Hi there, basically I'm in the first year of a Forensic Computing degree and we have just scratched the surface on finding out when a USB device has been installed on a computer, when it was used again, etc.
My question to you all, if you would be so kind, is: as a forensic investigator, what information exactly are you after? As I'm looking for answers in the registry files, I figured it would be better to first find the question. Looking at USBDeview, it seems that they find: Device name, Description, Type, Drive letter, Serial Number, Created Date, Last plug/unplug date, Vendor/Product ID, USB class/protocol/subclass and Hub/Port. Am I missing anything that I should be looking for?
Thanks in advance.
Here are a couple of papers:
http//
http//
Description: List of installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physically possesses to a box.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
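An added example, not part of the original posts: a Python sketch that reads a text export of the two keys listed above and pulls out vendor, product, revision, serial and Vendor/Product ID for each storage device. The sample export, the function name `parse_usb_export` and all device values are constructed; the subkey layouts (`Disk&Ven_…&Prod_…&Rev_…`, `VID_xxxx&PID_xxxx`, and an `&` as second character marking an instance ID generated by Windows) are the usual Windows naming conventions, assumed here rather than taken from the thread.

```python
import re

# Constructed sample in `reg export` text form; every name and serial is made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_ABCD\AA0102030405]
"Service"="USBSTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00\AA0102030405&0]
"FriendlyName"="ExampleCo Flash Drive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_8.07\6&2a1b3c4d&0]
"FriendlyName"="Generic Storage USB Device"
"""

# Enum\<USB|USBSTOR>\<device id>\<instance id>; deeper subkeys are ignored.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Enum\\(USBSTOR|USB)"
                    r"\\([^\\\]]+)\\([^\\\]]+)\]$", re.I)
STOR_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)"
                     r"&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$", re.I)
USB_RE = re.compile(r"^VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})", re.I)

def parse_usb_export(text):
    """Return one dict per USBSTOR device instance, joined to Enum\\USB by serial."""
    usb_ids, devices, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if line.startswith("["):
            current = None                      # any new key ends the previous one
        if key:
            branch, device_id, instance = key.groups()
            usb, stor = USB_RE.match(device_id), STOR_RE.match(device_id)
            if branch.upper() == "USB" and usb:
                usb_ids[instance.upper()] = (usb["vid"].upper(), usb["pid"].upper())
            elif branch.upper() == "USBSTOR" and stor:
                current = dict(stor.groupdict(), friendly_name=None,
                               serial=instance.rsplit("&", 1)[0],   # drop "&0" suffix
                               # "&" as 2nd character: ID generated by Windows,
                               # the device reported no unique serial number.
                               unique_serial=instance[1:2] != "&")
                devices.append(current)
        elif current and line.startswith('"FriendlyName"='):
            current["friendly_name"] = line.split("=", 1)[1].strip('"')
    for dev in devices:
        dev["vid"], dev["pid"] = usb_ids.get(dev["serial"].upper(), (None, None))
    return devices

if __name__ == "__main__":
    for dev in parse_usb_export(SAMPLE_REG):
        print(dev)
```

A `.reg` text export does not carry key last-write times, so dating when a device was installed or last connected needs the SYSTEM hive itself rather than this kind of export.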
Thank you for the information, it helped clear some things up, and the pinpointlabs was very handy to get a clear picture of some of the steps. Thank you :)
Here is an article I wrote up that steps you through USB Device Analysis.
It is found here http//
Best,
Rob