HOW MANY TIMES WAS A USB STORAGE DEVICE CONNECTED TO A COMPUTER?

The Windows operating system stores valuable information about connected Universal Serial Bus (USB) storage devices in the Windows Event Logs which are located in the following file path.

{Drive}:\Windows\System32\winevt\Logs\

To find the number of times that a specific USB storage device has been connected to a suspect computer, review the information available in Microsoft-Windows-Storsvc%4Diagnostic.evtx. It is a significant event log file that contains vital information about connected USB storage devices. The Event IDs 1001 and 1002 contain System related information such as the Timestamp, Device Name and User Identifier, and Event related data such as the Serial Number and Product Identifier which can be used for identifying the specific storage device.

KNOWN SERIAL NUMBER

If you know the serial number of the USB storage device, you can search through the Event Log and make a note of each interaction that the device has had with the suspect computer. Key details that should be noted consist of SystemTime and the number of events that have been logged. Pay attention to the timestamp information as it is presented in the Coordinated Universal Time (UTC) format.

UNKNOWN SERIAL NUMBER

There may be situations where you do not know the serial number of the USB storage device that you are attempting to find. You can try to narrow down the list of possible devices, if you know the vendor or brand name of the USB storage device. The event log contains the ProductID and VendorID entries which may be of assistance. If even this information is unknown to you, the FileSystem entry may be of help, provided that you know what file system the target device is using.

SYSTEM

Provider
[Name] _______ Microsoft-Windows-Storsvc
[Guid] _ {a963a23c-0058-521d-71ec-a1cce6173f21}

EventID _ 1001
Version _ 0
Level _ 4
Task 0
Opcode 0
Keywords __ 0x8000000000000000

TimeCreated
[SystemTime] _ 2022-04-14T16:34:52.1567835Z

EventRecordID _ 480

Correlation
[ActivityID] {8e494d8d-16da-0004-d755-498eda16d801}

Execution
[ProcessID] _ 14980
[ThreadID] 24180

Channel _ Microsoft-Windows-Storsvc/Diagnostic
Computer LAPTOP-6P571J62

Security
[UserID] S-1-5-18

EVENTDATA

Version _ 2
DiskNumber 2
VendorId WD
ProductId _ Elements SE 2623
ProductRevision _ 1026
SerialNumber WXE2A51CSLHZ
ParentId ______ USB\VID_1058&PID_2623\5758453241353143534C485A
FileSystem ____ exFAT
BusType _ 7
PartitionStyle 0
VolumeCount _ 1
ContainsRawVolumes false
Size ______________ 1000170586112

Above are the entries contained in Microsoft-Windows-Storsvc%4Diagnostic.evtx.

HUNGRY FOR MORE?

Cyber Security Misconceptions

Apr 20, 2024

Do you lack the educational background and coding skills required to land a job in the cyber security industry? Several misconceptions exist regarding what it takes to break in! Find out more why you could and should pursue a career in cyber security.

Malware Analysis with ChatGPT

Mar 6, 2023

CHATGPT POWERED MALWARE ANALYSISDuring late 2022 and early 2023, ChatGPT made headlines in the tech industry and everyone caught scent of the excitement! ChatGPT is a truly intriguing example of the capabilities of Artificial Intelligence, and how it can be used in...