The USB connectivity is very common these days. Now, the days of Floppy, CD or DVD has been flown. A lot of computer devices and gadgets uses USB drives to connect to the computer. Because it offers the convenience of immediately initializing the device.
When you insert a USB drive to your system. It requires to install a driver. Other than that, most of the time the USB device will work without even require to install a driver. As we know that the USB is very convenient and easy to use. You can easily transfer your data from one device to another. You can also store some data if there is a storage issue in your system.
Although convenient, USB also poses a security risk as well. Someone can easily steal a huge amount of data out of the computer. Stealer can steal your data by just plugging in a really fast 128GB USB flash drive. Locking up the computer when you are away from the computer should stop this from happening.
But, what if you forget to lock your device. Sometimes we become more careless and hardly take care of our system. In this case, USB drive can be a major risk.
Here the point is Windows can be helpful if this happens to you. Windows keeps a history of all connected USB device not for the sake of forensics. But, also for performance purposes.
Here are some free tools that reveal all USB devices that were connected to your computer.
USBDeview– View USB drives
It is a simple and portable tool. USBDeview offers a lot of information on the USB devices. You can get all the details of the USB devices that are currently and previously connected to the computer.
If you want to look for connected USB flash drives or external hard drives. Sort the Device Type by clicking on the column and look for Mass Storage.
If you want to see the exact date and time then double click on the device. Here you can see when the device was first connected and the last time plugged in to the computer.
USBDeview is not only used for the information of the all connected USB devices. But, it is also used for troubleshooting USB connection problems. Simply right click on the problematic USB device and select “Uninstall Selected Devices”.
Uninstalling the device will cleanup the traces so that the USB device can be reinstalled automatically. It also correct and update the settings. It is also possible to block the USB device from working in future by disabling it in the program.
Advanced users would prefer to use USBDeview because it comes with a lot of options. As these options may be difficult for a normal user. It uses command line support, executing custom commands when a USB device is inserted or unplugged. And even the option of powering off the USB device when it is safely removed.
It is also a free tool which is normally used to see the USB History. You can see all the details of USB mass storage devices such as flash drive or an external hard disk. The advantage of USB History Viewer is it also support other computers on the local network if provided a valid authentication.
Running this tool will by default show LOCALHOST for the computer name and that would not work. You will need to either specify your computer name, internal IP address. Or, alternatively clicking on the browse button to select your computer from the list.
Once you have provided the computer name, click on the Start button and the history will be displayed in a few seconds. To download this tool, you will need to provide a valid email address. You will get the download link on your email address.
Since this is a portable program, it is important to mention that it does not leave any traces in the Windows Registry. You can copy it on any USB flash drive or other devices. Since it does not require much computer knowledge to work with this tool. Even less experienced users can master the entire process with just a few clicks.
USB History Viewer accomplishes a task quickly and without errors throughout the entire process. It does not eat up a lot of CPU and memory, so the overall performance of the computer is not hampered. It also offers a simple yet powerful software solution for helping you view a list with the USB flash drives that have been mounted on a computer.
You can also find the history of your USB Drives by using registry key or Powershell. Whenever we insert a USB drive into a computer, a registry key with the name “USBSTOR” is created. This registry key stores information about that USB device, and whatever information the OS needs to know can be found in this registry key.
Finding the USB Attachment History
To find the USB history of your device, take the following steps:
1: Go to Run and type “Regedit”.
2: In the registry, go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR, and there, you will find a registry key with the name “USBSTOR.”
3: Click on the USBSTOR key, you can get a list of all the USB devices that have been connected to this computer.
We can see that there are a lot of USB devices that have been connected to this machine, but this does not tell what kinds of device they are. To find out, follow the next step.
4: Click on any one device from the list and click on the subkey on the right side. You will find an entry with the name “friendly name.” Just in front of this entry, you can easily see what type of USB device this is.
Getting USB History With Single Powershell Command
You can also get all this information by just using a single command. To do this, open PowerShell and type “Get-ItemProperty -Path HKLM:SYSTEMCurrentControlSetEnumUSBSTOR** | Select FriendlyName.” Then press enter, and you will get the history of all USB devices that have been used on your computer.
So this was just basic information about USB forensics to get the USB connection history on your Windows machine.