Windows 7 Registry Forensics: Part 6

Fri, 08/10/2012 - 10:53am
John J. Barbara

Registry Keys track each mounted volume and assigned drive letter used by the NTFS file system. Information concerning any external devices (such as USB devices, CD/DVD ROMs, external memory cards, digital cameras, etc.) that had previously been attached to the system will be recorded in certain Registry Keys. On a live system, “regedit” or “Registry Commander” can be run from a USB device to access these Keys. (Inserting this USB device will also make changes to the Registry.) The Keys can be exported directly from a live system and saved as readable text files.


• HKLM\SYSTEM\CurrentControlSet\Enum\USB\

The Subkeys are the serial numbers of devices that have been attached to the system. Each of the Subkeys will record the most recent time a USB device was attached and will also provide the date and time that the device was originally attached to the system. For example, the serial number of the Patriot USB device mentioned in the previous column was “093A17A322A6.” Searching for that value provided the following data:

“Last Write Time: 7/14/2010 - 12:49 PM”

“VID_13FE&PID_1F00\093A17A322A6” Subkeys respectively:
“Last Write Time: 2/19/2012 - 11:55 AM”

“VID_13FE&PID_1F00” is a class identifier. Each of the entries in the Key is specific to a particular make and model of USB device. The “Last Write Time: 7/14/2010 - 12:49 PM” represents the first time that the device was attached to the system. This date does not change when the same device is repeatedly reinserted. The second “Last Write Time: 2/19/2012 - 11:55 AM” represents the last time that the same device was attached to the system and corresponds to the same “Last Write Time” found in the “HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\” Subkey “{53f56307-b6bf-11d0-94f2-00a0c91efb8b}” (which was also identified in the data described previously in the “HKLM\SYSTEM\MountedDevices” Key).

• HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\

Whenever any device is connected to a USB port, drivers are queried and a Subkey, which includes the device’s name, is created under this Key. Another Subkey consisting of the serial number of the device is also created. (If the second character is an “&”, this indicates that the device does not have a serial number.) The first and last times that each device was attached are also recorded in each Subkey. Searching for the Patriot USB device previously described provided the following data:

“Last Write Time: 7/14/2010 - 12:49 PM”

“Last Write Time: 2/19/2012 - 11:55 AM”

These “Last Write Times” are analogous to those discussed above. On a live system, a tool such as “USBDeview” can be used to parse out all the USB storage device information.


In addition to serving as storage devices, many USB devices can be configured to be used as portable desktops. They include applications that run when the device is attached to a computer. To a host system, U3 devices appear as USB Hubs with attached CD drives and USB storage devices. Windows normally will show two drives: a read-only volume on an emulated CD-ROM drive and a regular FAT-formatted USB drive. The emulated CD-ROM drive contains an Autorun configuration which launches the U3 LaunchPad. Normally, there is a hidden system folder stored in a CDFS partition on the USB drive that contains the applications. The “HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\” Key lists U3 device(s) by their device Class ID, similar to the following:



It is not easy for someone to obfuscate the fact that a particular USB device had been attached to a system. Using the “Registry Commander” tool, a search on a live system for the serial number of the previously mentioned Patriot USB device produced a total of seventy-one hits under seventeen different Keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
  • HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
  • HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\
  • HKLM\SYSTEM\ControlSet001\Enum\STORAGE\Volume\
  • HKLM\SYSTEM\ControlSet001\Enum\USB\VID_111D&PID_0000\
  • HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\
  • HKLM\SYSTEM\ControlSet001\Enum\WpdBusEnumRoot\UMB\
  • HKLM\SYSTEM\ControlSet002\Control\DeviceClasses\
  • HKLM\SYSTEM\ControlSet002\Enum\STORAGE\Volume\
  • HKLM\SYSTEM\ControlSet002\Enum\USB\VID_111D&PID_0000
  • HKLM\SYSTEM\ControlSet002\Enum\USBSTOR\
  • HKLM\SYSTEM\ControlSet002\Enum\WpdBusEnumRoot\UMB\
  • HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\
  • HKLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\
  • HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_111D&PID_0000\
  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
  • HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB
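
The serial-number search described above can be repeated offline against a text export of the Keys. The following is an added example, not part of the original column: it assumes the “Key Name:” / “Last Write Time:” layout of a regedit text export, and the sample data and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed excerpt in the "Key Name:" / "Last Write Time:" layout of a
# regedit text export. Pairing each time with a key is an assumption modelled
# on the values quoted in the article; the last key is unrelated filler.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_13FE&PID_1F00
Last Write Time:   7/14/2010 - 12:49 PM

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_13FE&PID_1F00\093A17A322A6
Last Write Time:   2/19/2012 - 11:55 AM

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Last Write Time:   2/19/2012 - 11:55 AM
Value 0
  Name:            DeviceInstance
  Data:            USBSTOR\Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6&0

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_FFFF&PID_0001\5&1a2b3c4d&0&2
Last Write Time:   1/3/2012 - 8:00 AM
"""

def parse_export(text):
    """Return {key path: {"last_write": datetime or None, "body": lowercased raw lines}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        label, _, rest = line.partition(":")
        if label == "Key Name":
            cur = keys.setdefault(rest.strip(), {"last_write": None, "body": ""})
        if cur is None:
            continue
        if label == "Last Write Time":
            cur["last_write"] = datetime.strptime(rest.strip(), "%m/%d/%Y - %I:%M %p")
        cur["body"] += line.lower() + "\n"
    return keys

def serial_hits(text, serial):
    """Per key mentioning `serial` in its path or values: hit count, own and parent last write."""
    keys, report = parse_export(text), {}
    for path, info in keys.items():
        hits = info["body"].count(serial.lower())
        if hits:
            parent = keys.get(path.rsplit("\\", 1)[0], {})
            report[path] = {"hits": hits, "last_write": info["last_write"],
                            "parent_last_write": parent.get("last_write")}
    return report
```

Counting hits per Key rather than per line keeps the distinction the column draws between the number of hits and the number of Keys they fall under.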


• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\PlugPlay\SETUPAPI
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\KnownDLLs
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

These four keys appear to control the “setupapi.dll” file, which may determine whether or not logging will occur. The file is located in the “C:\Windows\System32” directory and contains functions used by installation and setup programs. It serves as a dynamic link library controlling the setup, installation, removal, and maintenance of applications and is required for Windows to operate correctly. Specifically, this includes installing and queuing files, logging of files as they are installed, updating the Registry, notifying the user of any installation errors, starting or restarting the computer, copying files, and accessing the routines that control device installation. All of these activities are logged. Any errors or warnings that may arise during a particular activity are also logged, and that information can assist with troubleshooting or debugging activities.

• “” FILE:

This file is located in the “C:\Windows\inf\” directory and is text-readable and forensically important. It is essentially a device installation log. Whenever a removable storage device is connected to a computer for the first time, the Plug and Play Manager makes note of the new device’s presence, queries the device for identifying information, creates a class identifier for the device, and locates the appropriate device driver. This information is recorded in the log file. For instance, when the Patriot USB device previously mentioned was connected to a USB port for the first time, the Plug and Play Manager received an event notification, queried the device to develop a class identifier, and attempted to find an appropriate driver:

“[Device Install (Hardware initiated) - USBSTOR\Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6]
Section start 2010/07/14 12:49:37.659”

Information from the file provided the device serial number (093A17A322A6) and the date and time the device was first attached (2010/07/14 12:49). A Key was also created under “HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\” which used the device Class ID “Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP.” Under this Key another Key was created which used the serial number of the device. A unique system-generated identifier would have been created if the device did not have a serial number.
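
The log entry quoted above can be pulled apart programmatically. This is an added example, not part of the original column: the sample text is constructed from the quoted entry (the “>>>” line prefixes and the second, serial-less device are assumptions), and the function and field names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample modelled on the entry quoted in the article; the ">>>"
# prefixes and the second (serial-less) device are assumptions for illustration.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP\093A17A322A6]
>>>  Section start 2010/07/14 12:49:37.659
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a3b4c5d&0]
>>>  Section start 2011/03/02 09:15:02.120
"""

HEADER = re.compile(
    r"\[Device Install \(Hardware initiated\) - USBSTOR\\([^\\\]]+)\\([^\]]+)\]")
START = re.compile(r"Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def parse_usbstor_installs(text):
    """Return one record per USBSTOR install section: Class ID fields, instance ID, first-seen time."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            class_id, instance = m.groups()
            # "Disk&Ven_X&Prod_Y&Rev_Z" -> {"Ven": "X", "Prod": "Y", "Rev": "Z"}
            fields = dict(p.split("_", 1) for p in class_id.split("&")[1:] if "_" in p)
            pending = {
                "class_id": class_id,
                "vendor": fields.get("Ven", ""),
                "product": fields.get("Prod", ""),
                "revision": fields.get("Rev", ""),
                "instance_id": instance,
                # Per the article: "&" as the second character means no device serial number.
                "has_serial": not (len(instance) > 1 and instance[1] == "&"),
            }
            continue
        m = START.search(line)
        if m and pending:
            pending["first_attached"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            records.append(pending)
            pending = None
    return records
```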

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at

