- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Prove exactly which USB drives, phones, cameras, and external SSDs were connected to a Windows computer, when, and by which user β the backbone of trade-secret theft and data-exfiltration cases.
Quick Answer. USB forensics on Windows combines the SYSTEM hive (USBSTOR, USB, MountedDevices), the SOFTWARE hive (Windows Portable Devices, EMDMgmt on legacy Windows), C:\Windows\INF\setupapi.dev.log for first-plug driver install, per-user NTUSER.DAT MountPoints2 for account attribution, LNK/jump-list references with the volume serial, USN journal entries showing volume-add operations, and event log entries 20001/20003 (device install) plus 6416 (removable device recognized). Together these establish the make, model, unique serial number, drive letter, volume label, first connect time, last connect time, and the specific user account that mounted it.
| Artifact | Location | What it establishes |
|---|---|---|
| USBSTOR | SYSTEM\CurrentControlSet\Enum\USBSTOR | Vendor, product, revision, unique serial number for each USB mass-storage device ever attached |
| USB (non-storage) | SYSTEM\CurrentControlSet\Enum\USB | Phones (MTP), cameras, printers, HID devices, and hubs |
| MountedDevices | SYSTEM\MountedDevices | Maps drive letters and volume GUIDs to per-device signatures |
| Portable Devices | SOFTWARE\Microsoft\Windows Portable Devices\Devices | Friendly name as shown to the user (“KINGSTON”, “Samsung T7”) |
| MountPoints2 | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | Attributes the volume GUID to a specific user profile |
| setupapi.dev.log | C:\Windows\INF\setupapi.dev.log | First-ever driver install for a given device with timestamp |
| Event 20001 / 20003 | System.evtx (Plug-and-Play) | Device install event |
| Event 6416 | Security.evtx | New external device recognized by the OS |
| LNK files & jump lists | Recent\, AutomaticDestinations\ | Records opening files from the removable drive’s letter with volume serial |
USBSTOR and USB subkeys and extract the device serial (the innermost subkey name). Non-compliant devices show an & in the serial position β noted in the report.USBSTOR\Ven_Prod_Rev\Serial\ and its Properties\{83da...}\0064/0066/0067 values, which decode to first-installed, last-connected, and last-removed FILETIMEs on Windows 8 and later.setupapi.dev.log for the first plug-in on that machine.MountedDevices, then find that same GUID under a user’s MountPoints2 to attribute the mount to a specific account.Under SYSTEM\CurrentControlSet\Enum\USBSTOR\...\Properties\{83da6326-97a6-4088-9453-a1923f573b29}, three subkeys decode to critical timestamps:
These are stored as raw 8-byte FILETIME little-endian binary values and are among the most durable artifacts on the system β they survive registry cleaners and are effectively invisible to end users.
Without a user attribution step, USB history proves only that a device touched the machine β not who plugged it in. The decisive artifact is MountPoints2 inside each user’s NTUSER.DAT. When a user’s session mounts a volume, Windows writes a subkey named after the volume GUID under that user’s MountPoints2. Cross-matched to MountedDevices, this ties the physical device to a named human account.
Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.
Sometimes. Files copied out leave LNK/jump-list entries on the source machine, USN CREATE + CLOSE with the target volume serial, and RecentDocs entries. If the USB drive is later imaged, the analysis becomes definitive.
The Windows side alone still establishes make, model, serial, first/last connect, user attribution, and β via LNK and jump lists β the specific files opened from that drive.
The device still appears in USBSTOR and MountPoints2. Encryption prevents recovery of the device’s contents if seized, but does not hide the connection history from the Windows host.
Phones appear under SYSTEM\Enum\USB (not USBSTOR) and under Windows Portable Devices\Devices with their friendly name (“iPhone,” “Pixel 8”). MTP file transfers still generate Explorer LNK activity and jump-list entries where files were opened.
Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant