Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Picture this. You're at your desk, right and a coworker
hands you a flash drive with a presentation on it.
Speaker 2 (00:06):
It happens all the time, exactly.
Speaker 1 (00:07):
So you plug it into your computer, you hear that
familiar little hardware chime, got them, Yeah, that exact sound
and then you drag the file onto your desktop. You
pull the drive out and hand it back. It feels
totally like ephemeral, like a quick digital handshake, right in
and out. The drive is unmounted, the transaction is over,
and your system resources just go back to whatever they
(00:28):
were doing. But here's the thing. That brief connection wasn't temporary.
Speaker 2 (00:34):
At all, not even a little bit.
Speaker 1 (00:36):
The absolute second you interface that drive with your system,
the operating system generated this permanent, highly detailed footprint very
deep inside its configuration files.
Speaker 2 (00:47):
And it's all driven by caching and you know optimization.
I mean, the operating system doesn't want to reinstall the
whole driver stack from scratch the very next time you
plug that exact piece of hardware.
Speaker 1 (00:57):
It wants to save time exactly.
Speaker 2 (00:58):
It wants to minimize latency, so it saves the hardware profile.
And the byproduct of that efficiency is this massive persistent
log of literally every external device that has ever touched
the machine.
Speaker 1 (01:11):
So today, our mission for this deep dive is to
follow those exact footprints. We're going to uncover the hidden
history of external devices mounted on a Windows machine. We'll
explore the actual digital breadcrumbs left behind, the mechanics of
you know, why they exist in the first place, and
how forensic investigators use them to basically solve mysteries.
Speaker 2 (01:31):
And what's fascinating here is the why behind the forensic
side of things. Right in an investigation, say a cybersecurity
incident or something, the actual data on a drive might
be gone, the physical drive itself might be at the
bottom of a lake somewhere literally gone. Yeah, but establishing
just the sheer presence of that hardware on a specific
computer at a given time that allows investigators to link
(01:53):
a specific USB drive found at a crime scene directly
back to a suspect's machine.
Speaker 1 (01:58):
The machine remembers it.
Speaker 2 (02:00):
Retains the ghost of the hardware, and that is often
enough to completely crack a timeline wide open.
Speaker 1 (02:05):
Okay, let's unpack this because to track these artifacts, we
have to understand what exactly is leaving them. We need
to look at how Windows actually categorizes these devices when
they get plugged in, right.
Speaker 2 (02:17):
Because not all USBs are treated the same by the
system exactly.
Speaker 1 (02:20):
When we're evaluating these endpoints, we're basically looking at three
main types. You've got your standard USB mass storage devices,
removable storage, and then MTP, which stands for Media Transfer
Protocol devices, right.
Speaker 2 (02:33):
And MTP devices are usually things like your digital cameras
or your smartphones.
Speaker 1 (02:37):
And the specific type of device dictates exactly which drivers
Windows installs. It's almost like, well, think of it
like different vehicles pulling into a secure facility like that. Yeah, so,
like a massive delivery truck which would be your mass
storage device, gets a totally different level of logging and
a different driver assigned to handle it than say a
(02:59):
visitor rolling up on a bicycle, which would be
the MTP device.
Speaker 2 (03:02):
That's a great analogy because of those different drivers acting
as escorts. The evidence isn't just dropped in one neat
little folder. Examiners actually have to collect details from multiple
scattered locations across a Windows machine to piece together the
full story.
Speaker 1 (03:16):
Which logically brings up the big question, Yeah, so where
exactly is this information hiding?
Speaker 2 (03:22):
Mostly we were talking about the Windows registry.
Speaker 1 (03:24):
The registry the system's hidden guestbook exactly.
Speaker 2 (03:28):
It tracks mounted volumes, it assigns drive letters. It literally
records everything USB, CD-ROMs, memory cards, cameras.
Speaker 1 (03:36):
So let's do a step by step walkthrough of those
for you listening, because it gets pretty granular. Let's start
with the master ledger, which is the USBSTOR key.
That's USBSTOR, the anchor point, right. The moment a storage
device connects. A subkey is created here. It tracks the vendor,
the brand, and critically the unique serial number of the device.
Speaker 2 (03:57):
And inside that serial number key, Windows records the very
first time that specific device was attached and the very
last time it was.
Speaker 1 (04:04):
Attached, which is huge for building a timeline. But wait,
if I plug in ten different USB sticks over the
course of a month, won't the system get confused about
which one was like drive E or whatever.
Speaker 2 (04:16):
Well, that transitions us to the next key, which is
mounted devices, And you just hit on a very real
forensic hurdle. Oh really, yeah. The MountedDevices key
is what allows investigators to match that serial number we
just found to the specific drive letter the system assigned it, so.
