By: Charanjeet Singh
October 19, 2016

Windows USB Forensics

Today, I’m going to tell you about Windows USB and removable media forensics. Whenever we connect an external removable media device to a laptop or PC, Windows generates registry entries that contain a lot of information, such as the device name, device type and manufacturer name, as well as information about the last device connected to the PC. This type of information is very useful when doing computer forensics and building a chain of events to solve a cyber crime or investigate any prohibited activity on that particular PC. We can collect information about all the devices that have ever been connected to the PC.

The registry entries for USB devices are stored at the following locations in the registry. One can open the registry by pressing Ctrl+R, typing “regedit” in the Run box and then pressing “Enter”.

HKLM\System\CurrentControlSet\Enum\USBSTOR

And

HKLM\System\CurrentControlSet\Enum\USB

One can go to these locations to examine these registry entries manually, but with the help of tools this task becomes very easy. One can use tools like USBDeview and USBHistorian to analyze these entries. Below is a picture of USBDeview.

[Image: windows usb forensics]

As you can see, this tool presents all the information in an easy-to-read format. Another thing I like about this tool is that you can filter the results by going into “Options” and selecting the desired option. Also worth mentioning is that it can generate HTML reports. It is freely available on the internet: one can visit www.nirsoft.net and download it.
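When the evidence is an exported key listing rather than a live system, the two keys above can also be read with a short script. The following is an added example, not part of the original article: it parses USBSTOR instance keys (named `<Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance ID>`) and attaches the VID/PID from the USB key when the serial numbers match. The sample key paths, vendor names and serial numbers are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: key paths as a recursive `reg query ... /s` listing prints them.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Flash_Drive&Rev_1.00\AA00112233445566&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Flash_Drive&Rev_1.00\AA00112233445566&0\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Card_Reader&Rev_8.07\7&1c2d3e4f&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_ABCD\AA00112233445566
"""

USBSTOR_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<revision>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE)
USB_RE = re.compile(
    r"\\Enum\\USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<instance>[^\\]+)$",
    re.IGNORECASE)

def parse_usbstor(text):
    """Return one record per USBSTOR device instance key; deeper subkeys are skipped."""
    records = []
    for line in text.splitlines():
        m = USBSTOR_RE.search(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        inst = rec.pop("instance")
        # A '&' as the second character means Windows generated the instance ID
        # because the device reported no unique serial number.
        rec["unique_serial"] = not (len(inst) > 1 and inst[1] == "&")
        rec["serial"] = inst.rsplit("&", 1)[0] if rec["unique_serial"] else inst
        records.append(rec)
    return records

def add_vid_pid(records, text):
    """Attach VID/PID from the Enum USB key to records that share a serial number."""
    ids = {}
    for line in text.splitlines():
        m = USB_RE.search(line.strip())
        if m:
            ids[m["instance"].upper()] = (m["vid"].upper(), m["pid"].upper())
    for rec in records:
        rec["vid"], rec["pid"] = ids.get(rec["serial"].upper(), (None, None))
    return records

if __name__ == "__main__":
    for device in add_vid_pid(parse_usbstor(SAMPLE), SAMPLE):
        print(device)
```

Records with `unique_serial` set to False cannot be tied to one physical device by serial number alone, so treat them as weaker evidence when building the chain of events.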