REGISTRY FORENSICS – ATTACHED DEVICES
Registry Keys track each mounted volume and the drive letter assigned to it by the NTFS file system. Information about any external device (such as a USB device, CD/DVD ROM, external memory card or digital camera) that has previously been attached to the system is recorded in certain Registry Keys. On a live system, “regedit” or “Registry Commander” can be run from a USB device to access these Keys. (Note that inserting the examiner’s USB device will itself make changes to the Registry.) The Keys can be exported directly from a live system and saved as readable text files.
1. MOUNTED DEVICES and STORAGE DEVICES:
• HKLM\SYSTEM\CurrentControlSet\Enum\USB\
The Subkeys beneath each vendor/product identifier are the serial numbers of devices that have been attached to the system. Between them, these Subkeys record both the date and time a USB device was originally attached to the system and the most recent time it was attached. For example, the serial number of the Patriot USB device mentioned in the previous column was “093A17A322A6.” Searching for that value provided the following data:
“VID_13FE&PID_1F00”
“Last Write Time: 7/14/2010 - 12:49 PM”
“VID_13FE&PID_1F00\093A17A322A6” (the serial-number Subkey beneath it):
“Last Write Time: 2/19/2012 - 11:55 AM”
“VID_13FE&PID_1F00” is a class identifier made up of the vendor ID (VID) and product ID (PID), so each entry in the Key is specific to a particular make and model of USB device. The first “Last Write Time: 7/14/2010 - 12:49 PM” represents the first time that the device was attached to the system; this date does not change when the same device is repeatedly reinserted. The second “Last Write Time: 2/19/2012 - 11:55 AM” represents the last time that the same device was attached to the system. It corresponds to the “Last Write Time” found under the “HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\” Subkey “{53f56307-b6bf-11d0-94f2-00a0c91efb8b}”, which was also identified in the data from the “HKLM\SYSTEM\MountedDevices” Key described previously.
• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
Whenever a device is connected to a USB port, drivers are queried and a Subkey that includes the device’s name is created under this Key. Beneath it, another Subkey consisting of the serial number of the device is created. (If the second character of that Subkey name is an “&”, the device did not report a serial number and Windows generated the identifier itself.) The first and last times that each device was attached are also recorded in these Subkeys. Searching for the Patriot USB device previously described provided the following data:
“Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP”
“Last Write Time: 7/14/2010 - 12:49 PM”
“Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6”
“Last Write Time: 2/19/2012 - 11:55 AM”
These “Last Write Times” are interpreted in the same way as those discussed above: the device-name Subkey records the first attachment and the serial-number Subkey records the most recent one. On a live system, a tool such as “USBDeview” can be used to parse out all the USB storage device information.
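As an added example (not from the original column), the following Python interprets USBSTOR Subkey names the way the text describes: it splits the device-name Subkey into type, vendor, product and revision, flags an instance ID with “&” in the second position as a Windows-generated ID for a device without a serial number, and converts the registry LastWrite FILETIME (what `winreg.QueryInfoKey()` returns on a live Windows system) into a readable UTC time. The Patriot entry uses the key names quoted above; the second device and all FILETIME values are constructed, and the times are treated as UTC rather than the local times shown in the article.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Registry LastWrite times are 64-bit FILETIME values: 100 ns ticks since
# 1601-01-01 UTC (winreg.QueryInfoKey() returns one as its third element).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

# USBSTOR device Subkeys are named "<type>&Ven_<vendor>&Prod_<product>&Rev_<rev>".
DEVICE_KEY_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

@dataclass
class UsbStorEntry:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str      # serial number, or a Windows-generated ID
    has_serial: bool      # False when the second character of instance_id is "&"
    last_write: datetime  # LastWrite of the instance Subkey (most recent attach)

def parse_usbstor(device_key: str, instance_key: str, last_write_filetime: int) -> UsbStorEntry:
    """Interpret one USBSTOR device Subkey / instance Subkey pair."""
    m = DEVICE_KEY_RE.match(device_key)
    if m is None:
        raise ValueError(f"unexpected USBSTOR device key: {device_key!r}")
    # A device that reports no serial number gets an instance ID generated by
    # Windows, recognisable by "&" in the second position (e.g. "6&2c3d4e5f&0").
    has_serial = not (len(instance_key) > 1 and instance_key[1] == "&")
    return UsbStorEntry(m["type"], m["vendor"], m["product"], m["rev"],
                        instance_key, has_serial,
                        filetime_to_datetime(last_write_filetime))

# Constructed sample standing in for a walk of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
# the Patriot device from the article, plus a hypothetical device with no serial number.
SAMPLE_USBSTOR = [
    ("Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP", "093A17A322A6", 129741261000000000),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "6&2c3d4e5f&0", 129741262800000000),
]

def parse_sample() -> list[UsbStorEntry]:
    """Parse every constructed sample row into a UsbStorEntry."""
    return [parse_usbstor(*row) for row in SAMPLE_USBSTOR]
```

On a live Windows system the same `parse_usbstor()` can be fed the Subkey names from `winreg.EnumKey()` and the third element of `winreg.QueryInfoKey()` for each instance Subkey.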