USB Forensics — Who Connected What Device, and When

USB storage devices are common vectors for data theft, malware introduction, and evidence destruction. Forensic investigators regularly need to answer: was a USB drive connected to this computer? When? What was on it?

Windows maintains a surprisingly detailed record of every USB device that has ever been connected — if you know where to look. This guide covers the key artifacts, their locations, and how to build a timeline from USB evidence.

Windows USB Artifacts

USBSTOR Registry Key
Location: SYSTEM\CurrentControlSet\Enum\USBSTOR

This key records every USB storage device ever connected. For each device, the registry stores:

• Device class (DiskDrive, CdRom, etc.)
• Manufacturer and product name (e.g., “SanDisk Cruzer”)
• Serial number (unique per device)
• First connected timestamp (via SetupAPI log)
• Last connected and disconnected timestamps (via registry last write times)

The serial number is critical — it uniquely identifies a specific physical device. Finding the same serial number in the registry of multiple computers proves the same device was connected to all of them.

To extract USBSTOR data using Eric Zimmerman’s Registry Explorer:

# Parse SYSTEM hive for USB device history
RECmd.exe --hive SYSTEM --kn "ControlSet001\Enum\USBSTOR" --csv output/

# Or use RegRipper plugin
rip.pl -r SYSTEM -p usbstor

USB Registry Key
Location: SYSTEM\CurrentControlSet\Enum\USB

Records all USB devices, not just storage — keyboards, webcams, phones, etc. The Vendor ID (VID) and Product ID (PID) here can be cross-referenced against the USB ID database at linux-usb.org/usb-ids.html to identify the device manufacturer and model even when the USBSTOR descriptor is generic.

MountedDevices and MountPoints2
Location: SYSTEM\MountedDevices and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Records drive letters assigned to mounted volumes, including USB drives. Cross-referencing with USBSTOR entries shows which drive letter was assigned to which device. MountPoints2 is per-user, meaning you can determine which user account was logged in when a device was mounted.

SetupAPI Logs

Location: C:\Windows\inf\setupapi.dev.log

This log records every device installation event with a timestamp. When a USB device is connected for the first time (or after a driver update), an entry is written here.

SetupAPI entries include the device’s hardware ID (matches the USBSTOR key) and the exact date and time of first connection. This is the most reliable first-connected timestamp for USB devices.

A typical SetupAPI entry looks like:

>>>[Device Install (Hardware initiated) - USB\VID_0781&PID_5567\200601234567]
>>>  Section start 2026/03/15 14:22:31.445
      dvi: {Build Driver List}
      dvi: {Build Driver List - exit(0x00000000)}
      dvi: {DIF_SELECTBESTCOMPATDRV}
      dvi: Default installer: Enter
      dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)}

Windows Event Logs for USB Activity

Relevant events in the Security and System logs:

• Event ID 6416 (Security log): A new external device was recognized — includes device description and class GUID. Requires “Audit PNP Activity” policy to be enabled.
• Event ID 4663 (Security log): File access on a removable drive. Requires Object Access auditing to be enabled — not on by default, but frequently enabled in enterprise environments.
• Event ID 20001 (Microsoft-Windows-UserPnP/DeviceInstall): Records driver installation for new devices with timestamps.
• Event ID 10000/10100 (Microsoft-Windows-DriverFrameworks-UserMode): USB device connect/disconnect events with precise timestamps in Windows 10/11.

To query USB events from an exported EVTX file:

# PowerShell - extract USB events from Security log
Get-WinEvent -Path Security.evtx | Where-Object {$_.Id -eq 6416} |
  Select-Object TimeCreated, Message | Format-List

# Or use EvtxECmd from Eric Zimmerman's tools
EvtxECmd.exe -f System.evtx --csv output/ --csvf usb_events.csv

LNK Files (Link Files) as USB Evidence

When a user opens a file from a USB drive through Windows Explorer, Windows creates a Link (.lnk) file in the user’s Recent folder and in Jump Lists. These LNK files contain:

• The full path to the opened file (including the drive letter)
• The volume name and serial number of the USB drive
• File timestamps at the time of opening (creation, modification, access)
• The MAC address of the host machine
• The target file size at time of access

Finding an LNK file pointing to E:\Private\report.xlsx on a drive with a specific volume serial number is direct evidence of file access from that USB volume. Parse LNK files with:

# Eric Zimmerman's LECmd
LECmd.exe -d "C:\Users\suspect\AppData\Roaming\Microsoft\Windows\Recent" --csv output/

# Or with exiftool
exiftool -a *.lnk

Shellbags — USB Volume Navigation Evidence

Shellbags record folders that a user has navigated through in Windows Explorer. If a user opened folders on a USB drive, those folder paths and timestamps are recorded in shellbag data at:
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Shellbags persist even after the USB drive is removed — they’re stored on the host system. This means even if the suspect reformats or destroys the USB drive, the fact that they navigated to E:\Confidential\Q4 Financials\ is recorded on their workstation.

