USB Storage History
Overview
Evidence: USB Storage History
Description: Collect USB Storage History
Category: System
Platform: Windows
Short Name: usbmsc
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows records every USB mass storage device that has connected to the system in the SYSTEM registry hive. This covers USB flash drives and external hard drives (enumerated under USBSTOR) as well as MTP devices such as phones and cameras, which are enumerated under the generic USB key rather than USBSTOR. The registry retains connection timestamps, device identifiers (vendor ID, product ID, serial number), and device descriptions.
This information persists even after the device is removed, providing historical evidence of USB device usage that can indicate data exfiltration or unauthorized device connections.
Data Collected
Field          Description                                          Example
FriendlyName   Device friendly name                                 SanDisk Ultra USB Device
DeviceDesc     Device description                                   USB Mass Storage Device
Serial         Device serial number (as reported by the device)     123456789ABCDEF
VendorID       USB vendor ID (hex, from the VID_xxxx key name)      0781
ProductID      USB product ID (hex, from the PID_xxxx key name)     5581
Install        Installation timestamp                               2023-10-01T14:00:00
FirstInstall   First installation timestamp                         2023-09-15T10:00:00
LastArrival    Last connection timestamp (Windows 8+)               2023-10-15T09:00:00
LastRemoval    Last disconnection timestamp (Windows 8+)            2023-10-15T17:00:00
RegistryTime1  First registry key last-write time (fallback)        2023-09-15T10:00:00
RegistryTime2  Second registry key last-write time (fallback)       2023-10-15T17:00:00
Collection Method
This collector parses the offline SYSTEM registry hive and extracts USB device information from the following keys:
ControlSet*\Enum\USB\*\* - USB device entries
ControlSet*\Enum\USBSTOR\*\* - USB storage device entries
ControlSet*\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed} - Device class timestamps
The collector correlates information across multiple registry keys to build complete device profiles with accurate timestamps.
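The following is an added example (not the collector's own code) of the correlation step described above: it joins a USBSTOR instance to its Enum\USB VID/PID entry by serial number and decodes the Install/FirstInstall/LastArrival/LastRemoval property timestamps. The hive content is a constructed in-memory copy, not a parsed hive file; the Properties GUID and the 0064 to 0067 value names are the Windows device-property locations, while the device names, serials and times are made up. The second sample device has a Windows-generated instance ID (no firmware serial), which is the ambiguous case listed under Known Limitations.

```python
"""Added example: build USB storage device profiles from constructed SYSTEM hive data."""
import struct
from datetime import datetime, timedelta, timezone

# Enum\USBSTOR\<type>\<instance>\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00xx
# hold REG_FILETIME values on Windows 8 and later.
TIME_PROPERTIES = {"0064": "Install", "0065": "FirstInstall",
                   "0066": "LastArrival", "0067": "LastRemoval"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw)
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).strftime("%Y-%m-%dT%H:%M:%S")


def iso_to_filetime(iso):
    """Inverse of filetime_to_iso; used here only to construct sample data."""
    delta = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc) - FILETIME_EPOCH
    return struct.pack("<Q", (delta.days * 86400 + delta.seconds) * 10_000_000)


def parse_usbstor_key(name):
    """Split 'Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00' into Type/Vendor/Product/Revision."""
    parts = name.split("&")
    fields = {"Type": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        fields[{"Ven": "Vendor", "Prod": "Product", "Rev": "Revision"}.get(key, key)] = value
    return fields


def parse_instance_id(instance_id):
    """Return (serial, unique). Windows appends '&<n>' to a device-reported serial.
    An instance ID with '&' in the second position was generated by Windows because
    the device reported no unique serial, so it cannot identify one physical device."""
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    serial = instance_id.rsplit("&", 1)[0] if unique else instance_id
    return serial, unique


def display_text(desc):
    """'@disk.inf,%disk_devdesc%;Disk drive' -> 'Disk drive' (indirect string format)."""
    return desc.rsplit(";", 1)[-1] if desc.startswith("@") else desc


def build_profiles(usbstor, usb):
    """Join Enum\\USBSTOR instances with Enum\\USB VID_xxxx&PID_yyyy keys by serial."""
    by_serial = {}  # serial -> (VID, PID, values) from Enum\USB
    for vidpid, instances in usb.items():
        ids = dict(p.split("_", 1) for p in vidpid.split("&"))
        for inst, data in instances.items():
            by_serial[inst] = (ids.get("VID"), ids.get("PID"), data["values"])
    profiles = []
    for key, instances in usbstor.items():
        hw = parse_usbstor_key(key)
        for inst, data in instances.items():
            serial, unique = parse_instance_id(inst)
            vid, pid, usb_values = by_serial.get(serial, (None, None, {}))
            profile = {
                "FriendlyName": data["values"].get("FriendlyName"),
                "DeviceDesc": display_text(usb_values.get("DeviceDesc", data["values"].get("DeviceDesc", ""))),
                "Vendor": hw.get("Vendor"), "Product": hw.get("Product"),
                "Serial": serial, "SerialUnique": unique,
                "VendorID": vid, "ProductID": pid,
            }
            for prop, label in TIME_PROPERTIES.items():
                raw = data.get("times", {}).get(prop)
                profile[label] = filetime_to_iso(raw) if raw else None
            profiles.append(profile)
    return profiles


# Constructed sample hive content (not taken from a real system).
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00": {
        # Device with a firmware serial: stored as <serial>&0
        "4C530001234567890123&0": {
            "values": {"FriendlyName": "SanDisk Ultra USB Device",
                       "DeviceDesc": "@disk.inf,%disk_devdesc%;Disk drive"},
            "times": {"0064": iso_to_filetime("2023-10-01T14:00:00"),
                      "0065": iso_to_filetime("2023-09-15T10:00:00"),
                      "0066": iso_to_filetime("2023-10-15T09:00:00"),
                      "0067": iso_to_filetime("2023-10-15T17:00:00")},
        },
        # Device without a unique serial: Windows-generated instance ID, no Enum\USB match
        "7&2a8b1c3d&0&_&0": {
            "values": {"FriendlyName": "Generic Flash Disk USB Device",
                       "DeviceDesc": "@disk.inf,%disk_devdesc%;Disk drive"},
            "times": {"0066": iso_to_filetime("2023-10-20T08:30:00")},
        },
    },
}
SAMPLE_USB = {
    "VID_0781&PID_5581": {
        "4C530001234567890123": {
            "values": {"DeviceDesc": "@usbstor.inf,%genericbulkonly.devicedesc%;USB Mass Storage Device"}},
    },
}

if __name__ == "__main__":
    for p in build_profiles(SAMPLE_USBSTOR, SAMPLE_USB):
        print(p)
```

The join only succeeds for the first device; the second keeps its generated instance ID as Serial, has no VendorID/ProductID, and is flagged SerialUnique=False, which is how a report should surface it rather than silently matching it to another device.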
Usage
USB device history is critical for data exfiltration investigations and insider threat detection. Investigators use this data to identify unauthorized USB devices, establish device connection timelines, detect data theft via USB drives, track specific devices across multiple systems, correlate device usage with user activity, and identify devices used for malware delivery.
Known Limitations
Available timestamps depend on the Windows version; LastArrival and LastRemoval are only recorded on Windows 8 and later
Devices without unique serials may be ambiguous
Some MTP devices may not be fully tracked
Registry key timestamps used as fallback when device times unavailable
Notes
Windows 8+ provides more detailed timestamps (LastArrival, LastRemoval) than Windows 7. The Volume Serial Number recorded in prefetch files and other artifacts identifies the filesystem volume, not the USB hardware serial, so it must be linked to a device through another artifact (for example the MountedDevices or EMDMgmt registry keys) before it can establish which device was used for specific file operations.