USB Event Logs

USB Event Logs for Forensic Analysis

In this lesson, we explore the Windows Event Logs that provide valuable insights into USB activity. By correlating these logs with registry artifacts, we can confidently validate USB usage and create a reliable forensic timeline. This approach ensures multiple data sources corroborate each other, reducing the risk of analytical errors.

Event Logs to Investigate

  1. Partition Logs

  2. Kernel-PnP Logs

  3. NTFS Operational Logs

1. Partition Logs

Path in Event Viewer: Application and Services Logs > Microsoft > Windows > Partition

Key Event ID:

  • 1006: Logged when a USB storage device is connected.

Details from Event:

  • Timestamp: Confirms the time the USB was connected.

  • Device Information:

    • Serial Number

    • Manufacturer

    • Model

    • Disk size (in bytes)

Example: A Partition log shows that a USB with serial number 123456789 and model SanDisk Ultra was connected at 08:05:07 AM. This aligns perfectly with the connection timestamp obtained from the USBSTOR registry key.

2. Kernel-PnP Logs

Path in Event Viewer: Application and Services Logs > Microsoft > Windows > Kernel-PnP

Key Event IDs:

  • 400: Indicates when a USB device is configured (connected).

  • 410: Logged when the USB device is removed.

Details from Event:

  • Device Name: Matches the name in the USBSTOR registry.

  • Class GUID: Unique identifier corresponding to the USB device type.

  • Timestamp: Matches the connection time logged in Partition events and the registry.

Example: Event ID 400 shows the USB with the same Class GUID as the registry and confirms the device was configured at the exact same time as noted in Partition logs.

3. NTFS Operational Logs

Path in Event Viewer: Application and Services Logs > Microsoft > Windows > NTFS

Key Event ID:

  • 142: Logged when a new volume (e.g., a USB drive) is assigned a drive letter.

Details from Event:

  • Volume Name: Shows the drive letter assigned to the USB (e.g., E:).

  • Timestamp: Aligns with previous logs, marking when the USB was first recognized and assigned.

Example: An event at 08:05:10 AM logs that the USB was assigned the drive letter E:. Any file paths starting with E:\ will relate to this USB, providing context for further file access investigations.
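The correlation the three sections above describe, as an added Python example (not part of this lesson): it parses exported Windows event XML records, keeps Partition 1006, Kernel-PnP 400 and NTFS 142, and attaches the PnP and NTFS evidence to each connection by serial number and time window. The channel names, the EventData field names and the sample records are assumptions constructed for illustration and should be checked against the real events on the system under analysis.

```python
# Added example (not from the lesson). Channel and EventData field names are assumptions; verify them.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KINDS = {("Microsoft-Windows-Partition/Diagnostic", 1006): "connect",
         ("Microsoft-Windows-Kernel-PnP/Configuration", 400): "configured",
         ("Microsoft-Windows-Ntfs/Operational", 142): "letter"}

def _ev(channel, eid, when, **data):  # helper that builds one constructed XML record
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Channel>{channel}</Channel>'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample input (deliberately out of order) mirroring the lesson's example times.
SAMPLE = [
    _ev("Microsoft-Windows-Ntfs/Operational", 142, "2024-03-01T08:05:10Z", VolumeName="E:"),
    _ev("Microsoft-Windows-Kernel-PnP/Configuration", 400, "2024-03-01T08:05:07Z",
        DeviceInstanceId="USBSTOR\\DISK&amp;VEN_SANDISK&amp;PROD_ULTRA\\123456789&amp;0",
        ClassGuid="{4d36e967-e325-11ce-bfc1-08002be10318}"),
    _ev("Microsoft-Windows-Partition/Diagnostic", 1006, "2024-03-01T08:05:07Z",
        SerialNumber="123456789", Manufacturer="SanDisk", Model="SanDisk Ultra", Capacity="31004295168"),
]

def parse_event(xml_text):
    """Extract channel, event id, UTC timestamp and the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    when = root.find("e:System/e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {"channel": root.findtext("e:System/e:Channel", namespaces=NS),
            "id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "time": datetime.fromisoformat(when),
            "data": {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}}

def correlate(xml_records, window=timedelta(seconds=30)):
    """One record per Partition 1006 event, enriched with the matching PnP 400 and NTFS 142 events."""
    by_kind = {k: [] for k in KINDS.values()}
    for e in map(parse_event, xml_records):
        if (e["channel"], e["id"]) in KINDS:
            by_kind[KINDS[(e["channel"], e["id"])]].append(e)
    out = []
    for c in sorted(by_kind["connect"], key=lambda e: e["time"]):
        serial, t = c["data"].get("SerialNumber", ""), c["time"]
        pnp = [p for p in by_kind["configured"] if serial and abs(p["time"] - t) <= window
               and serial in p["data"].get("DeviceInstanceId", "")]  # same device, same moment
        ntfs = [n for n in by_kind["letter"] if timedelta(0) <= n["time"] - t <= window]
        out.append({"serial": serial, "model": c["data"].get("Model"), "connected": t,
                    "class_guid": pnp[0]["data"].get("ClassGuid") if pnp else None,
                    "drive_letter": ntfs[0]["data"].get("VolumeName") if ntfs else None})
    return out
```

Each returned record gives the serial, model, Class GUID and drive letter for one connection, so the E:\ paths found later (for example in Shellbags) can be tied back to a specific device and time.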

Why These Logs Matter

  • Partition Logs confirm device details.

  • Kernel-PnP Logs verify device connections and disconnections.

  • NTFS Logs provide the drive letter associated with the USB, aiding in tracking file access on the device.

Next Steps

In the next lesson, we’ll delve into Folder Access Analysis via Shellbags, using file and folder paths (like those beginning with E:\) to understand the USB's usage and assess its content.
