USB Forensics Β· External Storage Attribution

USB Device and External Storage Forensics on Windows

Prove exactly which USB drives, phones, cameras, and external SSDs were connected to a Windows computer, when, and by which user β€” the backbone of trade-secret theft and data-exfiltration cases.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. USB forensics on Windows combines the SYSTEM hive (USBSTOR, USB, MountedDevices), the SOFTWARE hive (Windows Portable Devices, EMDMgmt on legacy Windows), C:\Windows\INF\setupapi.dev.log for first-plug driver install, per-user NTUSER.DAT MountPoints2 for account attribution, LNK/jump-list references with the volume serial, USN journal entries showing volume-add operations, and event log entries 20001/20003 (device install) plus 6416 (removable device recognized). Together these establish the make, model, unique serial number, drive letter, volume label, first connect time, last connect time, and the specific user account that mounted it.

The core USB artifact chain

ArtifactLocationWhat it establishes
USBSTORSYSTEM\CurrentControlSet\Enum\USBSTORVendor, product, revision, unique serial number for each USB mass-storage device ever attached
USB (non-storage)SYSTEM\CurrentControlSet\Enum\USBPhones (MTP), cameras, printers, HID devices, and hubs
MountedDevicesSYSTEM\MountedDevicesMaps drive letters and volume GUIDs to per-device signatures
Portable DevicesSOFTWARE\Microsoft\Windows Portable Devices\DevicesFriendly name as shown to the user (“KINGSTON”, “Samsung T7”)
MountPoints2NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2Attributes the volume GUID to a specific user profile
setupapi.dev.logC:\Windows\INF\setupapi.dev.logFirst-ever driver install for a given device with timestamp
Event 20001 / 20003System.evtx (Plug-and-Play)Device install event
Event 6416Security.evtxNew external device recognized by the OS
LNK files & jump listsRecent\, AutomaticDestinations\Records opening files from the removable drive’s letter with volume serial

Building a defensible USB timeline

  1. Enumerate USBSTOR and USB subkeys and extract the device serial (the innermost subkey name). Non-compliant devices show an & in the serial position β€” noted in the report.
  2. Extract subkey LastWrite for USBSTOR\Ven_Prod_Rev\Serial\ and its Properties\{83da...}\0064/0066/0067 values, which decode to first-installed, last-connected, and last-removed FILETIMEs on Windows 8 and later.
  3. Cross-reference setupapi.dev.log for the first plug-in on that machine.
  4. Resolve the volume GUID via MountedDevices, then find that same GUID under a user’s MountPoints2 to attribute the mount to a specific account.
  5. Correlate LNK files created around that timestamp β€” LNK stores the target volume’s serial number, so we can prove specific files were opened from the drive.
  6. Query the USN journal and event log 6416/20001 for the OS-level plug-in record.

Windows 8+ per-device timestamps

Under SYSTEM\CurrentControlSet\Enum\USBSTOR\...\Properties\{83da6326-97a6-4088-9453-a1923f573b29}, three subkeys decode to critical timestamps:

  • 0064 β€” First installed (device introduced to this OS)
  • 0066 β€” Last connected (most recent plug-in)
  • 0067 β€” Last removed (most recent safe removal / unplug)

These are stored as raw 8-byte FILETIME little-endian binary values and are among the most durable artifacts on the system β€” they survive registry cleaners and are effectively invisible to end users.

Attribution to a specific user account

Without a user attribution step, USB history proves only that a device touched the machine β€” not who plugged it in. The decisive artifact is MountPoints2 inside each user’s NTUSER.DAT. When a user’s session mounts a volume, Windows writes a subkey named after the volume GUID under that user’s MountPoints2. Cross-matched to MountedDevices, this ties the physical device to a named human account.

Common defense and prosecution questions

  • “Anyone could have plugged it in.” Combine MountPoints2 (per-user), Security 4624 LogonType 2 (interactive session at the same wall-clock time), and LNK file activity to defeat the argument.
  • “The serial number could be reused.” Vendor USB serials are, in practice, unique across a given VID/PID model. Where a serial appears blank or generic, the report flags reduced attribution weight.
  • “They were only browsing.” LNK, jump-list, and USN CREATE-then-CLOSE events for files with the removable drive’s volume serial defeat the “just browsed” claim.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you tell what files were copied to the USB?

Sometimes. Files copied out leave LNK/jump-list entries on the source machine, USN CREATE + CLOSE with the target volume serial, and RecentDocs entries. If the USB drive is later imaged, the analysis becomes definitive.

What if the USB drive is gone?

The Windows side alone still establishes make, model, serial, first/last connect, user attribution, and β€” via LNK and jump lists β€” the specific files opened from that drive.

Does BitLocker To Go change anything?

The device still appears in USBSTOR and MountPoints2. Encryption prevents recovery of the device’s contents if seized, but does not hide the connection history from the Windows host.

What about smartphones connected as MTP?

Phones appear under SYSTEM\Enum\USB (not USBSTOR) and under Windows Portable Devices\Devices with their friendly name (“iPhone,” “Pixel 8”). MTP file transfers still generate Explorer LNK activity and jump-list entries where files were opened.

Ready to move on your usb device and external storage matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: USBSTOR registry key. learn.microsoft.com
  2. Microsoft: setupapi.dev.log. learn.microsoft.com
  3. SANS: USB Forensics Poster. www.sans.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#USBForensics #DataExfiltration #TradeSecrets #WindowsForensics #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder