USB Storage History
Overview
Evidence: USB Storage History
Description: Collect USB Storage History
Category: DiskFilesystem
Platform: windows
Short Name: usbmsc
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows tracks all USB mass storage devices that connect to the system in the registry. This includes USB flash drives, external hard drives, and MTP devices. The registry maintains connection timestamps, device identifiers, and device descriptions.
This information persists even after the device is removed, providing historical evidence of USB device usage that can indicate data exfiltration or unauthorized device connections.
Data Collected
This collector gathers structured data about USB storage history.
USB Storage History Data
| Field | Description | Example |
|---|---|---|
| FriendlyName | Device friendly name | SanDisk Ultra USB Device |
| DeviceDesc | Device description | USB Mass Storage Device |
| Serial | Device serial number | 123456789ABCDEF |
| VendorID | USB vendor ID | 0781 |
| ProductID | USB product ID | 5581 |
| Install | Installation timestamp | 2023-10-01T14:00:00 |
| FirstInstall | First installation timestamp | 2023-09-15T10:00:00 |
| LastArrival | Last connection timestamp | 2023-10-15T09:00:00 |
| LastRemoval | Last disconnection timestamp | 2023-10-15T17:00:00 |
| RegistryTime1 | First registry modification time | 2023-09-15T10:00:00 |
| RegistryTime2 | Second registry modification time | 2023-10-15T17:00:00 |
Collection Method
This collector parses the offline SYSTEM registry hive to extract USB device information from:

- `ControlSet*\Enum\USB\*\*` - USB device entries
- `ControlSet*\Enum\USBSTOR\*\*` - USB storage device entries
- `ControlSet*\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}` - Device class timestamps
The collector correlates information across multiple registry keys to build complete device profiles with accurate timestamps.
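The correlation described above, as an added example that is not the collector's own code: it models the SYSTEM hive as a flat dict of key paths to values (a constructed sample, not real evidence), joins each `Enum\USBSTOR` instance to the `Enum\USB` instance with the same serial to recover VID/PID, and decodes the Install, FirstInstall, LastArrival and LastRemoval FILETIMEs from the instance's PnP property set `{83da6326-97a6-4088-9453-a1923f573b29}` (codes 0064 to 0067, which the page does not list). Reading a real hive file and the DeviceClasses key timestamps are left out.

```python
import re
from datetime import datetime, timedelta, timezone

# PnP property set holding per-instance FILETIMEs: 0064 Install, 0065 FirstInstall, 0066 LastArrival, 0067 LastRemoval
PROP_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
TIME_PROPS = {"0064": "Install", "0065": "FirstInstall", "0066": "LastArrival", "0067": "LastRemoval"}
USBSTOR_RE = re.compile(r"Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)")
USB_RE = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(raw: bytes) -> str:
    # 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO-8601 string
    ticks = int.from_bytes(raw, "little")
    return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%S")
def iso_to_filetime(iso: str) -> bytes:
    # Inverse of filetime_to_iso; only used to build the constructed sample hive below.
    dt = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    return (((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10).to_bytes(8, "little")

def build_profiles(hive: dict) -> list:
    # hive = {key path: {value name: data}}, a flat model of an offline SYSTEM hive. One profile per
    # Enum\USBSTOR instance; VID/PID from the Enum\USB instance with the same serial, times from Properties.
    by_serial = {}
    for path in hive:
        p = path.split("\\")
        if len(p) == 5 and p[2] == "USB" and (m := USB_RE.match(p[3])):
            by_serial[p[4]] = (m["vid"].upper(), m["pid"].upper())
    profiles = []
    for path, values in hive.items():
        p = path.split("\\")
        if len(p) != 5 or p[2] != "USBSTOR" or not (m := USBSTOR_RE.match(p[3])):
            continue
        serial = p[4].rsplit("&", 1)[0]  # USBSTOR instance id = USB serial + "&<n>"
        vid, pid = by_serial.get(serial, (None, None))
        props = hive.get(f"{path}\\Properties\\{PROP_GUID}", {})
        prof = {"Vendor": m["ven"], "Product": m["prod"], "Serial": serial, "VendorID": vid, "ProductID": pid,
                "FriendlyName": values.get("FriendlyName"), "DeviceDesc": values.get("DeviceDesc")}
        for code, name in TIME_PROPS.items():  # absent property (e.g. device never removed) -> None
            prof[name] = filetime_to_iso(props[code]) if code in props else None
        profiles.append(prof)
    return profiles

# Constructed sample hive (not real evidence): one SanDisk Ultra with no LastRemoval recorded yet.
_STOR = "ControlSet001\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\\4C530001230120117183&0"
SAMPLE_HIVE = {
    "ControlSet001\\Enum\\USB\\VID_0781&PID_5581\\4C530001230120117183": {},
    _STOR: {"FriendlyName": "SanDisk Ultra USB Device", "DeviceDesc": "USB Mass Storage Device"},
    f"{_STOR}\\Properties\\{PROP_GUID}": {"0064": iso_to_filetime("2023-10-01T14:00:00"),
        "0065": iso_to_filetime("2023-09-15T10:00:00"), "0066": iso_to_filetime("2023-10-15T09:00:00")},
}
```

Calling `build_profiles(SAMPLE_HIVE)` yields one profile with VendorID 0781, ProductID 5581 and LastRemoval None; an instance whose serial has no `Enum\USB` counterpart (some devices report none) keeps VendorID/ProductID as None rather than failing.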
Forensic Value
USB device history is critical for data exfiltration investigations and insider threat detection. Investigators use this data to identify unauthorized USB devices, establish device connection timelines, detect data theft via USB drives, track specific devices across multiple systems, correlate device usage with user activity, and identify devices used for malware delivery.