USB Device History (USBSTOR / MountPoints2)

windowsFilesystem & TimelineDisk Image

Location

SYSTEM\CurrentControlSet\Enum\USBSTOR and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Description

Registry keys recording USB mass storage device connections. USBSTOR stores device vendor, product, serial number, and connection timestamps. MountPoints2 records user-specific drive letter mappings for mounted devices.

Forensic Value

USB device history is critical for data exfiltration and insider threat investigations. USBSTOR entries prove a specific USB device (by serial number) was connected to the system with first and last connection timestamps. MountPoints2 provides user attribution showing which account accessed the device. Cross-referencing device serial numbers across multiple systems maps the path of a USB device through the environment. Combined with file access artifacts, this proves what data was transferred to removable media.

Tools Required

KAPERegistry Explorer (Eric Zimmerman)USBDeview (NirSoft)RegRipper

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical