usb

$ target-query <path/to/target> -f usb
Details

Module

dissect.target.plugins.os.windows.regf.usb.UsbPlugin

Output

records

Module documentation

Windows USB history plugin.

Parses Windows registry data about attached USB devices. Does not parse EVTX EventIDs or C:\Windows\inf\setupapi(.dev).log.

To get a full picture of the USB history on a Windows machine, you should parse the relevant EventIDs using the evtx plugin. For more research on event log USB forensics, see:

Resources:

Function documentation

Yields information about (historically) attached USB storage devices on Windows.

Uses the registry to find information about USB storage devices that have been attached to the system. Also tries to find the past volume name and mount letters of the USB device and which user(s) interacted with it using explorer.exe.
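
The kind of registry data involved, as an added example that is not dissect's own code: it splits a USBSTOR device key name and its instance key into fields, and flags instance ids that Windows generated because the device reported no serial number. It assumes the standard key naming under Enum\USBSTOR; parse_usbstor and the sample key names are constructed for illustration.

```python
import re

# Constructed illustration of the key naming Windows uses under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
#   <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
DEVICE_KEY = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>.*?)&Prod_(?P<product>.*?)&Rev_(?P<revision>.*)$",
    re.IGNORECASE,
)


def parse_usbstor(device_key, instance_key):
    """Split a USBSTOR device key and instance key into named fields (hypothetical helper)."""
    match = DEVICE_KEY.match(device_key)
    if match is None:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    fields = match.groupdict()

    # If the second character of the instance id is "&", the device reported no
    # serial number and Windows generated the id; it is then only unique on this
    # machine and cannot be used to correlate the device across systems.
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    # A device-reported serial is followed by "&<n>"; strip that suffix.
    serial = instance_key if generated else instance_key.rsplit("&", 1)[0]
    fields["serial"] = serial
    fields["serial_from_device"] = not generated
    return fields


# Constructed sample key names, not taken from a real system.
SAMPLES = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001234567891234&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1c2b3a4d&0"),
]

if __name__ == "__main__":
    for device_key, instance_key in SAMPLES:
        print(parse_usbstor(device_key, instance_key))
```

When serial_from_device is False, treat the id as local to the examined machine and rely on other evidence to tie the device to activity on another system.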