USB Registry Key

Introduction

The Windows Registry holds critical information about USB devices connected to a system. This data is invaluable in forensic investigations, providing insights into when and what types of USB devices were used. By analyzing specific registry keys, investigators can establish timelines, correlate events, and detect unauthorized activity.


Key Registry Locations for USB Forensics

1. USBSTOR Key

Registry Path: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Information Stored:

  • Device Model and Version: Identifies the manufacturer and model.

  • Serial Number: Unique serial number assigned to the device by Windows.

  • Friendly Name: A descriptive name that may indicate the device’s owner or purpose.

  • Container ID: A unique identifier linking the device to other events or logs.

Navigating USBSTOR:

  1. Open Registry Explorer.

  2. Load the SYSTEM hive.

  3. Navigate to USBSTOR and expand the subkeys.

    • Each subkey corresponds to a specific device.

    • Subkey names often reflect the device’s serial number.

Timestamps:

  • Connection Time:

    • Navigate to Properties -> subkey starting with 83daxxx -> 0064 key.

  • Disconnection Time:

    • Look under the same Properties subkey -> 0066 key.

Note: These timestamps are recorded in UTC and are critical for building a timeline of USB activity.
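As an added example (not code from this page or from Registry Explorer): once the USBSTOR subkeys and the 0064/0066 property values have been pulled from a SYSTEM hive, the raw FILETIME bytes still have to be decoded into UTC and the entries ordered into a timeline. The Python below does that over a constructed sample (device names, serials and timestamps are made up; the 0064 = connection, 0066 = disconnection mapping is taken from the page as given) and also flags serial subkeys that Windows generated because the device reported none.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property value names the page maps to connection (0064) and disconnection (0066); stored as FILETIME.
CONNECT_PROP, DISCONNECT_PROP = "0064", "0066"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601) to UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_utc; only used here to build the constructed sample."""
    return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)

def parse_device_key(name: str) -> dict:
    """Split 'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00' into type/ven/prod/rev."""
    parts = name.split("&")
    fields = {"type": parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition("_")
        fields[key.lower()] = value
    return fields

def serial_is_windows_generated(serial_key: str) -> bool:
    """'&' as 2nd char: the device reported no serial and Windows synthesised one,
    so the value does not uniquely identify the physical device."""
    return len(serial_key) > 1 and serial_key[1] == "&"

def build_timeline(usbstor: dict) -> list:
    """usbstor: device key -> serial key -> {value name: raw FILETIME bytes}; returns sorted rows."""
    rows = []
    for dev_key, serials in usbstor.items():
        dev = parse_device_key(dev_key)
        label = f"{dev.get('ven', '?')} {dev.get('prod', '?')}"
        for serial, props in serials.items():
            for prop, event in ((CONNECT_PROP, "connected"), (DISCONNECT_PROP, "disconnected")):
                if prop in props:
                    rows.append((filetime_to_utc(props[prop]), event, label, serial))
    return sorted(rows)

# Constructed sample (not from a real hive): one device-supplied serial, one Windows-generated.
def _ts(*a): return utc_to_filetime(datetime(*a, tzinfo=timezone.utc))
SAMPLE = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
        "4C530001230419115532&0": {CONNECT_PROP: _ts(2024, 3, 15, 8, 30), DISCONNECT_PROP: _ts(2024, 3, 15, 9, 5)}},
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        "7&2d1a0f3&0&_&0": {CONNECT_PROP: _ts(2024, 3, 14, 17, 45)}},
}
```

Feed `build_timeline` the values read from each serial subkey's Properties branch and the rows line up directly against event-log and file-system timestamps, which are also UTC.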

2. USB Key

Registry Path: HKLM\SYSTEM\CurrentControlSet\Enum\USB

Information Stored:

  • Device Type: Identifies the type of device (e.g., storage, input device).

  • Service Type: Indicates the driver or service associated with the device:

    • disk for storage devices.

    • BTHUSB for Bluetooth devices.

Example:

  • Bluetooth Adapter:

    • Service: BTHUSB

    • Description: Confirms it’s a Bluetooth device.

  • USB Storage Device:

    • Service: disk

    • Description: Confirms it was an external drive or flash drive.


Practical Use in Investigations

1. Identifying Devices

  • Determine specific USB devices that were connected to the system.

  • Gather details such as model, serial number, and device type.

2. Correlating Events

  • Use connection and disconnection timestamps to correlate with:

    • Event logs.

    • File access or modification times.

    • Network activity logs.

3. Insider Threat Detection

  • Detect unauthorized USB usage, particularly in scenarios involving:

    • Data exfiltration.

    • Unauthorized use of external storage devices.

4. Linking to Other Artifacts

  • Use Container IDs to correlate registry entries with:

    • Event logs.

    • File system changes.

    • Volume Shadow Copies.


Key Points

  • USBSTOR:

    • Provides detailed information about external storage devices, including timestamps, serial numbers, and Container IDs.

  • USB:

    • Lists all USB devices and their respective service types.

  • Timestamps:

    • Help establish forensic timelines, which are crucial for understanding the context of USB device usage.

By leveraging these registry keys, investigators can gain valuable insights into USB activity, reconstruct user actions, and detect potential security breaches.