Question on USB drive
I am trying to track the first time a USB Drive driver was installed on a Windows 7 computer. I located the Container ID and Class GUID for the USB drive, but there was no serial number linked to it in the Enum/USBSTOR registry file. I also located the hardware ID in the Enum/USB registry file. I then tried to locate the driver installation in setupAPI.DEV.log in the Root/Windows/INF folder to view it, but it was not there. The only setupapi files that were in the folder were setupapi.ev1, setupapi.ev2, setupapi.ev3 and setupAPI.offline.log.
Is it still possible to track driver installation without the serial number?
Does this mean that there is not a setupAPI.Dev.log file?
Also, is there another way to locate the time and date of the USB driver installation?
Did you check the DriverFramework-UserMode/Operational.evtx Windows Event Log file?
Did you create a timeline using just the contents of the above .evtx file, the Software, System, and NTUSER.DAT hives?
That poster is really great, thanks Deltron!