Hello,
Does anyone know how to detect the removal/addition of a USB device on Windows XP/2000/2003? For Linux this information is logged. MacOS does the same. Does Windows?
The issue at hand is: has a USB device found ever been attached to a machine?
Thank you,
Edward
I think the information you are looking for is added to the setupapi.log as the USB drive is first installed to the machine.
Hello,
If the device was set up 6 years ago, how can I tell when they last USED the device? Since most of this is time sensitive, I would like to know when the device was plugged in and removed. Where is setupapi.log? I have a host of USB devices on my system and a search displayed no results.
Thank you.
Edward
Hi Texiwill
I think the setupapi.log file only shows the record of the USB stick being installed, so you should be able to see if it has been used on the machine and when it was first used.
I would also be interested in whether there are records of a USB drive being disconnected then reconnected stored somewhere on the machine.
If you want to view yours, try looking in C:\WINDOWS\setupapi.log; it's probably a hidden file, so you will need to make sure your folder displays all files.
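Added example, not part of the thread or any poster's code: a minimal parser that pulls USB mass-storage device instance IDs out of a setupapi.log copied from a machine or image and pairs each with the timestamp of the section it first appears in. It assumes the XP-style section header `[YYYY/MM/DD HH:MM:SS pid.n Driver Install]`; the function name and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed XP-era section header, e.g. [2006/03/14 09:21:07 1140.8 Driver Install]
HEADER = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+\.\d+[^\]]*\]')
# Quoted device instance ID of a USB mass-storage device:
# USBSTOR\<type&vendor&product&revision>\<instance or serial>
USBSTOR = re.compile(r'"(USBSTOR\\[^"\\]+\\[^"]+)"', re.IGNORECASE)

def usb_first_installs(log_text):
    """Return {device_instance_id: earliest section timestamp} for USBSTOR devices."""
    first_seen = {}
    current = None  # timestamp of the section being read
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        if current is None:
            continue  # text before the first section header carries no timestamp
        for dev in USBSTOR.findall(line):
            key = dev.upper()
            if key not in first_seen or current < first_seen[key]:
                first_seen[key] = current
    return first_seen

# Constructed sample input: one USB storage device and one non-storage USB device.
SAMPLE_LOG = r'''
[2006/03/14 09:21:07 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskexample_flash_drive_____1.00,usbstor\gendisk
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH_DRIVE&REV_1.00\0123456789ABCDEF&0" finished successfully.
[2006/03/15 17:02:44 1140.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0000&pid_0000
#I121 Device install of "USB\VID_0000&PID_0000\5&1234ABCD&0&2" finished successfully.
'''

if __name__ == "__main__":
    found = usb_first_installs(SAMPLE_LOG)
    for dev, ts in sorted(found.items(), key=lambda kv: kv[1]):
        print(ts.isoformat(sep=" "), dev)
```

The timestamp is that of the driver installation section, so it dates the first installation of the device, not later connections or removals.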
Hello,
I found setupapi.log…. It has no useful date information within it so for setting a timeline it is not very useful. But it does say the device was connected or a driver was installed for it.
Not necessarily useful, easy to state the driver was installed but no device was connected.
-Edward Haletky
Are you working off an image or the actual machine?
If you can boot the image (LiveView) and run USBDeview from Nirsoft (http//
Hello,
Does anyone know how to detect the removal/addition of a USB device on Windows XP/2000/2003? For Linux this information is logged. MacOS does the same. Does Windows?
The issue at hand is: has a USB device found ever been attached to a machine?
Thank you,
Edward
The answer is yes, and the information would be stored in the registry. That information could include the make and model of the USB drive and perhaps some sorta ID number.
Skip
Hello,
Thank you for the pointer for USBDeview. But what about off an image where you cannot boot it?
Someone mentioned the registry; however, where would I find it in the registry if I do not know the device? That was the first place I looked.
Thank you,
Edward
Hello,
I just tried USBDeview and it definitely did not show the last time my Palm was connected/disconnected from the system. It is definitely a useful tool to keep in the toolbox.
Any other ideas? If I do not know the device and want to know say if a usbdrive was used and taken away, it could be invaluable as a way to tie a machine to possibly more evidence.
This information could also be useful for prevention, to determine if something was potentially 'taken' from the system as well.
Best regards,
Edward
Check Harlan Carvey's blog. I am pretty sure he has Perl scripts which parse this info. He presented on this topic at GMU2006.