Figure 1: List of some USB devices plugged into a recent Windows 7 computer
After obtaining a list of the devices that were used, you need to determine which users used them. This is possible, but it takes a few additional steps. In the registry, first visit HKLM\SYSTEM\MountedDevices. Within this key, search for the serial number of the device in question. Once you find it, the value that contains the serial number gives you the volume GUID associated with the device.
After obtaining the device GUID, turn to the user profiles on the computer. Inside each user's profile folder (under C:\Users) there is an NTUSER.DAT file. This file can be loaded into the registry editor with administrator privileges. To tie a specific user to a device, browse to the following path inside the loaded NTUSER.DAT hive: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Here you can search for the GUID of the device in question. If it is found, that user was logged in when the USB device was plugged into the system. Note that this search must be repeated for every user profile on the system when attempting this kind of correlation.
Figure 2: Searching in the NTUSER.DAT file to determine the USB GUID
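The serial-to-GUID-to-user correlation described above, written out as an added Python example (not part of the original article or of any tool it mentions). The MountedDevices values and the per-user MountPoints2 subkey lists are constructed samples with invented serial numbers, GUIDs and user names, shaped the way they appear in regedit or a hive parser; on a real system you would feed in the exported key contents instead.

```python
import re
from typing import Dict, List

# Constructed sample of HKLM\SYSTEM\MountedDevices: value name -> REG_BINARY data.
# For USB mass-storage volumes the data is a UTF-16LE device path that embeds the
# serial number; the volume GUID sits in the "\??\Volume{...}" value name.
# Every serial, GUID and vendor string here is invented.
_SANDISK = (
    r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001234567890123&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
_KINGSTON = (
    r"_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0019E06B2F4C&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    # fixed disk: MBR signature + partition offset, no serial inside (constructed)
    r"\DosDevices\C:": bytes.fromhex("4e6a1b3c0000100000000000"),
    r"\DosDevices\E:": _SANDISK.encode("utf-16-le"),
    r"\??\Volume{9a2f7c10-3b4e-4d5f-8a6b-1c2d3e4f5a6b}": _SANDISK.encode("utf-16-le"),
    r"\??\Volume{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}": _KINGSTON.encode("utf-16-le"),
}

# Constructed sample of the subkey names under each user's
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
SAMPLE_MOUNTPOINTS2: Dict[str, List[str]] = {
    "alice": ["{9a2f7c10-3b4e-4d5f-8a6b-1c2d3e4f5a6b}", "##fileserver#share", "E"],
    "bob": ["{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}"],
    "svc_backup": [],
}

VOLUME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-f-]{36}\})$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^\\DosDevices\\([A-Z]:)$", re.IGNORECASE)


def _mentions_serial(data: bytes, serial: str) -> bool:
    """True if the UTF-16LE device path in `data` carries this serial number."""
    # The serial is delimited by '#' before it and '&' (instance suffix) or '#' after it.
    text = data.decode("utf-16-le", errors="ignore")
    return f"#{serial}&" in text or f"#{serial}#" in text


def volume_guids_for_serial(mounted: Dict[str, bytes], serial: str) -> List[str]:
    """Volume GUIDs (lower-cased, with braces) whose MountedDevices data embeds the serial."""
    guids: List[str] = []
    for name, data in mounted.items():
        m = VOLUME_RE.match(name)
        if m and _mentions_serial(data, serial):
            guids.append(m.group(1).lower())
    return guids


def drive_letters_for_serial(mounted: Dict[str, bytes], serial: str) -> List[str]:
    """Drive letters the volume was last mounted under (letters get reused by other devices)."""
    letters: List[str] = []
    for name, data in mounted.items():
        m = DRIVE_RE.match(name)
        if m and _mentions_serial(data, serial):
            letters.append(m.group(1).upper())
    return letters


def users_who_mounted(mountpoints2: Dict[str, List[str]], guid: str) -> List[str]:
    """Users whose MountPoints2 lists the GUID, i.e. who were logged in when it mounted."""
    g = guid.lower()
    return sorted(user for user, keys in mountpoints2.items()
                  if any(k.lower() == g for k in keys))


def attribute_device(mounted: Dict[str, bytes], mountpoints2: Dict[str, List[str]],
                     serial: str) -> Dict[str, List[str]]:
    """Serial -> {volume GUID: [users]}; every profile is checked, not only the suspect's."""
    return {guid: users_who_mounted(mountpoints2, guid)
            for guid in volume_guids_for_serial(mounted, serial)}


if __name__ == "__main__":
    serial = "4C530001234567890123"
    print("drive letters:", drive_letters_for_serial(SAMPLE_MOUNTED_DEVICES, serial))
    print("attribution:", attribute_device(SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2, serial))
```

Two points the correlation depends on: the GUID in MountPoints2 is matched case-insensitively because hives and exports differ in casing, and a GUID found in no profile usually means the owning account's NTUSER.DAT was not loaded (or the profile has since been deleted), not that nobody used the device.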
One of the most important aspects of an investigation is establishing the timing of events around the thing being investigated. Here, the important thing to know is when the suspect USB device was connected to or disconnected from the system.
Determining when the device was first connected to the system is quite easy if you already have its serial number (as obtained in the previous steps). With that information, open the file C:\Windows\inf\setupapi.dev.log and search for the serial number; the matching entry tells you when the device was first plugged into the system.
Figure 3: Search in the setupapi.dev.log log file to determine when the USB device was first plugged into the system
On the other hand, we also need to determine when the device was most recently connected to the system. To access this information, look in the registry at HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_12345&PID_12345, replacing '12345' with the vendor ID (VID) and product ID (PID) obtained in the previous step. Here you can export the registry key as a text file to see when the key was last written. This is done by selecting the key in regedit and then clicking File, then Export.
Figure 4: Determining the last time the USB was connected from the registry
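The two timing steps above (first connection from setupapi.dev.log, last connection from the key's Last Write Time) combined into one added Python example; it is not code from the original article or from any tool it mentions. Both inputs are constructed excerpts: the log lines follow the section layout of setupapi.dev.log, and the registry text follows the "Key Name / Class Name / Last Write Time" layout of a regedit export saved as .txt, with invented VID, PID, serial and dates. The timestamp format in such an export depends on the machine's locale, so the parser below assumes the US-style format used in the sample.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed excerpt in the shape of C:\Windows\inf\setupapi.dev.log (not a real log).
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2019/11/12 09:15:33.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2019/11/12 09:15:35.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2019/11/12 09:15:36.001
<<<  Section end 2019/11/12 09:15:37.900
<<<  [Exit status: SUCCESS]
"""

# Constructed excerpt in the shape of a regedit "Export" saved as a .txt file.
# Key names, dates and values are invented.
SAMPLE_REG_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_0781&PID_5567
Class Name:        <NO CLASS>
Last Write Time:   11/12/2019 - 9:15 AM

Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_0781&PID_5567\\4C530001234567890123
Class Name:        <NO CLASS>
Last Write Time:   3/4/2020 - 5:42 PM
Value 0
  Name:            DeviceDesc
  Type:            REG_SZ
  Data:            USB Mass Storage Device
"""

SECTION_HEADER_RE = re.compile(r"^>>>\s+\[(?P<title>.*)\]\s*$")
SECTION_START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
KEY_NAME_RE = re.compile(r"^Key Name:\s+(\S.*?)\s*$")
LAST_WRITE_RE = re.compile(r"^Last Write Time:\s+(\S.*?)\s*$")


def first_install_time(log_text: str, serial: str) -> Optional[datetime]:
    """Timestamp of the first setupapi.dev.log section whose header names the serial.

    The log is appended chronologically, so the first matching section is the
    first time Windows installed a driver for this device, i.e. its first plug-in.
    """
    in_matching_section = False
    for line in log_text.splitlines():
        header = SECTION_HEADER_RE.match(line)
        if header:
            in_matching_section = serial in header.group("title")
            continue
        if in_matching_section:
            start = SECTION_START_RE.match(line)
            if start:
                return datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
    return None


def last_write_times(export_text: str) -> Dict[str, datetime]:
    """Map every key name in a regedit .txt export to its Last Write Time.

    Assumes the US-style "M/D/YYYY - H:MM AM/PM" format; adjust for other locales.
    """
    times: Dict[str, datetime] = {}
    current_key: Optional[str] = None
    for line in export_text.splitlines():
        key = KEY_NAME_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        written = LAST_WRITE_RE.match(line)
        if written and current_key:
            times[current_key] = datetime.strptime(written.group(1), "%m/%d/%Y - %I:%M %p")
    return times


def last_connection_time(export_text: str, vid: str, pid: str, serial: str) -> Optional[datetime]:
    """Last write time of the ...\\Enum\\USB\\VID_xxxx&PID_xxxx\\<serial> instance key."""
    suffix = f"\\Enum\\USB\\VID_{vid}&PID_{pid}\\{serial}".lower()
    for key, when in last_write_times(export_text).items():
        if key.lower().endswith(suffix):
            return when
    return None


def device_timeline(log_text: str, export_text: str, vid: str, pid: str,
                    serial: str) -> Dict[str, Optional[datetime]]:
    """Combine both artifacts into a first-seen / last-seen pair for one device."""
    return {
        "first_connected": first_install_time(log_text, serial),
        "last_connected": last_connection_time(export_text, vid, pid, serial),
    }


if __name__ == "__main__":
    timeline = device_timeline(SAMPLE_SETUPAPI_LOG, SAMPLE_REG_EXPORT,
                               "0781", "5567", "4C530001234567890123")
    for label, when in timeline.items():
        print(f"{label}: {when}")
```

Treat the key's last write time as "most recent activity on this key" rather than a guaranteed last plug-in: it changes whenever any value under the key is rewritten, and the parent VID_xxxx&PID_xxxx key is shared by every device of that model, which is why the lookup targets the serial-named instance key.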
Automated extraction
In addition to finding this information manually, there are many tools that can do it for you.
The two tools we introduce here are USBDeview and the Windows USB Storage (USBSTOR) Parser. The first, USBDeview, has a GUI and can extract and display the same information we found by the manual method above. It is a free utility and you can download it here. The second tool has similar functionality and runs on both Windows and Linux. You can download that tool here.
Figure 5: Using USBDeview to view the entries generated by plugging in USB devices
Conclusion
Unless you work in an environment with no USB devices at all, which is almost impossible, you need to pay attention to how these devices relate to system security. We hope this article gives you useful knowledge that can help you find the cause of an incident.