Analyzing USB Device Connection History

Analyzing USB Device Connection History

What Is This

The "Analyzing USB Device Connection History" skill is a focused digital forensics capability that enables analysts to reconstruct the history of USB device usage on Windows systems. This skill involves systematically extracting and interpreting data from several system sources, primarily the Windows registry, event logs, and setupapi logs. By leveraging these artifacts, investigators can determine when, where, and which USB devices were connected, potentially tracking removable media usage related to data exfiltration or policy violations.

This skill is critical in digital forensics and incident response workflows, particularly when there is suspicion of unauthorized data transfer via removable storage, or when compliance requires auditing device usage.

Why Use It

USB devices are a common vector for both intentional and inadvertent data movement. They can be used to exfiltrate sensitive information, introduce malware, or bypass network controls. Organizations must be able to detect, track, and report the use of removable media for the following reasons:

• Incident Response: Swiftly identify if a USB device was used in a security incident, such as data theft or malware introduction.
• Forensic Investigation: Establish a timeline of device connections to determine user activity and potential data movement.
• Policy Enforcement: Verify adherence to removable media policies for compliance and audit requirements.
• Threat Hunting: Correlate USB device usage with other system or network events to uncover insider threats or unauthorized activities.

This skill provides a structured methodology for extracting and analyzing USB connection artifacts, helping investigators answer critical questions about device usage on Windows endpoints.

How to Use It

The workflow for analyzing USB device connection history is as follows:

Step 1:

Extract USB-Related Artifacts

Begin by acquiring the necessary artifacts from the target system. This typically involves mounting a forensic disk image and copying system files relevant to USB history.

## Example:

Mount a forensic image and extract registry hives and setupapi logs
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence

mkdir -p /cases/case-2024-001/artifacts
cp /mnt/evidence/Windows/System32/config/SYSTEM /cases/case-2024-001/artifacts/
cp /mnt/evidence/Windows/System32/config/SOFTWARE /cases/case-2024-001/artifacts/
cp /mnt/evidence/Users/<username>/NTUSER.DAT /cases/case-2024-001/artifacts/
cp /mnt/evidence/Windows/inf/setupapi.dev.log /cases/case-2024-001/artifacts/
cp /mnt/evidence/Windows/System32/winevt/Logs/* /cases/case-2024-001/artifacts/

Step 2:

Analyze the Windows Registry

The registry contains detailed information about connected USB devices. Tools like RegRipper, USBDeview, or USB Forensic Tracker can automate extraction and reporting.

• SYSTEM hive: Provides information on device installation and the USBSTOR key reveals device identifiers (VID, PID, serial).
• SOFTWARE hive: May contain additional device class information.
• NTUSER.DAT: Shows user-specific device access.

Example extraction with RegRipper:

rip.pl -r /cases/case-2024-001/artifacts/SYSTEM -p usbstore

Step 3:

Parse SetupAPI Logs

The setupapi.dev.log file records plug-and-play device installation events with timestamps, device IDs, and user context. This log is invaluable for building a timeline.

Example (searching for USB storage installs):

grep -i 'USBSTOR' /cases/case-2024-001/artifacts/setupapi.dev.log

Step 4:

Review Windows Event Logs

Relevant Windows event logs include:

• System Log: Device connect/disconnect events (Event ID 2003, 2100, 2102, etc.).
• Security Log: Audits of object access if configured (Event ID 4663).
• DriverFrameworks-UserMode Log: Provides additional device lifecycle events.

Extract and parse these logs with tools such as evtx_dump.py or Event Log Explorer.

Example (exporting event logs for offline analysis):

evtx_dump.py /cases/case-2024-001/artifacts/System.evtx > system_events.txt

Step 5:

Correlate and Report

Cross-reference device identifiers (VID, PID, serial) across all sources. Build a timeline of device connections, noting user accounts, connection times, and device details. This can be done manually or with specialized forensic tools.

When to Use It

This skill should be applied in the following scenarios:

• Data Exfiltration Investigations: When there is suspicion that files may have been illicitly transferred via USB devices.
• Insider Threat Monitoring: To determine if a user has connected unauthorized devices to a sensitive workstation.
• Compliance Audits: To verify enforcement of removable media policies and identify policy violations.
• Incident Timeline Reconstruction: To correlate USB device usage with file access, modification, or deletion events during a breach investigation.
• Legal Discovery: When demonstrating chain-of-custody or the presence/absence of specific devices in legal or regulatory proceedings.

Important Notes

• Data Integrity: Always work from forensic images or copies of system artifacts to preserve original evidence.
• Tool Validation: Use well-known, up-to-date forensic tools. Validate findings with multiple sources where possible.
• Time Synchronization: Be mindful of time zone settings and clock skew when building timelines.
• Limitations: Some artifacts can be deleted or overwritten by system cleaning utilities or advanced adversaries. Not all device connections may be recoverable, especially after significant time or system reinstallation.
• Legal Considerations: Ensure you have proper authorization before acquiring and analyzing evidence, especially in live environments.

By following this workflow, analysts can reliably reconstruct USB usage history, support investigations, and strengthen organizational controls against data loss via removable media.