If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.

When you plug in your USB drive, the Plug and Play (PnP) manager is notified and queries the device descriptor in the device's firmware for information about it. This helps it locate a driver, which is referenced by the various .inf files in the %SystemRoot%\inf folder. Once the device is identified and a driver selected, the information is written to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR under a key with a format similar to Disk&Ven_###&Prod_###&Rev_###, which identifies the device type, the vendor, the product and its revision. An important value you will find here is the ParentIdPrefix (the "ParentID prefix"), which I did not actually mention during the segment, but it is something that will appear in virtually every registry entry regarding the device.

Microsoft uses the device's serial number to distinguish between devices with the same manufacturer and model. If the serial number is not unique (or not present at all), the PnP manager creates a unique instance ID for the device instead.

All of the identifiers you find related to each device should be logged if you're doing any sort of investigation or trying to track a device across computers.

If you're trying to determine whether data was perhaps pilfered from your machine or network, look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses. There you will find the ParentIdPrefix, which lets you correlate the entry with the device; you should also see the manufacturer name here. What we are after is the key's Last Write time, which helps in determining whether data was pilfered by giving you a timeframe for when someone last copied data to the device. To get it, right-click the entry that has the ParentIdPrefix and manufacturer name of the device you want, then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. Open that file and you will find the Last Write time.
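As an added example (not code from the original post, and not from Harlan Carvey's book or tools), here is a small Python script that does the two parsing jobs described above offline: it splits a USBSTOR device path (Disk&Ven_###&Prod_###&Rev_###\<instance ID>) into vendor, product, revision and serial, flags instance IDs the PnP manager generated for devices that had no unique serial (those carry an "&" as their second character), and reads the Last Write Time out of a regedit text export of a DeviceClasses key so you can pull the timeframe for a given serial without opening each export by hand. The export text, the vendor, the serial number and the date are constructed samples; the GUID is the disk device interface class GUID that USBSTOR disks are registered under. One caveat worth keeping in mind: the Last Write time is the key's modification time, so read it as the last time Windows updated that entry, not as direct proof that files were copied.

```python
"""Parse Windows XP USBSTOR device paths and regedit .txt exports.

Added example; the sample export below is constructed to mirror what
regedit's "Export" as a Text File produces for one DeviceClasses subkey.
"""
import re
from datetime import datetime

# Constructed sample export (vendor, serial and date are invented).
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\##?#USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#0123456789AB&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   6/14/2009 - 10:32 AM
Value 0
  Name:            DeviceInstance
  Type:            REG_SZ
  Data:            USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\0123456789AB&0
"""

# Device ID portion of a USBSTOR key: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
DEVICE_ID_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def parse_device_path(path):
    """Split USBSTOR\\<device id>\\<instance id> into its forensic fields."""
    parts = path.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        raise ValueError("not a USBSTOR path: %r" % path)
    match = DEVICE_ID_RE.match(parts[1])
    if not match:
        raise ValueError("unexpected device id: %r" % parts[1])
    instance = parts[2]
    return {
        "vendor": match.group("vendor"),
        "product": match.group("product"),
        "revision": match.group("rev"),
        "instance_id": instance,
        # The serial is the instance id without its trailing "&<n>" suffix.
        "serial": instance.rsplit("&", 1)[0],
        # A PnP-generated instance id (no usable serial on the device)
        # has "&" as its second character, e.g. "6&1a2b3c4d&0".
        "serial_generated": len(instance) > 1 and instance[1] == "&",
    }


def parse_text_export(text):
    """Return one record per key in a regedit text export: the key name,
    its Last Write Time (as datetime) and its DeviceInstance value if any."""
    records = []
    current = None
    pending_name = None
    for line in text.splitlines():
        if line.startswith("Key Name:"):
            current = {"key": line.split(":", 1)[1].strip(),
                       "last_write": None, "device_instance": None}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("Last Write Time:"):
            raw = line.split(":", 1)[1].strip()          # "6/14/2009 - 10:32 AM"
            current["last_write"] = datetime.strptime(raw, "%m/%d/%Y - %I:%M %p")
        elif line.strip().startswith("Name:"):
            pending_name = line.split(":", 1)[1].strip()
        elif line.strip().startswith("Data:") and pending_name == "DeviceInstance":
            current["device_instance"] = line.split(":", 1)[1].strip()
            pending_name = None
    return records


def last_write_for_serial(records, serial):
    """Most recent Last Write Time among keys whose DeviceInstance carries
    the given serial, or None when the serial is not in the export."""
    hits = []
    for rec in records:
        if rec["device_instance"] is None or rec["last_write"] is None:
            continue
        if parse_device_path(rec["device_instance"])["serial"] == serial:
            hits.append(rec["last_write"])
    return max(hits) if hits else None


if __name__ == "__main__":
    recs = parse_text_export(SAMPLE_EXPORT)
    for rec in recs:
        print(rec["key"])
        print("  last write:", rec["last_write"])
        print("  device:    ", parse_device_path(rec["device_instance"]))
    print("timeframe for 0123456789AB:", last_write_for_serial(recs, "0123456789AB"))
```

Point the script at a real export by reading the saved .txt file into `parse_text_export` instead of `SAMPLE_EXPORT`; regedit writes these exports as UTF-16, so open the file with that encoding. The same record loop works for the USBSTOR keys under Enum, where the ParentIdPrefix value can be captured the way DeviceInstance is here.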

There are many applications for this data, and you'll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free, that simplify all of this. This data is also used by tools and services that help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they're stolen.

If you have any questions, feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might've errantly said 2005, sorry); without this book I wouldn't have known as much as I do about the Windows registry.

–Chris Gerling Jr.


4 Comments

  • rami_info 3 years ago

    Hi hak5 team

    Could you please tell me the code of the last Hak5 episode? I'm really jumbled; I downloaded all of them but I've forgotten the last episode number.

    Waiting for reply

    Thnx a lot for everything

  • USBDeview is a program that does USB tracking and more.

  • yashu maheshwari 1 year ago

    Can you tell me how I can steal the material present in a USB drive without asking anyone after removing the pen drive plzzzzzzzzzzzzzzz??????????????????

  • My computer is connected to a large LAN network. I am a student and have done a project on a company's PC. I want to copy the pro file but they have port security, so the computer does not detect any device on any external port. I thought of unplugging the LAN cable but it is still not working.
    Please can you suggest a way to make USB readable on those protected ports. Also, if somehow I copy files, will it show what I have copied and how much? My file size is 1.2 GB.