USB Storage History

Overview

  • Evidence: USB Storage History

  • Description: Collect USB Storage History

  • Category: DiskFilesystem

  • Platform: windows

  • Short Name: usbmsc

  • Is Parsed: Yes

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows tracks all USB mass storage devices that connect to the system in the registry. This includes USB flash drives, external hard drives, and MTP devices. The registry maintains connection timestamps, device identifiers, and device descriptions.

This information persists even after the device is removed, providing historical evidence of USB device usage that can indicate data exfiltration or unauthorized device connections.

Data Collected

This collector gathers structured data about USB storage history.

USB Storage History Data

| Field | Description | Example |
| --- | --- | --- |
| FriendlyName | Device friendly name | SanDisk Ultra USB Device |
| DeviceDesc | Device description | USB Mass Storage Device |
| Serial | Device serial number | 123456789ABCDEF |
| VendorID | USB vendor ID | 0781 |
| ProductID | USB product ID | 5581 |
| Install | Installation timestamp | 2023-10-01T14:00:00 |
| FirstInstall | First installation timestamp | 2023-09-15T10:00:00 |
| LastArrival | Last connection timestamp | 2023-10-15T09:00:00 |
| LastRemoval | Last disconnection timestamp | 2023-10-15T17:00:00 |
| RegistryTime1 | First registry modification time | 2023-09-15T10:00:00 |
| RegistryTime2 | Second registry modification time | 2023-10-15T17:00:00 |

Collection Method

This collector parses the offline SYSTEM registry hive to extract USB device information from:

  • ControlSet*\Enum\USB\*\* - USB device entries

  • ControlSet*\Enum\USBSTOR\*\* - USB storage device entries

  • ControlSet*\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed} - Device class timestamps

The collector correlates information across multiple registry keys to build complete device profiles with accurate timestamps.
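The correlation step, as an added example written for this page rather than the collector's own implementation: a constructed dict stands in for the three key trees of an offline SYSTEM hive, the entries are joined on the device serial, and the Install/FirstInstall/LastArrival/LastRemoval fields are read from the device's PnP Properties key (property ids 0064 to 0067 under the standard Windows property-store GUID). The InterfaceTime field and the mapping of RegistryTime1/RegistryTime2 to the USBSTOR and USB key last-write times are this example's assumptions.

```python
# Constructed sample, not a real hive: {key_path: {value_name: data}}. "_mtime"
# stands in for the key last-write time that a hive parser would expose.
IFACE = "{a5dcbf10-6530-11d2-901f-00c04fb951ed}"             # USB device interface class
PROPS = r"Properties\{83da6326-97a6-4088-9453-a1923f573b29}"  # PnP device property store
STOR = r"ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001234567&0"
SAMPLE_HIVE = {
    STOR: {"FriendlyName": "SanDisk Ultra USB Device", "_mtime": "2023-09-15T10:00:00"},
    STOR + "\\" + PROPS + r"\0064": {"(Default)": "2023-10-01T14:00:00"},  # Install
    STOR + "\\" + PROPS + r"\0065": {"(Default)": "2023-09-15T10:00:00"},  # FirstInstall
    STOR + "\\" + PROPS + r"\0066": {"(Default)": "2023-10-15T09:00:00"},  # LastArrival
    STOR + "\\" + PROPS + r"\0067": {"(Default)": "2023-10-15T17:00:00"},  # LastRemoval
    r"ControlSet001\Enum\USB\VID_0781&PID_5581\4C530001234567": {
        "DeviceDesc": "USB Mass Storage Device", "_mtime": "2023-10-15T17:00:00"},
    r"ControlSet001\Control\DeviceClasses\%s\##?#USB#VID_0781&PID_5581#4C530001234567#%s"
    % (IFACE, IFACE): {"_mtime": "2023-10-15T09:00:00"},
}
PROP_IDS = {"0064": "Install", "0065": "FirstInstall", "0066": "LastArrival", "0067": "LastRemoval"}

def usb_storage_history(hive):
    """Correlate USBSTOR, USB and DeviceClasses keys into one profile per serial."""
    devices = {}
    def profile(serial):
        return devices.setdefault(serial, {"Serial": serial})
    for path, values in hive.items():
        p = path.split("\\")
        if p[1:3] == ["Enum", "USBSTOR"] and len(p) >= 5:
            serial = p[4].rsplit("&", 1)[0]            # drop the "&0" instance suffix
            d = profile(serial)
            if len(p) == 5:                            # the device instance key itself
                d["FriendlyName"] = values.get("FriendlyName")
                d["RegistryTime1"] = values.get("_mtime")   # assumed mapping
                # Windows-generated ids have '&' as 2nd char: device reported no serial
                d["SerialIsHardware"] = serial[1:2] != "&"
            elif len(p) == 8 and p[7] in PROP_IDS:     # Properties\{guid}\00xx timestamps
                d[PROP_IDS[p[7]]] = values.get("(Default)")
        elif p[1:3] == ["Enum", "USB"] and len(p) == 5 and p[3].upper().startswith("VID_"):
            d = profile(p[4])
            d["VendorID"], d["ProductID"] = p[3].upper()[4:8], p[3].upper()[13:17]
            d["DeviceDesc"] = values.get("DeviceDesc")
            d["RegistryTime2"] = values.get("_mtime")       # assumed mapping
        elif p[1:3] == ["Control", "DeviceClasses"] and len(p) == 5 and p[3].lower() == IFACE:
            d = profile(p[4].split("#")[5])            # ##?#USB#VID_x&PID_y#<serial>#{guid}
            d["InterfaceTime"] = values.get("_mtime")       # assumed field name
    return sorted(devices.values(), key=lambda d: d["Serial"])

if __name__ == "__main__":
    for dev in usb_storage_history(SAMPLE_HIVE):
        print(dev)
```

A real run would replace SAMPLE_HIVE with the key paths, values and last-write times read from the offline hive; the SerialIsHardware flag separates serials the device reported from instance ids Windows generated when it did not.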

Forensic Value

USB device history is critical for data exfiltration investigations and insider threat detection. Investigators use this data to identify unauthorized USB devices, establish device connection timelines, detect data theft via USB drives, track specific devices across multiple systems, correlate device usage with user activity, and identify devices used for malware delivery.