# Parse shellbags with SBECmd
SBECmd.exe -d "C:\Users\suspect" --csv output/

# Key columns: AbsolutePath, CreatedOn, ModifiedOn, AccessedOn, LastWriteTime

Eric Zimmermann’s ShellBag Explorer provides a GUI view that’s particularly useful for showing folder navigation patterns to a jury or in a deposition exhibit.

Connecting USB Evidence to Data Exfiltration

When investigating potential data theft, USB evidence is connected through a five-step correlation:

1. Registry confirms USB device connected at a specific date/time — USBSTOR provides the serial number and device descriptor
2. SetupAPI provides first-connection timestamp establishing when the device was first introduced to the system
3. Shellbags show folders navigated on the USB volume, revealing what directories the user browsed
4. LNK files show specific files opened from the USB drive, with timestamps and file metadata
5. Event logs or DLP tool alerts showing file transfer activity or device recognition events

Volume shadow copies may also show files that were on the system before they were copied to USB and deleted. Together, this evidence chain can establish that a specific person connected a specific USB drive, navigated to a sensitive folder, and accessed or copied specific files.

Case Example

A software company discovered that a departing engineer had accessed a proprietary codebase repository the day before giving notice. The company’s IT department preserved the engineer’s workstation image before the employee returned the laptop.

The forensic examiner recovered the SYSTEM registry hive and identified a SanDisk Ultra USB 3.0 drive (serial number 04013e69e1e1c451) that was first connected via SetupAPI at 22:47 on the evening before the resignation. USBSTOR last-write timestamps showed the device was disconnected at 23:14 — a 27-minute connection window.

Shellbag analysis revealed the user navigated to F:\backup\source\ on the USB volume. Two LNK files in the user’s Recent folder pointed to files on the F: drive with volume serial matching the USB device. The target paths referenced .tar.gz archive files with names matching the company’s repository structure.

The same USB serial number was later found in the USBSTOR registry of a personal laptop recovered under court order, confirming the device was used on both machines. The examiner’s timeline — correlating SetupAPI, registry timestamps, shellbags, and LNK metadata — was presented as a single exhibit establishing the sequence of events.

Practitioner Takeaways

• Always collect both the SYSTEM hive and the user’s NTUSER.DAT — USB device data spans both, and MountPoints2 in NTUSER ties the device to a specific user account.
• SetupAPI logs provide the most reliable first-connection timestamp; registry last-write times indicate the most recent connection.
• Shellbag evidence survives USB removal, reformatting, and even destruction of the device itself — it’s stored entirely on the host.
• Volume serial numbers in LNK files and MountedDevices are different from USB device serial numbers — don’t conflate the two in reports.
• On macOS, equivalent artifacts are in /var/log/system.log, system_profiler SPUSBDataType, and the Spotlight index. On Linux, check dmesg, /var/log/syslog, and udevadm info.
• Document your tool versions (Registry Explorer, RECmd, LECmd) and hashes of the evidence files before parsing — opposing counsel will challenge the tool’s reliability at deposition.

FAQ: USB Forensics

Q: Can a USB connection be proven even if the drive isn’t available?
A: Yes. The Windows registry records the device serial number and timestamps regardless of whether the drive is available. The drive itself is helpful for examining its contents but not required to prove it was connected. USBSTOR, SetupAPI, shellbags, and LNK files all reside on the host system.

Q: Can you tell what files were copied to a USB drive?
A: Not directly from Windows alone. Windows doesn’t log copy operations by default. However, LNK files, shellbags, and prefetch files can show what files were accessed before the copy. DLP software, if installed, may log actual file transfers. Jump Lists in Windows 10/11 also record recently accessed files per application.

Q: If someone formats the USB drive, does that destroy the Windows records?
A: No. Formatting the USB drive doesn’t affect the records on the host computer. The Windows registry, SetupAPI logs, LNK files, and shellbags on the host system remain unchanged by anything done to the USB drive itself.

Q: Can USB timestamps be spoofed or manipulated?
A: Registry last-write times can theoretically be altered with specialized tools, but SetupAPI logs are append-only text files and harder to manipulate without detectable inconsistencies. Cross-referencing multiple independent artifact sources — registry, SetupAPI, event logs, LNK files — makes timestamp manipulation extremely difficult to execute convincingly.

Q: How far back do USB connection records go?
A: USBSTOR registry entries persist indefinitely unless manually deleted. SetupAPI logs can grow to several megabytes before Windows rotates them, typically covering months to years of device history. Event logs depend on the retention policy configured on the system.

Q: Do USB-C and Thunderbolt devices leave the same artifacts?
A: USB-C storage devices that use the USB Mass Storage or UAS protocol leave identical USBSTOR artifacts. Thunderbolt devices may appear under different device classes depending on the protocol used. NVMe over Thunderbolt, for example, may not appear in USBSTOR but will appear in SetupAPI and event logs.

See also: Hard Drive Imaging | Employee Monitoring | Trade Secret Forensics