# USB Storage History

## Overview

**Evidence:** USB Storage History\
**Description:** Collect USB Storage History\
**Category:** DiskFilesystem\
**Platform:** windows\
**Short Name:** usbmsc\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Windows records in the registry every USB mass storage device that connects to the system. This includes USB flash drives, external hard drives, and MTP devices. The registry maintains connection timestamps, device identifiers, and device descriptions.

This information persists even after the device is removed, providing historical evidence of USB device usage that can indicate data exfiltration or unauthorized device connections.

## Data Collected

This collector gathers structured data about USB storage history.

### USB Storage History Data

| Field           | Description                       | Example                  |
| --------------- | --------------------------------- | ------------------------ |
| `FriendlyName`  | Device friendly name              | SanDisk Ultra USB Device |
| `DeviceDesc`    | Device description                | USB Mass Storage Device  |
| `Serial`        | Device serial number              | 123456789ABCDEF          |
| `VendorID`      | USB vendor ID                     | 0781                     |
| `ProductID`     | USB product ID                    | 5581                     |
| `Install`       | Installation timestamp            | 2023-10-01T14:00:00      |
| `FirstInstall`  | First installation timestamp      | 2023-09-15T10:00:00      |
| `LastArrival`   | Last connection timestamp         | 2023-10-15T09:00:00      |
| `LastRemoval`   | Last disconnection timestamp      | 2023-10-15T17:00:00      |
| `RegistryTime1` | First registry modification time  | 2023-09-15T10:00:00      |
| `RegistryTime2` | Second registry modification time | 2023-10-15T17:00:00      |

## Collection Method

This collector parses the offline SYSTEM registry hive to extract USB device information from:

* `ControlSet*\Enum\USB\*\*` - USB device entries
* `ControlSet*\Enum\USBSTOR\*\*` - USB storage device entries
* `ControlSet*\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}` - Device class timestamps

The collector correlates information across multiple registry keys to build complete device profiles with accurate timestamps.

## Forensic Value

USB device history is critical for data exfiltration investigations and insider threat detection. Investigators use this data to identify unauthorized USB devices, establish device connection timelines, detect data theft via USB drives, track specific devices across multiple systems, correlate device usage with user activity, and identify devices used for malware delivery.
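The following is an added example, not part of the collector or its documentation. It shows how parsed records could be turned into a cross-host timeline, find serials seen on more than one system, and measure the last connection window. It assumes the records are available as dictionaries keyed by the field names in the table above; the `Host` key and all sample values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Field names follow the table above; "Host" is a
# hypothetical key added here to tell apart exports from different systems.
RECORDS = [
    {"Host": "WS-01", "Serial": "123456789ABCDEF", "FirstInstall": "2023-09-15T10:00:00",
     "LastArrival": "2023-10-15T09:00:00", "LastRemoval": "2023-10-15T17:00:00"},
    {"Host": "WS-02", "Serial": "123456789ABCDEF", "FirstInstall": "2023-10-10T12:00:00",
     "LastArrival": "2023-10-16T08:30:00", "LastRemoval": "2023-10-10T12:45:00"},
    {"Host": "WS-02", "Serial": "CONSTRUCTED0001", "FirstInstall": "2023-10-12T09:15:00",
     "LastArrival": "2023-10-12T09:15:00", "LastRemoval": ""},
]

def parse(ts):
    """Return a datetime, or None when the timestamp is missing or empty."""
    return datetime.fromisoformat(ts) if ts else None

def last_session(rec):
    """Length of the most recent connection, or None when no removal follows
    the last arrival (device still attached, or removal not recorded)."""
    arrival, removal = parse(rec.get("LastArrival")), parse(rec.get("LastRemoval"))
    if arrival is None or removal is None or removal < arrival:
        return None
    return removal - arrival

def timeline(records):
    """Flatten records into (time, host, serial, event) tuples sorted by time."""
    events = []
    for rec in records:
        for field in ("FirstInstall", "LastArrival", "LastRemoval"):
            ts = parse(rec.get(field))
            if ts:
                events.append((ts, rec["Host"], rec["Serial"], field))
    return sorted(events)

def shared_devices(records):
    """Map each serial seen on more than one host to the set of those hosts."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["Serial"]].add(rec["Host"])
    return {serial: hosts for serial, hosts in seen.items() if len(hosts) > 1}

if __name__ == "__main__":
    for ts, host, serial, event in timeline(RECORDS):
        print(ts.isoformat(), host, serial, event)
    print("Seen on multiple hosts:", shared_devices(RECORDS))
    for rec in RECORDS:
        print(rec["Host"], rec["Serial"], "last session:", last_session(rec))
```

Timestamps are compared exactly as exported, so confirm that all hosts report them in the same time zone before merging timelines.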
