.. generated, remove this comment to keep this file

``usb``
=======

.. code-block:: console

    $ target-query -f usb

.. list-table:: Details
   :widths: 20 80

   * - Module
     - ``dissect.target.plugins.os.windows.regf.usb.UsbPlugin``
   * - Output
     - ``records``

**Module documentation**

Windows USB history plugin.

Parses Windows registry data about attached USB devices. Does not parse EVTX EventIDs
or ``C:\Windows\inf\setupapi(.dev).log``.

To get a full picture of the USB history on a Windows machine, you should parse the relevant
EventIDs using the evtx plugin.

For more research on event log USB forensics, see:

- https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10
- https://dfir.pubpub.org/pub/h78di10n/release/2
- https://www.senturean.com/posts/19_08_03_usb_storage_forensics_1/#1-system-events

References:

- https://hatsoffsecurity.com/2014/06/05/usb-forensics-pt-1-serial-number/
- http://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html
- https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers/

**Function documentation**

Yields information about (historically) attached USB storage devices on Windows.

Uses the registry to find information about USB storage devices that have been attached to the system.
Also tries to find the past volume name and mount letters of the USB device and what user(s) interacted
with them using ``explorer.exe``.