or failed). This information can be crucial in linking USB device activity to specific user actions or system changes.
Consider System Configuration: Recognize that the availability and depth of logged information may vary based on system configuration and audit policies. Ensuring comprehensive logging is enabled can greatly enhance the value of these logs in forensic investigations.
Tools for Analysis
Event Viewer: Windows Event Viewer provides a GUI for accessing and filtering event logs, allowing for the manual review of entries related to USB device activity.
Log Parsing Tools: Tools such as LogParser or PowerShell scripts can automate the extraction and analysis of specific event IDs from large log files, streamlining the forensic process.
Practical Use Case
In an investigation of unauthorized data exfiltration, analyzing these event logs can help identify when a suspicious USB device was connected, if and when it was successfully accessed, and when it was removed. By linking these events with user login records and file access logs, forensic analysts can piece together a comprehensive picture of the incident, potentially identifying the responsible parties and the scope of the data accessed or removed.
In summary, the detailed examination of Plug and Play event logs plays a vital role in USB forensic analysis, providing key insights into device interactions, user activities, and system responses to external devices.
Last updated
Was this helpful?