If youâ€™ve ever used a USB storage device and wondered how stealthy you can be with them, youâ€™re in for a scare. Windows XP logs pretty much everything youâ€™d want to know about that USB key in the registry each time itâ€™s plugged in and written to.
When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced in the %SystemRoot%/inf folder by various .inf files. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR with a format similar to Disk&Ven_###&Prod_###&Rev_### which will identify the device ID, manufacturer and more. An important number you will find here is the ParentID prefix, which I did not actually say during the segment but this is something that will appear in virtually every registry entry regarding the device.
Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.
All of the numbers you find related to each device should be logged if youâ€™re doing any sort of investigation or trying to track a device across computers.
If youâ€™re trying to determine whether data was perhaps pilfered from your machine/network, you will want to look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses, where you will find the ParentID prefix and will be able to correlate to the device. You should also see the manufacturer name here. We are looking for the Last Write time which will help in determining whether data was pilfered by giving you a timeframe as to when someone last copied data to the device. In order to do this, youâ€™re going to right click on the entry that has the ParentID prefix and manufacturer name for the device you want, and then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. Upon opening this file up, you will find the last write time.
There are many applications for this data, and youâ€™ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free that will simplify all of this. This data is also used in tools/services which help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if theyâ€™re stolen.
If you have any questions feel free to contact meÂ here and visit myÂ website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I mightâ€™ve errantly said 2005, sorry) for without this book I wouldnâ€™t have known as much as I do about the windows registry.