
Devices Attached

Created: 11.07.2023

*Are we looking for USB storage media activity or all USB devices? Like cameras 📸? Headphones 🎧? As for the timestamps, you’ll usually have first connected (setupapi log) and last connected. There are also OS-specific timestamps, like first or last install, first connect since reboot, etc. Windows USB artifacts, macOS. See Event Manager’s event IDs 20001 and 20002 for USB events, for verification or to tell whether the registry was updated. Look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\ and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters. More.*

Windows

Registry

⚠️ On Windows, USB timestamps in the registry get rewritten when a Windows update is installed, so they may no longer reflect the real connection time. Use the event logs in these cases.

🔑 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\
🔑 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters
🔑 SYSTEM\CurrentControlSet\Enum\USBSTOR
🔑 SYSTEM\CurrentControlSet\Enum\USB
🔑 System\ControlSet001\Enum\USBSTOR or ControlSet001\Enum\USB (on my Win10 VM)

🔑 System\MountedDevices - used to map devices to drive letters (not only USBs).

Key 🔑: Software\Microsoft\Windows Portable Devices\Devices. Lists USB and other devices that were connected. The sub-key name contains the device’s serial number, name and disk ID (between {}), which is assigned by the OS. This disk ID can be used to track the device across the system, for example in other registry values. Keep in mind that not every USB device has a serial number. Dates and times: when the device was first inserted after the last reboot. FriendlyName: the user-created name of the volume.

Key 🔑: Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt. This key belongs to ReadyBoost, the feature that checks whether a USB device can be used to extend memory. Timestamps: when the device was first inserted. Some entry names end with a decimal number; this is the volume ID in decimal. Convert it to hex and you get the GUID that can be used to correlate the entry with USBSTOR in the SYSTEM hive (see below) and trace the device across the system.

Key 🔑: Software\Microsoft\Windows NT\CurrentVersion\Print\Printers for printers connected. This subkey may also contain some SIDs. I don’t quite understand yet when this happens in general, but one case is when OneNote is used to share documents.

⚠️ Use the information about USB devices from the SYSTEM hive to enrich and validate this information.

Key 🔑: NTUSER\MountPoints2.

If you link volumes from the system-wide 🔑 MountedDevices and 🔑 USBSTOR keys with this per-user key, you can attribute a device to a specific user. This 🔑 also shows all systems the current user connected to (useful for RDP investigations).

🗒️ TODO: How to link, screenshots.

Key 🔑: Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp.

Tracks images opened with the Microsoft Photos application. Shows the volume GUID (use the other USB-related registry keys to assemble the picture), file path, date and time ⏰. LastUpdateTime shows when the file was … . This date and time is very close to LastInteracted from ShellBags. Go to MountedDevices (see above) to find the device by the volume GUID and then to SYSTEM’s USBSTOR -> PartitionTableCache.
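A worked example, added here and not part of the original notes, of the correlation described above done offline: the decimal suffix of an EMDMgmt sub-key name converted to hex, a MountedDevices \??\Volume{GUID} value decoded to the USBSTOR device it belongs to, and the {GUID} sub-keys of a user’s MountPoints2 joined on that GUID to attribute the device to the user. All key names and values are constructed samples; the device path layout USBSTOR#Disk&Ven_…&Prod_…&Rev_…#serial&instance#{class GUID} is assumed from typical hives.

```python
"""Correlate Windows USB artifacts across hives. Added example; all data below is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed layout of a USBSTOR device path as it appears in MountedDevices data
# (UTF-16LE string) and at the start of an EMDMgmt sub-key name:
#   USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&<instance>#{<class GUID>}
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^#]*)"
    r"#(?P<serial>[^&#]+)(?:&(?P<instance>\d+))?#\{(?P<class_guid>[0-9a-fA-F-]+)\}"
)


def parse_usbstor_path(text: str) -> Optional[dict]:
    """Pull vendor, product, revision, serial and class GUID out of a USBSTOR path."""
    m = USBSTOR_RE.search(text)
    return m.groupdict() if m else None


def parse_emdmgmt_key(name: str) -> Optional[dict]:
    """EMDMgmt sub-key name (assumed): _??_<USBSTOR path><volume label>_<volume serial, decimal>.
    The decimal tail is the volume serial; it is converted to hex for correlation with other keys."""
    dev = parse_usbstor_path(name)
    if dev is None:
        return None
    tail = name[name.rfind("}") + 1:]
    m = re.fullmatch(r"(?P<label>.*)_(?P<serial_dec>\d+)", tail)
    if not m:
        return None
    dev["volume_label"] = m.group("label")
    dev["volume_serial_hex"] = f"{int(m.group('serial_dec')):08X}"
    return dev


def decode_mounted_devices(values: Dict[str, bytes]) -> Dict[str, dict]:
    """Map \\??\\Volume{GUID} entries of MountedDevices to the USB device they belong to.
    USB volume data is a UTF-16LE device path; fixed-disk entries (signature + offset) are skipped."""
    volumes: Dict[str, dict] = {}
    for name, data in values.items():
        m = re.fullmatch(r"\\\?\?\\Volume(\{[0-9a-fA-F-]+\})", name)
        if not m:
            continue
        dev = parse_usbstor_path(data.decode("utf-16-le", errors="ignore"))
        if dev:
            volumes[m.group(1).lower()] = dev
    return volumes


def link_user_to_devices(mountpoints2_subkeys: List[str], volumes: Dict[str, dict]) -> List[Tuple[str, str]]:
    """MountPoints2 (NTUSER) sub-keys named {GUID} are volumes this user mounted.
    Joining them on the GUID with MountedDevices gives (volume GUID, device serial) pairs for the user."""
    linked = []
    for key in mountpoints2_subkeys:
        dev = volumes.get(key.lower())
        if dev:
            linked.append((key.lower(), dev["serial"]))
    return linked


# --- constructed sample data (not taken from a real system) ---
SAMPLE_DEVICE_PATH = (
    "USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26"
    "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
SAMPLE_EMDMGMT_KEY = "_??_" + SAMPLE_DEVICE_PATH + "MYDRIVE_3221225472"
SAMPLE_MOUNTED_DEVICES = {
    r"\??\Volume{6c2f1e3a-1111-2222-3333-444455556666}": ("_??_" + SAMPLE_DEVICE_PATH).encode("utf-16-le"),
    r"\DosDevices\C:": bytes.fromhex("3a8f2e1b" + "00" * 8),  # fixed disk: signature + offset, not USB
}
SAMPLE_MOUNTPOINTS2 = ["{6C2F1E3A-1111-2222-3333-444455556666}", "##FILESRV#SHARE", "C"]


def correlate() -> dict:
    """Run the three steps over the constructed samples and return the joined picture."""
    emd = parse_emdmgmt_key(SAMPLE_EMDMGMT_KEY)
    volumes = decode_mounted_devices(SAMPLE_MOUNTED_DEVICES)
    return {"emdmgmt": emd, "volumes": volumes, "user_devices": link_user_to_devices(SAMPLE_MOUNTPOINTS2, volumes)}


if __name__ == "__main__":
    for section, value in correlate().items():
        print(section, value)
```

The volume serial comes out as eight hex digits (3221225472 becomes C0000000), which is the form to compare with the other hives; MountPoints2 entries that are not volume GUIDs (network shares, drive letters) are simply skipped by the join.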

This information is very useful for child abuse cases.

Key 🔑: Local Settings\Software\Microsoft\Windows\Shell\BagMRU. Values: MRUListEx, NodeSlot, subkeys.

Key 🔑: Local Settings\Software\Microsoft\Windows\Shell\Bags. Values: Shell, which holds the folder’s GUID.

For more info refer to the Shellbags article.

Logs

Event Logs

Security event 6416: A new external device was recognised by the system.

Event ID 219 is logged when a device is plugged into a Windows-based system.

ID 20001 - Plug and Play driver install attempted. Contains 🐾 device information, 🐾 device serial number, 🐾 status (0 = no errors), 🐾 timestamp.

📂 %system root%\System32\winevt\logs\System.evtx

Plug’n’Play

When a Plug and Play driver install is attempted, the service will log an ID 20001 event and provide a Status within the event. It is important to note that this event will trigger for any Plug and Play-capable device, including but not limited to USB, Firewire, and PCMCIA devices.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-

By default, the SetupAPI text logs are located in the %SystemRoot%\Inf directory.

To enable event categories for the SetupAPI logs, create (or modify) the following REG_DWORD registry value: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\LogMask. More here.

setup

📂 XP: C:\Windows\setupapi.log
📂 Win7-10: C:\Windows\inf\setupapi.dev.log

Search for Device Serial Number

❗️⏰ Timestamps are in the local time zone.
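An added example, not from the original notes, of searching setupapi.dev.log for a device serial number offline: it splits the log into Device Install sections, takes the serial from the instance ID at the end of the device ID, and keeps the section start/end stamps and exit status. The log excerpt is constructed, and the line shapes (`>>>  [Device Install (...) - <device id>]`, `>>>  Section start <stamp>`, `<<<  Section end <stamp>`, `<<<  [Exit status: ...]`) are assumed from a typical Windows 7-10 log. The stamps are parsed as naive local time, as the note above says.

```python
"""Parse setupapi.dev.log device-install sections. Added example with a constructed log excerpt."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Assumed line shapes of a Windows 7-10 setupapi.dev.log
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END_RE = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def _parse_ts(text: str) -> datetime:
    # The log is written in the machine's local time zone; no tzinfo is attached here,
    # so convert with the host's zone before comparing with UTC sources (event logs, macOS).
    return datetime.strptime(text, TS_FMT)


def parse_setupapi_log(text: str) -> List[Dict]:
    """Return one record per 'Device Install' section: device id, serial, VID/PID, timestamps, status."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dev_id = m.group("id")
            # device id is <enumerator>\<hardware id>\<instance id>; for USB the instance id
            # is the serial number (plus "&<port>" on USBSTOR entries)
            parts = dev_id.split("\\")
            instance = parts[-1] if len(parts) >= 3 else ""
            vidpid = re.search(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})", dev_id)
            current = {
                "kind": m.group("kind"), "device_id": dev_id,
                "enumerator": parts[0], "serial": instance.split("&")[0],
                "vid": vidpid.group("vid").upper() if vidpid else None,
                "pid": vidpid.group("pid").upper() if vidpid else None,
                "start": None, "end": None, "status": None,
            }
            records.append(current)
            continue
        if current is None:
            continue
        for regex, field in ((START_RE, "start"), (END_RE, "end")):
            m = regex.match(line)
            if m:
                current[field] = _parse_ts(m.group("ts"))
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            current = None  # section closed
    return records


def find_by_serial(records: List[Dict], serial: str) -> List[Dict]:
    """All install sections for a serial; the earliest one is the device's first install on this host."""
    return [r for r in records if r["serial"].lower() == serial.lower()]


# constructed excerpt, not from a real machine
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2023/06/15 14:22:31.412
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p -s DeviceInstall
     dvi: {Build Driver List} 14:22:31.533
<<<  Section end 2023/06/15 14:22:33.101
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_05AC&PID_12A8\\00008030001234567890ABCD]
>>>  Section start 2023/06/16 09:05:10.001
<<<  Section end 2023/06/16 09:05:12.777
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for rec in parse_setupapi_log(SAMPLE_LOG):
        print(rec["serial"], rec["vid"], rec["pid"], rec["start"], rec["status"])
```

Run it against a copied setupapi.dev.log by reading the file into `parse_setupapi_log`; matching the serial case-insensitively matters because the same device is written in mixed case across hives and logs.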

macOS

iDevices

📂 Users/username/Library/Preferences/com.apple.iPod.plist 🛠️ Xcode, plutil.

🔑 Use Count - how many times the device was attached using this account.
🔑 Connected - last connect in UTC = conn.128:Last Connect (in hex).
🔑 Firmware version string - iOS version.
🔑 Product Type - hardware model, but not the official name. Look up the value here: https://www.theiphonewiki.com/wiki/Models.

📂 Users/username/Library/Application\ Support/MobileSync/Backup

USB

On macOS the tracev3 log files contain this information. On macOS remember Apple’s vendor ID 0x5ac! Look up USB vendor and product IDs here: https://the-sz.com/products/usbid/.

⚠️ Keep in mind that a lot of cheap USB drives might have the SAME serial number!!!

Also, FSEvents can give you a lot of information. Tools 🛠: FSEventsParser.

Many devices that are in fact built into the Mac are recorded as external connections in the tracev3 log files. So if you see vendor ID 0x5ac in the logs, it might be the keyboard or trackpad. To read: https://medium.com/@kieczkowska/usb-forensics-101-444faf737c4c
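An added example, not part of the original notes, that applies the two caveats above to the USBMSC lines found in system.log (the `grep -r usbmsc` hit described further down): entries with vendor ID 0x5ac are set aside as possibly built-in Apple hardware, and serial numbers that appear with more than one vendor/product pair are flagged, since cheap drives reuse serials. The five log lines are constructed, and the line layout `USBMSC Identifier (non-unique): <serial> 0x<vid> 0x<pid> 0x<rev>, <n>` is assumed.

```python
"""Parse USBMSC lines from macOS system.log. Added example; the log lines below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

APPLE_VENDOR_ID = 0x5AC  # Apple's vendor ID; built-in keyboard, trackpad and card reader use it too

# Assumed syslog line layout:
#   <Mon> <day> <HH:MM:SS> <host> kernel[0]: USBMSC Identifier (non-unique): <serial> 0x<vid> 0x<pid> 0x<rev>, <n>
USBMSC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel\[\d+\]: "
    r"USBMSC Identifier \(non-unique\): (?P<serial>\S+) "
    r"0x(?P<vid>[0-9a-fA-F]+) 0x(?P<pid>[0-9a-fA-F]+) 0x(?P<rev>[0-9a-fA-F]+)"
)


def parse_usbmsc(lines: List[str]) -> List[Dict]:
    """One record per USB mass-storage attach line; VID/PID/rev as ints.
    Syslog stamps carry neither year nor zone, so they are kept as the raw string."""
    out = []
    for line in lines:
        m = USBMSC_RE.match(line)
        if not m:
            continue
        out.append({
            "timestamp": m.group("ts"), "host": m.group("host"), "serial": m.group("serial"),
            "vid": int(m.group("vid"), 16), "pid": int(m.group("pid"), 16), "rev": int(m.group("rev"), 16),
        })
    return out


def likely_builtin_apple(records: List[Dict]) -> List[Dict]:
    """Vendor 0x5ac entries: check them against the Mac's own hardware before treating them as external media."""
    return [r for r in records if r["vid"] == APPLE_VENDOR_ID]


def ambiguous_serials(records: List[Dict]) -> Set[str]:
    """Serials seen with more than one (VID, PID): the serial alone does not identify one physical drive."""
    seen: Dict[str, Set[Tuple[int, int]]] = defaultdict(set)
    for r in records:
        seen[r["serial"]].add((r["vid"], r["pid"]))
    return {serial for serial, ids in seen.items() if len(ids) > 1}


SAMPLE_SYSTEM_LOG = [  # constructed lines, not from a real Mac
    "Jun 15 14:22:31 macbook kernel[0]: USBMSC Identifier (non-unique): 4C530001234567890123 0x781 0x5567 0x126, 3",
    "Jun 15 15:01:02 macbook kernel[0]: USBMSC Identifier (non-unique): 000000000000000001 0x13fe 0x4200 0x100, 2",
    "Jun 16 09:05:10 macbook kernel[0]: USBMSC Identifier (non-unique): 000000000000000001 0x90c 0x1000 0x1100, 2",
    "Jun 16 10:00:00 macbook kernel[0]: USBMSC Identifier (non-unique): 000000000820 0x5ac 0x8406 0x820, 2",
    "Jun 16 10:00:01 macbook kernel[0]: unrelated kernel message",
]

if __name__ == "__main__":
    recs = parse_usbmsc(SAMPLE_SYSTEM_LOG)
    for r in recs:
        print(r["timestamp"], r["serial"], f"{r['vid']:04x}:{r['pid']:04x}")
    print("possibly built-in Apple:", [r["serial"] for r in likely_builtin_apple(recs)])
    print("serials shared by several devices:", ambiguous_serials(recs))
```

Because the VID and PID are parsed as integers, `0x781` and `0x0781` from different log sources compare equal; for the ambiguous serials the VID/PID pair is what tells the two drives apart.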

usbmuxd.plist

Also gives the uid of the user and the gid of the group responsible for the USB mount.

plutil -p "./Volume 0/root/private/var/db/dslocal/nodes/Default/users/_usbmuxd.plist"
plutil -p "./Volume 0/root/private/var/db/dslocal/nodes/Default/groups/usbmuxd.plist"

The file structure:

{  
  "generateduid" => [  
    0 => "FFFFEEEE-DDDD-CCCC-BBBB-AAAA000000D5"  
  ]  
  "gid" => [  
    0 => "213"  
  ]  
  "home" => [  
    0 => "/var/db/lockdown"  
  ]  
  "name" => [  
    0 => "_usbmuxd"  
  ]  
  "passwd" => [  
    0 => "*"  
  ]  
  "realname" => [  
    0 => "iPhone OS Device Helper"  
  ]  
  "shell" => [  
    0 => "/usr/bin/false"  
  ]  
  "uid" => [  
    0 => "213"  
  ]  
}

{  
  "generateduid" => [  
    0 => "ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000D5"  
  ]  
  "gid" => [  
    0 => "213"  
  ]  
  "name" => [  
    0 => "_usbmuxd"  
  ]  
  "passwd" => [  
    0 => "*"  
  ]  
  "realname" => [  
    0 => "iPhone OS Device Helper"  
  ]  
}

Then cd to /private/var/db/dslocal/nodes/Default/users and /private/var/db/dslocal/nodes/Default/groups, run grep -r for the gid or uid shown above, and get the user/group.

0x5ac

Apple’s vendor ID.

tracev3

/private/var/db/diagnostics/Persist/*****.tracev3 is a binary log file; see the eForensics magazine for more information. For example, 000000000000057b.tracev3. Contains connection start times, vendor ID and product ID.

system.log

Another place to look for USB connections. Use grep -r usbmsc.


com.apple.finder.plist

Full path to the artifact: /Users/<username>/Library/Preferences/com.apple.finder.plist.

🔍 Not on my Mac!

FSEvents

Mount, Unmount, Volume. See here to know more about this artefact.

Daily.Out log

/private/var/log/daily.out.

Unified Log

Keywords: USBMC, Manufacturer.

Lockdown folder

Cryptographic keys used to pair with other devices (https://blog.elcomsoft.com/2018/07/accessing-lockdown-files-on-macos/).

/private/var/db/lockdown/

AirDrop

Since OS X Lion (10.7) and iOS 7.
