USB Device History (USBSTOR / MountPoints2)
Location
SYSTEM\CurrentControlSet\Enum\USBSTOR and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Description
Registry keys recording USB mass storage device connections. USBSTOR stores device vendor, product, serial number, and connection timestamps. MountPoints2 records user-specific drive letter mappings for mounted devices.
Forensic Value
USB device history is critical for data exfiltration and insider threat investigations. USBSTOR entries prove a specific USB device (by serial number) was connected to the system with first and last connection timestamps. MountPoints2 provides user attribution showing which account accessed the device. Cross-referencing device serial numbers across multiple systems maps the path of a USB device through the environment. Combined with file access artifacts, this proves what data was transferred to removable media.
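The cross-system serial comparison described above, as an added example (not part of the original page or of any tool it names). Host names, device strings, serials and timestamps are constructed, and the input layout (host, USBSTOR subkey path, timestamp) is an assumed export format. It also handles the case where the second character of the instance ID is `&`, which means Windows generated the ID because the device reported no unique serial, so it cannot be matched across hosts.

```python
import re
from collections import defaultdict

# Constructed sample: (host, USBSTOR subkey path, connection timestamp, UTC ISO 8601).
# Every host, device string, serial and time here is invented for illustration.
SAMPLE = [
    ("WS-01", r"Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101110000&0", "2024-03-04T09:12:44"),
    ("FS-02", r"Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101110000&0", "2024-03-05T08:03:19"),
    ("WS-07", r"Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101110000&0", "2024-03-04T16:40:02"),
    ("WS-01", r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0", "2024-03-02T11:00:00"),
    ("WS-07", r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0", "2024-03-06T14:30:00"),
]

# USBSTOR subkeys look like: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
KEY_RE = re.compile(
    r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$"
)

def parse_usbstor_key(path):
    """Split a USBSTOR subkey path into vendor, product, revision and serial."""
    m = KEY_RE.match(path)
    if not m:
        return None
    dev = m.groupdict()
    inst = dev.pop("instance")
    # '&' as the second character: ID was generated by Windows, not read from the device.
    dev["unique_serial"] = not (len(inst) > 1 and inst[1] == "&")
    # For a real serial, drop the trailing "&<n>" suffix; otherwise keep the ID whole.
    dev["serial"] = inst.rsplit("&", 1)[0] if dev["unique_serial"] else inst
    return dev

def device_paths(records):
    """Return ({serial: hosts in connection order}, {IDs unusable for cross-host matching})."""
    seen, skipped = defaultdict(list), set()
    for host, path, ts in records:
        dev = parse_usbstor_key(path)
        if dev is None:
            continue
        if not dev["unique_serial"]:
            skipped.add(dev["serial"])
            continue
        seen[dev["serial"]].append((ts, host))  # ISO 8601 strings sort chronologically
    return {s: [h for _, h in sorted(v)] for s, v in seen.items()}, skipped

if __name__ == "__main__":
    paths, skipped = device_paths(SAMPLE)
    for serial, hosts in paths.items():
        print(serial, " -> ".join(hosts))
    print("not comparable across hosts:", sorted(skipped))
```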
Tools Required
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target RegistryHives
RegRipper
rip.exe -r C:\output\SYSTEM -p usbstor
USBDeview
USBDeview.exe /scomma C:\output\usb_devices.csv
Registry Explorer
Open SYSTEM hive and navigate to ControlSet001\Enum\USBSTOR for device details
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.