ClaudeWave
Skill | 15.5k repo stars | updated 12d ago

analyzing-usb-device-connection-history

This Claude Code skill extracts and analyzes USB device connection history from Windows registry hives and event logs to establish timelines of removable storage device usage. Use it during incident investigations, insider threat cases, or compliance audits requiring documentation of USB connections, particularly when correlating device access with data exfiltration or file transfer activities on Windows systems.

Install in Claude Code

git clone --depth 1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills /tmp/analyzing-usb-device-connection-history && cp -r /tmp/analyzing-usb-device-connection-history/skills/analyzing-usb-device-connection-history ~/.claude/skills/analyzing-usb-device-connection-history
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Analyzing USB Device Connection History

## When to Use
- When investigating potential data exfiltration via removable storage devices
- During insider threat investigations to track USB device usage
- For compliance audits verifying removable media policy enforcement
- When correlating USB connections with file access and copy events
- For establishing a timeline of device connections during an incident

## Prerequisites
- Forensic image or extracted registry hives and event logs
- Access to SYSTEM, SOFTWARE, and NTUSER.DAT registry hives
- SetupAPI logs (setupapi.dev.log)
- Windows Event Logs (System, Security, DriverFrameworks-UserMode)
- USBDeview, USB Forensic Tracker, or RegRipper
- Understanding of USB device identification (VID, PID, serial number)

## Workflow

### Step 1: Extract USB-Related Artifacts

```bash
# Mount forensic image and copy relevant artifacts
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence

# Working directory for artifacts and one for analysis output (Step 2 writes there)
mkdir -p /cases/case-2024-001/usb/ /cases/case-2024-001/analysis/

# Registry hives
cp /mnt/evidence/Windows/System32/config/SYSTEM /cases/case-2024-001/usb/
cp /mnt/evidence/Windows/System32/config/SOFTWARE /cases/case-2024-001/usb/

# One NTUSER.DAT per profile: rename on copy so the hives do not overwrite each other
# (Step 3 globs for NTUSER*.DAT)
for hive in /mnt/evidence/Users/*/NTUSER.DAT; do
    user=$(basename "$(dirname "$hive")")
    cp "$hive" "/cases/case-2024-001/usb/NTUSER_${user}.DAT"
done

# SetupAPI logs (first connection timestamps)
cp /mnt/evidence/Windows/INF/setupapi.dev.log /cases/case-2024-001/usb/

# Event logs
cp /mnt/evidence/Windows/System32/winevt/Logs/System.evtx /cases/case-2024-001/usb/
cp "/mnt/evidence/Windows/System32/winevt/Logs/Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx" \
   /cases/case-2024-001/usb/ 2>/dev/null
cp "/mnt/evidence/Windows/System32/winevt/Logs/Microsoft-Windows-Partition%4Diagnostic.evtx" \
   /cases/case-2024-001/usb/ 2>/dev/null
```

### Step 2: Parse USBSTOR Registry Key

```bash
# Extract USBSTOR entries from SYSTEM hive
python3 << 'PYEOF'
from Registry import Registry
import json
import os

reg = Registry.Registry("/cases/case-2024-001/usb/SYSTEM")

# Find current ControlSet
select = reg.open("Select")
current = select.value("Current").value()
controlset = f"ControlSet{current:03d}"

# Parse USBSTOR
usbstor_path = f"{controlset}\\Enum\\USBSTOR"
usbstor = reg.open(usbstor_path)

devices = []
print("=== USBSTOR DEVICES ===\n")

for device_class in usbstor.subkeys():
    # Format: Disk&Ven_VENDOR&Prod_PRODUCT&Rev_REVISION
    class_name = device_class.name()
    parts = class_name.split('&')
    vendor = parts[1].replace('Ven_', '') if len(parts) > 1 else 'Unknown'
    product = parts[2].replace('Prod_', '') if len(parts) > 2 else 'Unknown'
    revision = parts[3].replace('Rev_', '') if len(parts) > 3 else 'Unknown'

    for instance in device_class.subkeys():
        # Instance name is the device serial number (or a generated "n&xxxxxxxx&0"
        # ID when the device reports none) followed by "&<interface index>"
        serial = instance.name()
        # Key last-write time is updated by several events, so treat it as an
        # approximation of the last connection, not an exact timestamp
        last_write = instance.timestamp()

        device_info = {
            'vendor': vendor,
            'product': product,
            'revision': revision,
            'serial': serial,
            'last_connected': str(last_write),
        }

        # Get friendly name if available
        try:
            device_info['friendly_name'] = instance.value("FriendlyName").value()
        except Registry.RegistryValueNotFoundException:
            pass

        # Get device parameters
        try:
            params = instance.subkey("Device Parameters")
            device_info['class_guid'] = params.value("ClassGUID").value()
        except (Registry.RegistryKeyNotFoundException,
                Registry.RegistryValueNotFoundException):
            pass

        devices.append(device_info)
        print(f"Device: {vendor} {product}")
        print(f"  Serial: {serial}")
        print(f"  Last Connected (key last write): {last_write}")
        print(f"  Friendly Name: {device_info.get('friendly_name', 'N/A')}")
        print()

# Save results
os.makedirs('/cases/case-2024-001/analysis', exist_ok=True)
with open('/cases/case-2024-001/analysis/usb_devices.json', 'w') as f:
    json.dump(devices, f, indent=2)

print(f"\nTotal USB storage devices found: {len(devices)}")
PYEOF
```
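The key last-write time reported above is only an approximation. On Windows 8 and later each USBSTOR instance key also has a `Properties` subkey whose property set `{83da6326-97a6-4088-9453-a1923f573b29}` stores the first-install (`0064`), last-arrival (`0066`) and last-removal (`0067`) times as FILETIME values. The following is an added example, not part of the skill, that decodes those; it assumes python-registry returns each property subkey's default value either as the raw 8-byte FILETIME or as an already parsed datetime.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property set and property IDs under <USBSTOR instance>\Properties (Windows 8+)
DEVICE_PROPS = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROPERTY_IDS = {"0064": "first_install", "0066": "last_arrival", "0067": "last_removal"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw):
    """Convert an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def connection_times(raw_props):
    """Map {property_id: data} to {label: datetime}. data may be raw FILETIME bytes
    or a datetime the registry library already parsed; unknown IDs are ignored and
    an all-zero FILETIME (property present but never set) is reported as None."""
    out = {}
    for prop_id, label in PROPERTY_IDS.items():
        data = raw_props.get(prop_id)
        if data is None:
            continue
        if isinstance(data, datetime):
            out[label] = data if data.tzinfo else data.replace(tzinfo=timezone.utc)
        elif data == b"\x00" * 8:
            out[label] = None
        else:
            out[label] = filetime_to_utc(data)
    return out

def read_connection_times(instance_key):
    """Read the property values from a python-registry USBSTOR instance key (each
    `instance` in the Step 2 loop). Missing keys/values are skipped; python-registry
    raises RegistryKeyNotFoundException / RegistryValueNotFoundException for those."""
    raw_props = {}
    try:
        props = instance_key.subkey("Properties").subkey(DEVICE_PROPS)
    except Exception:       # property set absent (pre-Windows 8 hive)
        return {}
    for prop_id in PROPERTY_IDS:
        try:
            raw_props[prop_id] = props.subkey(prop_id).value("(default)").value()
        except Exception:   # this property was never written for the device
            continue
    return connection_times(raw_props)
```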

### Step 3: Extract Drive Letter Assignments and User Associations

```bash
# Parse MountedDevices from SYSTEM hive
python3 << 'PYEOF'
from Registry import Registry
import struct
import uuid

reg = Registry.Registry("/cases/case-2024-001/usb/SYSTEM")

mounted = reg.open("MountedDevices")

print("=== MOUNTED DEVICES (Drive Letter Assignments) ===\n")
for value in mounted.values():
    name = value.name()
    data = value.value()

    if not name.startswith("\\DosDevices\\"):
        continue
    drive_letter = name.replace("\\DosDevices\\", "")

    if len(data) == 12:
        # MBR fixed disk: 4-byte disk signature + 8-byte partition offset
        disk_sig, offset = struct.unpack('<IQ', data)
        print(f"  {drive_letter} -> Disk Signature: 0x{disk_sig:08X}, Offset: {offset}")
    elif len(data) == 24 and data.startswith(b'DMIO:ID:'):
        # GPT volume: 'DMIO:ID:' prefix + 16-byte partition GUID
        print(f"  {drive_letter} -> GPT Partition GUID: {uuid.UUID(bytes_le=data[8:])}")
    elif len(data) % 2 == 0:
        # Removable / other device: UTF-16-LE device interface path
        device_path = data.decode('utf-16-le', errors='replace').strip('\x00')
        if 'USBSTOR' in device_path or 'USB#' in device_path:
            print(f"  {drive_letter} -> {device_path}")
PYEOF

# Parse user MountPoints2 (which user accessed which devices)
python3 << 'PYEOF'
from Registry import Registry
import os, glob

print("\n=== USER MOUNT POINTS (MountPoints2) ===\n")

for ntuser in glob.glob("/cases/case-2024-001/usb/NTUSER*.DAT"):
    try:
        reg = Registry.Registry(ntuser)
        mp2 = reg.open("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2")

        print(f"User hive: {os.path.basename(ntuser)}")
        for key in mp2.subkeys():
            guid = key.name()
            last_write = key.timestamp()
            if '{' in guid:
                print(f"  Volume: {guid} | Last accessed: {last_write}")
        print()
    except Exception as e:
        print(f"  Error parsing {ntuser}: {e}")
PYEOF
```
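Joining the two outputs of this step is what attributes a device to a user: the same UTF-16-LE device path appears under both `\DosDevices\<letter>` and `\??\Volume{GUID}` in MountedDevices, and that GUID is the subkey name under each user's MountPoints2. The following added example (not part of the skill) performs that join on constructed sample data shaped like the raw values the scripts above read; it keys on the USBSTOR instance name, so results match the `serial` field from Step 2.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from a real case), shaped like MountedDevices value
# data: the USB path appears under the drive letter and under the volume GUID.
USB_PATH = ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
            "#4C530001234567891234&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{9a1b2c3d-0000-1111-2222-333344445555}": USB_PATH.encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("78563412") + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\D:": b"DMIO:ID:" + bytes(16),
}
# Constructed MountPoints2 data: subkey name -> key last-write time, per copied hive
MOUNTPOINTS2 = {
    "NTUSER_jdoe.DAT": {"{9A1B2C3D-0000-1111-2222-333344445555}":
                        datetime(2024, 3, 14, 9, 12, 5, tzinfo=timezone.utc)},
    "NTUSER_admin.DAT": {"{00000000-aaaa-bbbb-cccc-000000000001}":
                         datetime(2024, 1, 2, 8, 0, 0, tzinfo=timezone.utc)},
}
USBSTOR_RE = re.compile(r"USBSTOR#(?P<model>[^#]+)#(?P<instance>[^#]+)#")

def decode_device_path(data):
    """UTF-16-LE device interface path for removable devices; None for MBR
    signature+offset (12 bytes) and GPT 'DMIO:ID:'+GUID (24 bytes) entries."""
    if len(data) <= 24 or len(data) % 2 or data.startswith(b"DMIO:ID:"):
        return None
    return data.decode("utf-16-le", errors="replace").rstrip("\x00")

def correlate_usb_volumes(mounted, mountpoints2):
    """Return {usbstor_instance: {model, drive_letters, volume_guids, users}}; users
    holds (hive, volume_guid, last_write_iso) for every MountPoints2 hit."""
    devices = {}
    for name, data in mounted.items():
        match = USBSTOR_RE.search(decode_device_path(data) or "")
        if not match:
            continue
        rec = devices.setdefault(match.group("instance"), {
            "model": match.group("model"), "drive_letters": [], "volume_guids": [], "users": []})
        if name.startswith("\\DosDevices\\"):
            rec["drive_letters"].append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            rec["volume_guids"].append(name[len("\\??\\Volume"):].lower())
    for rec in devices.values():
        for hive, volumes in mountpoints2.items():
            for guid, last_write in volumes.items():   # GUID case differs between hives
                if guid.lower() in rec["volume_guids"]:
                    rec["users"].append((hive, guid.lower(), last_write.isoformat()))
    return devices
```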

### Step 4: Extract First Connection Timestamps from SetupAPI

```bash
# Parse setupapi.dev.log for USB device first-install timestamps
python3 << 'PYEOF'
import re

print("=== SETUPAPI US