INF Setup
Overview
Evidence: INF Setup
Description: Collect INF Setup Log Files
Category: System
Platform: windows
Short Name: infl
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows maintains setupapi log files that record detailed information about device driver installations, including PnP device installations, driver package installations, and device configuration changes.
These logs can provide evidence of hardware changes, driver installations, and USB device connections that may not be captured elsewhere.
Data Collected
This collector gathers structured data about INF setup.
INF Setup Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | INF Setup Logs |
| Type | File | File |
| SourcePath | Original file path | C:\Windows\INF\setupapi.dev.log |
| Path | Relative path in evidence | Other/setupapi.dev.log |
Collection Method
This collector collects INF setup log files from:
- Windows\INF\setupapi*.log
- Windows\setupapi*.log (legacy location)
Forensic Value
INF setup logs provide detailed device installation history. Investigators use this data to track USB device installations, identify driver installation timelines, detect hardware changes, investigate PnP device activity, and correlate with USB history artifacts.
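Because the collected file is not parsed, an analyst has to extract the install timeline from it. The following is an added example, not part of the collector or its vendor's code: a minimal parser for the section layout of setupapi.dev.log that lists USB and USBSTOR install sections in time order. The sample log text is constructed, and the function names `parse_sections` and `usb_installs` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log section layout (not real evidence).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5583\4C530001234567890123]
>>>  Section start 2023/05/14 09:21:33.456
     dvi: {Build Driver List} 09:21:33.470
<<<  Section end 2023/05/14 09:21:35.789
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2023/05/14 09:21:36.001
<<<  Section end 2023/05/14 09:21:36.950
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_15BB\3&11583659&0&FE]
>>>  Section start 2023/05/15 08:02:10.120
<<<  Section end 2023/05/15 08:02:11.004
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\60A44C413A4F]
>>>  Section start 2023/05/16 17:45:02.310
"""

HEADER = re.compile(r"^>>>\s+\[(?P<op>.+?)(?: - (?P<target>.+))?\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")

def parse_sections(text):
    """Return one dict per log section; status stays None if the section was cut off."""
    sections, current = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            if current:                      # previous section never reached its exit status
                sections.append(current)
            current = {"operation": m["op"], "target": m["target"], "start": None, "status": None}
        elif current and (m := START.match(line)):
            # Timestamps are the source system's local time; the log carries no zone.
            current["start"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        elif current and (m := STATUS.match(line)):
            current["status"] = m["status"]
            sections.append(current)
            current = None
    if current:
        sections.append(current)
    return sections

def usb_installs(sections):
    """Keep sections whose device instance ID is on the USB or USBSTOR bus, oldest first."""
    hits = [s for s in sections if (s["target"] or "").upper().startswith(("USB\\", "USBSTOR\\"))]
    return sorted(hits, key=lambda s: s["start"] or datetime.min)

if __name__ == "__main__":
    for s in usb_installs(parse_sections(SAMPLE_LOG)):
        print(s["start"], s["status"] or "INCOMPLETE", s["target"])
```

The last component of each USB target is the device instance ID, which is the value to match against other USB history artifacts.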