INF Setup Logs

Overview

Evidence: INF Setup Description: Collect INF Setup Log Files Category: Other Evidence Platform: Windows Short Name: infl Is Parsed: No - Raw text log files Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows maintains setupapi log files that record detailed information about device driver installations, including PnP device installations, driver package installations, and device configuration changes.

These logs can provide evidence of hardware changes, driver installations, and USB device connections that may not be captured elsewhere.

Data Collected

Field

Description

Example

Name

Artifact name

INF Setup Logs

Type

File

SourcePath

Original file path

C:\Windows\INF\setupapi.dev.log

Path

Relative path in evidence

Other/setupapi.dev.log

Collection Method

This collector collects INF setup log files from:

Windows\INF\setupapi*.log
Windows\setupapi*.log (legacy location)

Usage

INF setup logs provide detailed device installation history. Investigators use this data to track USB device installations, identify driver installation timelines, detect hardware changes, investigate PnP device activity, and correlate with USB history artifacts.

Known Limitations

Text log format varies by Windows version
May be rotated or cleared
Detailed parsing requires log format knowledge
Some installations may not be fully logged

Notes

These logs complement USB device history and can provide installation details including specific times when devices were connected and configured.

PreviousIE 7-8-9 Browsing History NextIPv4 Routes

Last updated 49 minutes ago

Was this helpful?