Speaker 1 (04:31):
It links the serial number to E.
Speaker 2 (04:34):
Or F exactly. But to answer your question, yes, the
system reuses drive letters, so the mapped drive letter in
MountedDevices will only display the serial number for the
most recently mounted device.
Speaker 1 (04:47):
Ah, so it overwrites the older ones to save space.
Speaker 2 (04:50):
It does. It drops the historical allocations, so if you had
ten drives using E, you're only seeing the last one there.
Speaker 1 (04:55):
Okay, so you have the hardware ID, the serial number,
the drive letter, but none of that tells me who
was actually sitting at the keyboard, Like what if it's
a shared family computer or a shared server.
Speaker 2 (05:04):
And that is why we have the MountPoints2
key. MountPoints2, yes, this one is crucial. The other keys
are global, right, but MountPoints2 is stored in the
individual NTUSER.DAT hive for each user.
Speaker 1 (05:18):
Profile. NTUSER.DAT. Right, it.
Speaker 2 (05:22):
Lists the device IDs connected by a particular user. So
an investigator might have to dig through every single user
profile on that machine to figure out exactly who was
logged in and active when that drive was plugged in. Wow.
Speaker 1 (05:33):
Okay, so it's a multi stage process. And then I
think there's one more piece to the puzzle, right, the
system hive.
Speaker 2 (05:38):
Yes, the system hive provides the vendor and product ID,
and investigators use its last write time on the serial
number key to definitively confirm the last connected time.
Speaker 1 (05:48):
Okay, So for anyone wanting to know exactly where this
master driver file lives on their machine, I'll spell out
the path slowly. You go to your C drive, so
C colon backslash, then the Windows folder backslash, System thirty
two backslash, drivers backslash, and finally usbstor dot sys.
That's the one but, and this is a massive but
(06:08):
for anyone thinking about looking into this on a live machine,
there is a huge practical caveat here.
Speaker 2 (06:12):
Like absolutely the observer effect.
Speaker 1 (06:14):
Yes, explain what happens if an investigator just walks up
to a suspect's laptop and plugs in their own USB
drive full of diagnostic tools.
Speaker 2 (06:23):
It is a rookie mistake because the very act of
inserting the investigator's USB overwrites the environment they're trying to investigate.
Speaker 1 (06:31):
The system treats the diagnostic drive just like any other
drive exactly.
Speaker 2 (06:35):
It generates a new USB store entry, updates the last
connected timestamps in the system hive, and potentially overwrites that
MountedDevices key we just talked about by seizing
a drive.
Speaker 1 (06:46):
Letter, you literally destroy the evidence by trying to read it.
Speaker 2 (06:49):
You do, which is why you can't just run tools
from a USB on a live system. If you care
about forensic integrity, you have to safely extract the raw
registry hives and analyze them offline.
Speaker 1 (06:59):
Okay, So on that risk of altering evidence, let's talk
about how we actually view this data safely without like
manually digging through thousands of lines of raw registry code.
Speaker 2 (07:08):
Nobody wants to do that manually.
Speaker 1 (07:09):
No way, and that brings us to a specific super
popular utility called USBDeview.
Speaker 2 (07:14):
Ah, USBDeview, created by NirSoft. It's a lifesaver.
Speaker 1 (07:18):
Yeah. So for you listening picture this, you download it
through a browser like Chrome on Windows ten and just
unzip it with 7-Zip or WinRAR.
Speaker 2 (07:27):
And the beauty of it is that it requires absolutely
zero installation, right, it has.
Speaker 1 (07:32):
No installation footprint at all. You just run the executable
and boom, this incredibly detailed color coded list appears.
Speaker 2 (07:39):
And that color coding system is what accelerates the whole
triage process.
Speaker 1 (07:43):
Let's walk through the colors. You don't even need to
see the screen to get this. First, you have the gray.
Speaker 2 (07:48):
Lines the ghosts of the past.
Speaker 1 (07:50):
Right, devices that were connected previously but they are not
currently plugged into the machine.
Speaker 2 (07:54):
Then you have green that means the device is currently
plugged in and actively mounted. Basically, it's safe to physically
unplug without digitally disconnecting.
Speaker 1 (08:02):
And finally, red lines those represent disabled devices stuff the
operating system has explicitly shut off. It's so intuitive, it
really is, and it's not just colors. By virtually double
clicking any device on that list, you get the actionable
data the last plug and unplugged dates, which is vital
for building a crime timeline, the drive letter, and the
(08:24):
serial number. It aggregates everything from USBSTOR and MountedDevices
devices into one clean matrix.
Speaker 2 (08:31):
But and if we connect this to the bigger picture,
parsing tools are only as reliable as your understanding of
the quirks of the operating system.
