Forums
Main Category
General (Technical,...
usb history -> e...
 
Notifications
Clear all

usb history -> excel sheet

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Cults14 12 years ago
3 Posts
3 Users
0 Reactions
1,195 Views
RSS
 CF_Sweden
(@cf_sweden)
New Member
Joined: 13 years ago
Posts: 2
Topic starter 25/05/2014 4:15 pm   [#11809]

Hello,

i've been looking for A tool that can gather a history OF when a cerain USB device wad connected To a Windows system. All the tools i tried so far only gathers the first time and the most recent time that the device wad connected. If i understand things right, windows (windows 7) keeps records for each time when a device was plugged in. I'm expecting to produce a excel file containing all the times that a certain device was connected.

hope I explained things clearly. Thanks in advance!

/Daniel



   
Quote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
25/05/2014 5:46 pm  

Hello,

i've been looking for A tool that can gather a history OF when a cerain USB device wad connected To a Windows system. All the tools i tried so far only gathers the first time and the most recent time that the device wad connected. If i understand things right, windows (windows 7) keeps records for each time when a device was plugged in. I'm expecting to produce a excel file containing all the times that a certain device was connected.

hope I explained things clearly. Thanks in advance!

/Daniel

And WHICH tools did you try?

The "usual" ones are
http//sourceforge.net/projects/usbhistory/
http//www.softpedia.com/get/Windows-Widgets/System-Utilities/USB-History-GUI.shtml
http//www.nirsoft.net/utils/usb_devices_view.html
http//www.intelliadmin.com/?p=4030
https://www.tzworks.net/prototype_page.php?proto_id=13

See also
http//www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Extracting-USB-Artifacts-from-Windows-7.html

Maybe what you are looking for is a "simple" parser for Setupapi.dev.log, like this Encase script?
http//www.forensickb.com/2013/03/enscript-to-parse-setupapidevlog.html
Or a tool like
http//www.dmares.com/maresware/html/setupapi_format.htm
Or use Mandiant Highlighter?
https://www.mandiant.com/resources/download/highlighter

jaclaz



   
ReplyQuote
 Cults14
(@cults14)
Reputable Member
Joined: 18 years ago
Posts: 367
29/05/2014 8:47 pm  

Specifically what types of devices? And what version of Windows?

If it's non-HDDs in Win7 you might find the "Microsoft-Windows-DriverFrameworks-UserMode%4Operational" evtx file in \Windows\System32\winevt\Logs useful

Unlikely to provide a full history on a well-used system as logs are likely to get over-written assuming they're enabled; think the default is 1,028KB before over-writing. For example on my laptop the log only back to 1st May. On a system I've just examined the log goes from 19th Feb to 7th March (all 2014)

Depends what you're trying to prove, but along with JumpLists and LNKs (and more?) may help to identify and corroborate file access at a point in time on a specific device

Right-clicking on the log and selecting "Save all events as……." allows you to output to CSV and from it's a short hop to Excel and the wonderful world of filtering if you know the device details.

We're a Win7 shop so can't tell you about Win8, and there's no equivalent AFAIK in XP

HTH



   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: