USN History

A place to discuss data and privacy protection, file and disk wipe, computer cleaning, and removing traces of user activity with R-Wipe & Clean.
Forum rules
Discussion on the R-Wipe & Clean and R-Crypto software

USN History

Post by rwiper » Tue Apr 07, 2020 1:42 pm

Can you add cleaning list?

Windows keeps a history log of all previously connected USB devices along with their connection times in addition to the associated user account which installs them. When a USB removable storage device, such as a thumb drive, is connected to a Windows system, footprints or artifacts are left in the Registry.

Windows stores USB history-related information using five registry keys, where each key offers a different piece of information about the connected device. By merging this information together, investigators will have an idea of how an offender has used removable devices—such as a USB—to conduct/facilitate his/her actions.

Here you will find all USB devices that have been plugged into the operating system since its installation. It shows the USB vendor ID (manufacturer name), product ID, and the device serial number (note that if the second character of the device serial number is “&,” it means the connected device does not have a serial number and the device ID has been generated by the system).

The MountedDevices subkey stores the drive letter allocations; it matches the serial number of a USB device to a given drive letter or volume that was mounted when the USB device was inserted.

This key will record which user was logged into Windows when a specific USB device was connected. The key also includes the “Last Write Time” for each device that was connected to the system.

This key holds technical information about each connected USB device in addition to the last time the subject USB was connected to the investigated computer.



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt