USB History Cleaning

A place to discuss data and privacy protection, file and disk wipe, computer cleaning, and removing traces of user activity with R-Wipe & Clean.
Discussion on the R-Wipe & Clean and R-Crypto software

Post by rwiper » Fri Jan 24, 2020 5:07 am

Please Do, R-Wipe Team.

Windows keeps a history log of all previously connected USB devices along with their connection times in addition to the associated user account which installs them. When a USB removable storage device, such as a thumb drive, is connected to a Windows system, footprints or artifacts are left in the Registry.

Windows stores USB history-related information using five registry keys, where each key offers a different piece of information about the connected device. By merging this information together, investigators will have an idea of how an offender has used removable devices—such as a USB—to conduct/facilitate his/her actions.


[img]https://i0.wp.com/netseedblog.com/wp-content/uploads/2020/01/USBSTOR.png[/img]


[b]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR[/b]
Here you will find all USB devices that have been plugged into the operating system since its installation. It shows the USB vendor ID (manufacturer name), product ID, and the device serial number (note that if the second character of the device serial number is “&,” it means the connected device does not have a serial number and the device ID has been generated by the system).

[b]HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices[/b]
The MountedDevices subkey stores the drive letter allocations; it matches the serial number of a USB device to a given drive letter or volume that was mounted when the USB device was inserted.


[b]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2[/b]
This key will record which user was logged into Windows when a specific USB device was connected. The key also includes the “Last Write Time” for each device that was connected to the system.


[b]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB[/b]
This key holds technical information about each connected USB device in addition to the last time the subject USB was connected to the investigated computer.

+

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\UsbFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
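
An added example, not part of the original post and not R-Wipe & Clean code: a Python sketch of how an examiner could read the USBSTOR subkey names described above and apply the "second character is &" rule to tell device serial numbers from system-generated IDs. The key paths are constructed sample data, and stripping the trailing "&<n>" suffix from the instance ID to obtain the serial is an assumption of this example.

```python
import re

# Constructed sample: key paths as they might appear in a registry export.
# Vendor, product and serial values are made up for illustration.
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567891011&0",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f1a9c3d&0",
    # Device-class key without an instance subkey: not a device record.
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    r"\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP",
    r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices",
]

USBSTOR_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR" + "\\"
DEVICE_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$"
)


def parse_usbstor_key(path):
    """Return a dict for a USBSTOR instance key, or None if the path is not one."""
    if not path.upper().startswith(USBSTOR_PREFIX.upper()):
        return None
    parts = path[len(USBSTOR_PREFIX):].split("\\")
    if len(parts) != 2:  # expect <device id>\<instance id>
        return None
    match = DEVICE_RE.match(parts[0])
    if match is None:
        return None
    instance = parts[1]
    # Rule from the post: '&' as the second character means the device has no
    # serial number and Windows generated the ID itself.
    generated = len(instance) > 1 and instance[1] == "&"
    # Assumption: the text after the last '&' is a suffix, not part of the serial.
    serial = None if generated else instance.rsplit("&", 1)[0]
    record = match.groupdict()
    record.update(instance_id=instance, serial=serial, system_generated=generated)
    return record


def summarize(paths):
    """Parse every path and keep only the USBSTOR device records."""
    return [rec for rec in map(parse_usbstor_key, paths) if rec is not None]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_KEYS):
        print(rec)
```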