USB Device Connection History
Windows records every USB mass-storage device plugged in, keyed by vendor/product ID and serial number, with first- and last-connection timestamps.
Where to find it
Default filesystem paths and registry locations. Collect these with your preferred live-response or disk-image tooling.
- $HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
- $HKLM\SYSTEM\CurrentControlSet\Enum\USB\
- $C:\Windows\INF\setupapi.dev.log
- $HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Data exfiltration via USB drive
- Insider threat — proving files copied to personal device
- Malware — USB as initial access vector
- USB serial number cross-referencing across multiple hosts
MITRE ATT&CK mapping
Techniques this artifact can help detect or substantiate. Click a technique to view the official MITRE entry.
Tools that parse it
unJaena AI and other DFIR tools commonly used to extract evidence from this artifact.
Related artifacts
Shell Bags
Windows Explorer view preferences recorded per-folder in UsrClass.dat. Shell Bags prove a user navigated to a folder, even after the folder or attached volume is long gone.
Windows Bluetooth Pairings
Windows records paired Bluetooth devices under HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices, preserving MAC and name after unpairing.
Amcache.hve
Compatibility database introduced in Windows 8 that records every PE file executed on the system, including SHA-1 hash, full path, publisher, and first-seen timestamp.
UserAssist
Per-user registry key recording GUI-launched programs with ROT13-obfuscated paths, focus count, and last execution time — proving interactive user execution of a binary.
References & further reading
Stop parsing artifacts by hand
unJaena AI ingests disk images, live-response output, and mobile backups, then automatically correlates every artifact on this page — and 200+ more — into an investigator-ready timeline.
Try unJaena AI →