USB Forensics

To make this tutorial actionable, here are the exact commands you saw in your screenshot, organized by the forensic phase they satisfy. You can copy and paste these into an Administrative Command Prompt.

Phase 1: Identify the Hardware

Goal: Extract the unique Serial Number of the device to prove its physical identity.

List all USB history:

reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Get specific device details (Serial Number):

reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_"

Phase 2: Map to a Drive Letter

Goal: Determine which drive letter (E:, F:, G:) the device was assigned so you can track file activity.

View drive letter assignments:

reg query HKLM\SYSTEM\MountedDevices

Note: Look for the hex data in \DosDevices\F: that matches the ParentIdPrefix or Serial Number found in Phase 1.

We need to convert hex to ADCII and match serial numbers

Hex to String | Hex to ASCII Converterwww.rapidtables.com

Phase 3: Establish the Timeline

Goal: Find the exact date and time the device was first or most recently connected.

Query Driver Logs for USB activity:

wevtutil qe Microsoft-Windows-DriverFrameworks-UserMode/Operational /f:text | findstr /i "USB"

or if does not work

findstr /i "USBSTOR" C:\Windows\INF\setupapi.dev.log

Or even better

findstr /i /B ">>> USBSTOR" C:\Windows\INF\setupapi.dev.log

Phase 4: Verify Current State

Goal: Check if the device is currently "Live" (plugged in right now) and see its Volume Name.

List active removable disks:

wmic logicaldisk where drivetype=2 get deviceid, volumename, description

PreviousMemory Forensics NextADS

Last updated 2 months ago

hashtagPhase 1: Identify the Hardware

hashtagPhase 2: Map to a Drive Letter

hashtagPhase 3: Establish the Timeline

hashtagPhase 4: Verify Current State

Phase 1: Identify the Hardware

Phase 2: Map to a Drive Letter

Phase 3: Establish the Timeline

Phase 4: Verify Current State