USB Forensics: Find the History of Every Connected USB Device on Your Computer
Written by: Faisel Shuib

It's been a while since I've written an article, so I thought I'd write this one. It's short and sweet, and I hope I am able to share some of my knowledge about digital forensics with you all.

Sometimes, we need to know what USB devices were connected to our computer in our absence. This information could be very useful for a forensic examiner or in general cases where we just want to know what USB devices were used.

How This Works 

We all know about the registry on Windows. The registry is a database in Windows that stores settings of the operating system, hardware devices, software programs, and user preference settings.

Whenever we insert a USB drive into a computer, a registry key with the name “USBSTOR” is created. This registry key stores information about that USB device, and whatever information the OS needs to know can be found in this registry key. 

Finding the USB Attachment History

To find the USB history of your device, take the following steps:

STEP 1: Go to Run and type “regedit”. 

STEP 2: In the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR, and there, you will find a registry key with the name “USBSTOR.”

STEP 3: When you click on the USBSTOR key, you get a list of all the USB devices that have been connected to this computer.

We can see that a lot of USB devices have been connected to this machine, but this does not tell us what kinds of devices they are. To find out, follow the next step.

STEP 4: Click on any one device from the list and click on the subkey on the right side. You will find an entry with the name “FriendlyName.” Next to this entry, you can easily see what type of USB device this is.

Getting USB History With a Single PowerShell Command

You can also get all this information by just using a single command. To do this, open PowerShell and type “Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName”. Then press Enter, and you will get the history of all USB devices that have been used on your computer.
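The one-liner returns only the names, so two identical models cannot be told apart. The script below is an added example, not part of the original article: it walks the same USBSTOR key and pairs each FriendlyName with the vendor, product and revision parsed from the device key name and with the instance ID (normally the device serial number). The column names and the UniqueSerial flag are choices made for this example.

```powershell
# Added example: list every USBSTOR device with its vendor, product, revision,
# instance ID and FriendlyName. Read-only; run in PowerShell on Windows.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

if (-not (Test-Path $root)) {
    Write-Output 'No USBSTOR key: no USB storage device has been recorded here.'
    return
}

$devices = foreach ($class in Get-ChildItem -Path $root) {
    # Device key names look like Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
    $fields = @{}
    foreach ($part in $class.PSChildName -split '&') {
        if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }

    # Each subkey is one device instance, normally named after its serial number
    foreach ($instance in Get-ChildItem -Path $class.PSPath) {
        $props = Get-ItemProperty -Path $instance.PSPath
        $id    = $instance.PSChildName
        [pscustomobject]@{
            FriendlyName = $props.FriendlyName   # empty if the value is missing
            Vendor       = $fields['Ven']
            Product      = $fields['Prod']
            Revision     = $fields['Rev']
            InstanceId   = $id
            # '&' as the second character means Windows generated the ID because
            # the device reported no unique serial number
            UniqueSerial = -not ($id.Length -gt 1 -and $id[1] -eq '&')
        }
    }
}

$devices | Sort-Object Vendor, Product | Format-Table -AutoSize
```

To keep the result for a report, replace the last line with `$devices | Export-Csv -Path usbstor.csv -NoTypeInformation` (the file name is only an example).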

So this was just basic information about USB forensics to get the USB connection history on your Windows machine. In my next article, I will dig deeper into USB forensics to extract a lot of information.

Thank you for reading! If you enjoyed the article please share!