Speaker 1 (08:39):
Yeah, you mentioned there's a trap here with the created
date metric.
Speaker 2 (08:42):
It is a massive trap for a rookie investigator. So
the created date usually means the exact time you first
plug the device into a USB port.
Speaker 1 (08:51):
Right, makes sense the first time the system sees it.
Speaker 2 (08:53):
Right, But on a legacy architecture, specifically a Windows 7 machine,
which, believe it or not, is still everywhere in legacy
enterprise environments, that created date value is completely reinitialized
with the current date and time every single time the
system reboots.
Speaker 1 (09:08):
Wait, really every time it restarts.
Speaker 2 (09:09):
Every single time, the kernel basically rebuilds the device tree
if the hardware isn't actively communicating.
Speaker 1 (09:15):
Oh man, So an investigator could look at USBDeview, see
a created date of this morning and assume the USB
was just plugged in today.
Speaker 2 (09:25):
Exactly, completely missing the fact that the actual initial intrusion
happened like six months ago.
Speaker 1 (09:31):
That is wild. You really have to know the underlying
OS behavior. But here's where it gets really interesting with
USBDeview because it's not just a passive read only tool
for looking at forensic data.
Speaker 2 (09:43):
Right. It has active capabilities.
Speaker 1 (09:44):
Yeah, you can actually use it to uninstall, disconnect, or
completely disable devices directly from the interface. It gives you
administrative control over the system's hardware state.
Speaker 2 (09:54):
Which is super useful for system admins. Yeah, if you
have stale driver nodes causing conflicts, you can just forcefully
prune the registry of historical devices. It forces the OS
to treat a known device as brand new the next
time you plug it in.
Speaker 1 (10:06):
So it's both a microscope and a scalpel. Okay, we
have covered a massive amount of ground today. We've traced
the entire life cycle of a physical connection, from the
hardware categories down to the registry keys and the tools
used to aggregate the data safely.
Speaker 2 (10:19):
The architecture is dense, yeah, but it leaves a highly
reliable audit trail if you know where to look exactly.
Speaker 1 (10:26):
So let's do a quick review session to test what
you've learned today. Think of it as an auditory pop quiz.
Speaker 2 (10:31):
Let's do it.
Speaker 1 (10:31):
Okay, listener, here's your scenario. You are analyzing an offline
registry hive. You've already found the unique serial number of
a suspicious USB drive. Now which registry key allows investigators
to match that device serial number to the specific drive
letter or volume that was mounted when the USB was inserted?
Speaker 2 (10:50):
A, MountedDevices; B, MountedDrives; C, MountPoints2;
or D, MountDisks2.
Speaker 1 (10:57):
Think about which key handles the volume manager's routing table.
Speaker 2 (11:01):
What's the answer.
Speaker 1 (11:01):
The answer is A, the MountedDevices key.
Speaker 2 (11:04):
Right, and just remind you why B and D don't
even exist.
Speaker 1 (11:07):
We just made those up right, They are completely fabricated
and C, MountPoints2, that's the one stored in
the NTUSER.DAT hive that tells you which
specific user was logged in. It establishes the who, but
it doesn't give you the system wide drive letter mapping.
Speaker 2 (11:22):
You have to correlate the hardware configuration with the user
session to actually prove intent exactly.
Speaker 1 (11:27):
To sum it all up, knowing exactly which drives were
connected to a specific machine is the key to linking
a physical device found at a crime scene to a
digital footprint. You can solve the case even when the
local machine has absolutely zero actual file data left on it.
The structure of the operating system itself is the ledger.
Speaker 2 (11:47):
It really is. So I'll leave you with a final
provocative thought, something to really mull over. Oh, this is a
good one. We talked entirely about local registries today, but
think about how deeply integrated modern Windows operating systems are
with the cloud. Now. Windows ten and eleven aggressively sync configuration, data, preferences,
and system states to Azure and linked Microsoft accounts.
Speaker 1 (12:09):
All the time for seamless cross device experiences.
Speaker 2 (12:12):
Exactly so, if your local registry hives are continuously being
backed up and synchronized to the cloud, does the forensic
footprint of that brief USB connection actually remain confined to
your local hardware?
Speaker 1 (12:23):
Probably not right?
Speaker 2 (12:24):
Or is your localized hardware history now permanently etched into
a remote, distributed cloud ledger sitting on a server somewhere
totally accessible long after you've thrown that physical laptop into
a recycler. Next time you borrow a friend's flash drive, plug
your phone into a public library computer, or snap a
camera into a work laptop, just remember your digital fingerprint
(12:45):
might be a lot bigger and a lot more permanent
than you think, and who might be looking for it.