Digital Forensics: Artifact Profile – USB Devices
APPLICATION NAME: USB Devices
CATEGORY: Operating System
RELATED ARTIFACTS: None
OPERATING SYSTEMS: Windows
Windows Vista+ – ROOT/Windows/inf/setupapi.dev.log
Windows XP – ROOT/Windows/setupapi.log
Importance to Investigators
USB device history can be a great source of evidence when an examiner needs to determine if and why an external device was connected to a system. It can also help investigators understand how USB devices have been used on a given system, and possibly explain how a suspect might have used a USB device in the commission of a crime or incident.
USB device analysis varies with the operating system (e.g. Windows XP vs. Windows 7) and with the type of USB device connected (e.g. USB Mass Storage Device, Removable Storage, or MTP device). The device type dictates which drivers are installed on the system and how Windows handles the device. Examiners will most often find valuable evidence for USB Mass Storage Devices, but should still be familiar with the other device types and how they are handled. For USB Mass Storage Devices, analyzing USB activity on a Windows PC typically means collecting details from several locations, each of which answers a different question.
The USBSTOR key (SYSTEM\CurrentControlSet\Enum\USBSTOR) records the vendor, product and revision of each USB storage device connected, with a subkey named for the device serial number beneath it. That serial number is the pivot for the rest of the analysis: it ties the device to its mounted drive letter, to the user who connected it, and to its first and last connected times. If a device did not report a serial number, Windows generates one, recognizable by an '&' as its second character; such a value is not unique to the device and cannot be used to match the same hardware across systems.
The MountedDevices key (SYSTEM\MountedDevices) lets examiners match a serial number to the drive letter or volume GUID assigned when the device was mounted; each value's binary data is a UTF-16 device string containing the USBSTOR path and serial number. A \DosDevices\X: value holds only the most recently mounted device for that letter, so when several devices have shared a letter the earlier ones can no longer be tied to it; the \??\Volume{GUID} values persist and still identify each device, and they are the GUIDs that MountPoints2 records.
The MountPoints2 key (Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 in NTUSER.DAT) reveals which user was logged in and active when the device was connected: it lists the volume GUIDs of every device that user mounted, and the last write time of each GUID subkey records the last time that user connected the device. Because the key lives in each user's NTUSER.DAT, examiners may need to search every user hive on the system to find who connected a particular device.
The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB) provides the vendor and product IDs of each device (subkeys named VID_xxxx&PID_xxxx) and identifies the last time the device was connected: the last write time of the subkey named for the device serial number is updated on each connection.
Additionally, examiners can identify when the device was first connected by searching the setupapi log (paths above) for the serial number; the timestamp on the section that installed the device is the first-connected time. Unlike the registry timestamps, which are stored in UTC, setupapi entries are written in the system's local time and must be converted (using the time zone recorded in SYSTEM\CurrentControlSet\Control\TimeZoneInformation) before they are placed on a UTC timeline.
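The correlation walked through above, as an added example that is not part of the original artifact profile or of any Magnet Forensics tool. It is written in Python; the USBSTOR instance path, MountedDevices values, MountPoints2 GUIDs, FILETIME last-write value and setupapi.dev.log lines are constructed for illustration, and the system time zone (UTC-5) is an assumption that a real case would take from the SYSTEM hive's TimeZoneInformation key.

```python
"""Correlate the registry and setupapi artifacts above for one USB device.
Added example: hive values and log lines below are constructed; a real case
extracts them from the offline SYSTEM/NTUSER.DAT hives and setupapi.dev.log."""
import re
from datetime import datetime, timedelta, timezone

USBSTOR_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>[^\\]+)$")
INSTALL_RE = re.compile(r"^>>>\s+\[Device Install .*? - (?P<path>USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")

def parse_usbstor(instance_path):
    """Split a USBSTOR instance path into vendor, product, revision and serial.
    A serial whose second character is '&' was generated by Windows because the
    device reported none, so it does not uniquely identify the hardware."""
    m = USBSTOR_RE.match(instance_path)
    if m is None:
        raise ValueError("not a USBSTOR disk instance path: %r" % instance_path)
    d = m.groupdict()
    serial = d.pop("instance").rsplit("&", 1)[0]     # drop the trailing "&<n>"
    d["serial"] = serial
    d["serial_is_generated"] = len(serial) > 1 and serial[1] == "&"
    return d

def _names_for(serial, mounted_devices, prefix):
    """MountedDevices value names (with the given prefix) whose REG_BINARY data,
    a UTF-16LE string like _??_USBSTOR#Disk&Ven_...#<serial>&0#{guid}, names the serial."""
    needle = "#%s&" % serial
    return [name for name, data in mounted_devices.items()
            if name.startswith(prefix) and needle in data.decode("utf-16-le")]

def drive_letter_for(serial, mounted_devices):
    """Last drive letter mapped to the device. A \\DosDevices\\X: value keeps only
    the most recent device mounted at that letter, so None is a normal result."""
    names = _names_for(serial, mounted_devices, "\\DosDevices\\")
    return names[0].rsplit("\\", 1)[1] if names else None

def volume_guids_for(serial, mounted_devices):
    """Volume GUIDs (\\??\\Volume{...}) of the device; they survive letter reuse and
    are what MountPoints2 records per user."""
    return [n[len("\\??\\Volume"):] for n in _names_for(serial, mounted_devices, "\\??\\Volume{")]

def users_for(volume_guids, mountpoints2_by_user):
    """Users whose NTUSER.DAT MountPoints2 key lists any of the device's GUIDs."""
    wanted = {g.lower() for g in volume_guids}
    return sorted(user for user, guids in mountpoints2_by_user.items()
                  if wanted & {g.lower() for g in guids})

def filetime_to_utc(filetime):
    """Key last-write times are FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def first_install_utc(log_lines, instance_path, local_tz):
    """Time of the first setupapi.dev.log 'Device Install' section for the instance.
    The log is in local time, so the value is shifted to UTC with the system's
    zone before being compared with the registry timestamps."""
    target = ("USBSTOR\\" + instance_path).lower()
    in_section = False
    for line in log_lines:
        m = INSTALL_RE.match(line)
        if m:
            in_section = m.group("path").lower() == target
        elif in_section:
            s = START_RE.match(line)
            if s:
                local = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
                return local.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return None

# Constructed sample data (not from a real system). The zone would come from the
# SYSTEM hive's TimeZoneInformation key; UTC-5 is assumed in build_report().
INSTANCE = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530012345678901234&0"
VOL_GUID = "{1b2c3d4e-0000-0000-0000-000000000001}"
DEV_STRING = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530012345678901234&0#"
              "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
MOUNTED_DEVICES = {"\\DosDevices\\E:": DEV_STRING, "\\??\\Volume" + VOL_GUID: DEV_STRING}
MOUNTPOINTS2 = {"alice": [VOL_GUID], "bob": ["{deadbeef-0000-0000-0000-000000000002}"]}
USB_KEY_LAST_WRITE = 130398138000000000   # last write of Enum\USB\VID_xxxx&PID_xxxx\<serial>
SETUPAPI_LOG = [
    ">>>  [Device Install (Hardware initiated) - USBSTOR\\" + INSTANCE + "]",
    ">>>  Section start 2014/03/12 09:15:43.212",
    "<<<  Section end 2014/03/12 09:15:45.890",
    "<<<  [Exit status: SUCCESS]",
]

def build_report(instance=INSTANCE, local_tz=timezone(timedelta(hours=-5))):
    dev = parse_usbstor(instance)
    guids = volume_guids_for(dev["serial"], MOUNTED_DEVICES)
    dev.update(drive_letter=drive_letter_for(dev["serial"], MOUNTED_DEVICES),
               volume_guids=guids, users=users_for(guids, MOUNTPOINTS2),
               last_connected_utc=filetime_to_utc(USB_KEY_LAST_WRITE),
               first_connected_utc=first_install_utc(SETUPAPI_LOG, instance, local_tz))
    return dev

if __name__ == "__main__":
    print(build_report())
```

The serial number is the only join key across all four sources, which is why the generated-serial check comes first: a '&'-style serial will still correlate within one system, but it cannot be carried to another machine. The setupapi conversion is the step most often skipped; with the assumed UTC-5 zone the 09:15 local install lands at 14:15 UTC, five hours later than it would appear if the log line were copied into the timeline as-is.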
USB Device Recovery with Magnet Forensics
Magnet Forensics tools will recover USB history artifacts for Windows XP, Vista, 7, and 8. The amount of information recovered for a USB device will vary depending on the type of device. Here are some details about the USB device artifact columns found in Magnet Forensics tools:
Class: Identifies the type of USB device being connected. DiskDrive is the most common entry for USB Mass Storage Devices. If examiners sort or filter the “Class” column to show only DiskDrive, they can narrow the search results to display only USB Mass Storage Devices.
The Device Class ID, Serial Number, and Friendly Name are used to identify the connected USB device.
Associated User Account: Identifies any user accounts that connected the USB device.
Last Assigned Drive Letter: Identifies the drive letter that was last assigned to the device.
Last Connected: A timestamp pulled from the USB Registry key in the SYSTEM hive that indicates when the USB device was last seen on the system.
First Connected Date/Time: A timestamp pulled from the setupapi log; it is recorded in the system's local time, not UTC, so convert it before comparing it with the registry timestamps.
First Connected Since Reboot: This timestamp matches “First Connected Date/Time” unless the device has been connected again since the last system reboot, in which case it records the first connection after that reboot.
First Install and Install: Timestamps introduced in Windows 7 that indicate when the device driver was first installed and when it was last installed or updated. They do not necessarily represent when the USB device was first connected, since the driver may have been updated automatically by Windows or installed earlier for a similar device.
VSN Hex: If the USB device was mounted as a storage device in Windows, “VSN Hex” shows the volume serial number assigned when the volume was formatted (reformatting the device produces a new one). This value can be compared with the volume serial numbers stored in LNK files and other sources of evidence to correlate files that were potentially accessed from the USB device.
Last Insertion and Last Removal: These timestamps are available on Windows 8 and later only.
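The VSN comparison described under “VSN Hex”, as an added example that is not part of the original artifact profile or of any Magnet Forensics tool. It is written in Python and reads the volume serial number out of a shortcut's LinkInfo/VolumeID structure as laid out in the MS-SHLLINK specification; because no real shortcut is available offline, the .lnk bytes are constructed by a minimal writer included here, and the volume serial, label and path are made-up values.

```python
"""Read the volume serial number (VSN) from a Windows shortcut and compare it
with the VSN Hex recorded for a USB volume. Added example: the .lnk bytes are
generated by a minimal writer so it runs offline; the fields read follow the
MS-SHLLINK ShellLinkHeader, LinkInfo and VolumeID layouts."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def build_lnk(vsn, label, local_path, drive_type=2):
    """Emit a minimal .lnk: 76-byte header plus a LinkInfo holding a VolumeID and
    the local base path. Constructed for the example; real files carry more."""
    label_b = label.encode("ascii") + b"\0"
    path_b = local_path.encode("ascii") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, vsn, 16) + label_b
    path_off = 0x1C + len(volume_id)            # LinkInfo header is 0x1C bytes
    suffix_off = path_off + len(path_b)         # empty CommonPathSuffix follows
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, path_off, 0, suffix_off) + volume_id + path_b + b"\0"
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info

def _cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def _wstring(buf, off):
    end = off
    while buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", "replace")

def parse_lnk_volume(data):
    """Return drive type, VSN, label and local base path, or None when the link
    has no VolumeID (e.g. a network-only target)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList if present
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    vol = off + vol_off
    _vsize, drive_type, vsn, label_off = struct.unpack_from("<IIII", data, vol)
    if label_off == 0x14:                        # Unicode label: offset field follows
        label = _wstring(data, vol + struct.unpack_from("<I", data, vol + 16)[0])
    else:
        label = _cstring(data, vol + label_off)
    return {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)), "vsn": vsn,
            "label": label, "local_base_path": _cstring(data, off + base_off)}

def vsn_hex(vsn):
    """Render a VSN the way dir and LNK tools show it: XXXX-XXXX."""
    return "%04X-%04X" % (vsn >> 16, vsn & 0xFFFF)

def vsn_matches(recorded_hex, vsn):
    """Compare a 'VSN Hex' string ('1234-ABCD', '1234ABCD' or '0x1234abcd')
    with the integer read from the shortcut."""
    return int(recorded_hex.strip().replace("-", ""), 16) == vsn

# Constructed sample: a shortcut to a document opened from the USB volume E:.
SAMPLE_LNK = build_lnk(0x1234ABCD, "CRUZER", "E:\\report.docx")

if __name__ == "__main__":
    info = parse_lnk_volume(SAMPLE_LNK)
    print(info, vsn_hex(info["vsn"]), vsn_matches("1234-ABCD", info["vsn"]))
```

A shortcut whose VolumeID reports drive type REMOVABLE and whose VSN matches the device's VSN Hex places that file on that volume, independent of which drive letter the device happened to receive; a match on drive letter alone is not evidence, since letters are reused.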