Hi, this is my first time posting on here. I have a general question about reading/decoding the USB insertion date that I found for a device.
How do I decode the Unique Instance ID for a USB device to find out the date the device was installed?
You don't decode it. You may find it in clear text in the event log (depending on the OS in question). There should also be a timestamp associated with its original insertion in USBSTOR although there are events that can update this date stamp.
Beforehand however, you should acquire a good level of understanding. May I suggest Windows Forensic Analysis by Harlan Carvey as a starting point….? Or I recall Rob Lee from SANS has published some relevant information.
Thank you for the info Fab4, I appreciate it.
Also, review the contents of the often overlooked but sometimes quite telling "setupapi.log" file. There may be useful information regarding USB attached devices therein.
Cheers!
farmerdude
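As an added illustration of the setupapi.log suggestion above (not code from any poster in this thread): a short Python parser that pulls the earliest logged install time for each USBSTOR device instance ID. It assumes the Windows XP-style setupapi.log layout, where a bracketed section header carries a local-time timestamp and an `#I121` line names the installed device; the sample log and its serial values are constructed.

```python
import re

from datetime import datetime

# Constructed sample in the Windows XP setupapi.log layout (assumed format, not real evidence).
SAMPLE_LOG = r'''[2009/03/17 14:52:11 1144.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskexample_flash_drive_0.3_
#-166 Device install function: DIF_INSTALLDEVICE.
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_0.3\EXAMPLE0001&0" finished successfully.
[2009/03/18 09:05:40 1144.7 Driver Install]
#I121 Device install of "USB\VID_1234&PID_5678\5&EXAMPLE&0&1" finished successfully.
[2009/04/02 16:30:02 980.12 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_0.3\EXAMPLE0001&0" finished successfully.
[2009/04/05 11:12:13 1020.2 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_SAMPLE&PROD_STICK&REV_1.00\EXAMPLE0002&0" finished successfully.
'''

# Section header: "[YYYY/MM/DD HH:MM:SS pid.seq description]" (timestamp is local time).
SECTION_RE = re.compile(r'\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ')
# Completed install line naming a USB mass-storage device instance.
INSTALL_RE = re.compile(r'Device install of "(USBSTOR\\[^"]+)" finished successfully', re.I)


def first_usbstor_installs(log_text):
    """Map each USBSTOR device instance ID to its earliest logged install time."""
    current = None          # timestamp of the section being read
    first_seen = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        install = INSTALL_RE.search(line)
        if install and current is not None:
            instance = install.group(1).upper()
            # Keep the earliest time; later sections are re-installs, not first use.
            if instance not in first_seen or current < first_seen[instance]:
                first_seen[instance] = current
    return first_seen


if __name__ == "__main__":
    for instance, when in sorted(first_usbstor_installs(SAMPLE_LOG).items()):
        unique_id = instance.rsplit("\\", 1)[-1]   # last path component of the instance ID
        print(f"{when.isoformat()}  {unique_id}  {instance}")
```

The date comes from the section header, not from the instance ID itself, and should be cross-checked against the USBSTOR registry timestamp mentioned earlier in the thread.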
I also like and use quite often NirSoft's USBDeview
http//
While it certainly takes some deeper understanding as to how it parses and generates its results, and will not always give you results (i.e. verify with other tools as you would be doing with anything else), it is a good way to get some results in a point-and-click manner in Windows.