CyberCode Academy

Course 36 - Windows Forensics and Tools | Episode 13: Decoding Registry Artifacts and Connection History

June 11, 2026·12 min
Episode Description from the Publisher

In this lesson, you'll learn about Windows USB forensics and how external device activity is tracked through the Windows Registry.

1. What Is Windows USB Forensics?
USB forensics focuses on identifying and analyzing traces left by:
- USB flash drives
- External hard drives
- Digital cameras and mobile storage devices
🔹 Key Idea
Even after a device is unplugged or removed, Windows keeps persistent evidence of its connection. Persistent is not the same as permanent: the keys survive reboots and normal use, but an administrator or an anti-forensic tool can delete them, so their absence does not prove that no device was ever used.

2. Why USB Devices Leave Forensic Evidence
When a USB storage device is connected, Windows automatically:
- Logs device identity (vendor, product, firmware revision)
- Stores the device serial number, or generates an instance ID if the device reports none
- Records connection history (first install, last arrival, last removal)
- Links the mounted volume to the user profiles that accessed it
🔹 Forensic Value
This allows investigators to reconstruct:
- Who used the device
- When it was connected
- What machine it was connected to

3. USBSTOR Registry Key (Device Identity Tracking)
🔹 What it is
A key in the SYSTEM hive (HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) that stores details of every USB storage device Windows has enumerated.
🔹 What it records
- Vendor name (e.g., SanDisk, Kingston)
- Product model and firmware revision, encoded in the subkey name (Disk&Ven_...&Prod_...&Rev_...)
- Serial number, used as the name of the device instance subkey
👉 Key Insight
This is the digital fingerprint of every USB storage device ever connected. Caveat: not every device reports a serial. When it does not, Windows generates an instance ID whose second character is an ampersand (&); such IDs depend on the port and machine and cannot be matched to the same device on another computer.

4. MountedDevices Key (Drive Letter Mapping)
🔹 What it is
HKLM\SYSTEM\MountedDevices links volumes to their assigned drive letters (\DosDevices\E:, \DosDevices\F:, etc.) and to volume GUIDs (\??\Volume{...}). For USB storage, the value data is the device interface path, which embeds the same vendor, product and serial strings found in USBSTOR; for internal fixed disks it is a 12-byte MBR disk signature plus partition offset instead.
🔹 What it reveals
- Which USB device got which drive letter
- The volume GUID Windows assigned to it at connection time
👉 Key Insight
Helps reconstruct how the system interacted with external storage, and supplies the volume GUID needed to tie the device to a user profile.

5. MountPoints2 Key (User-Level Evidence)
🔹 What it is
Stores per-user information about mounted volumes. It lives in each user's NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, with one subkey per volume GUID, the same GUID recorded in MountedDevices.
🔹 What it reveals
- Which user account mounted or browsed the device
- When that profile last touched the volume (the subkey's last-write time)
👉 Key Insight
Connects USB activity directly to a specific Windows user account.

6. Forensic Significance of USB Artifacts
🔹 What investigators can determine:
- First time a device was plugged in (the first-install timestamp, also recorded in setupapi.dev.log)
- Last time it was connected, and last time it was removed
- How often it was used, inferred from timestamps across profiles and event logs; the registry itself keeps no counter
- Possible data transfer activity; the registry proves only that the device was connected, so what was copied must come from other artifacts such as LNK files, jump lists and shellbags
On Windows 8 and later, the timestamps are 8-byte FILETIME values under the device instance's Properties\{83da6326-97a6-4088-9453-a1923f573b29} key: 0064 (first install), 0066 (last arrival) and 0067 (last removal).
👉 Key Insight
USB history helps build a behavioral timeline of data movement.

7. USBDeview Tool (Practical Analysis)
🔹 What it does
Automatically extracts USB history from the registry of the system it runs on (USBDeview is a free NirSoft utility)
🔹 What it shows
- Device name and model
- Serial number
- First/last connection time
- Plug/unplug state and events
👉 Key Insight
Turns raw registry data into readable forensic evidence. Verify key findings against the underlying keys so that every timestamp in the report can be traced to the value it came from.

8. Live System Analysis Considerations
🔹 When analyzing active systems:
- Registry must be extracted carefully: reading keys does not change their last-write times, but plugging in your own USB drive creates a new USBSTOR entry and alters MountedDevices, so run tools from media that is already documented or over the network
- Evidence integrity must be preserved: hash exported hives and record every action with its time
- Avoid modifying timestamps or device traces: do not remove and reinsert the suspect device, and do not run cleanup tools
👉 Key Insight
Live analysis requires strict forensic discipline to avoid contamination.

9. Linking USB Devices to Real-World Activity
🔹 Investigation process:
USB device → USBSTOR (identity) → MountedDevices (drive letter and volume GUID) → MountPoints2 (user account) → Timeline reconstruction
👉 Key Insight
This allows investigators to connect a physical device to a specific suspect machine and user account.

Key Takeaways
- Windows persistently records USB device history in the registry
- USBSTOR stores device identity and serial numbers
- MountedDevices maps USB volumes to drive letters and volume GUIDs
- MountPoints2 links devices to specific users
- Tools like USBDeview simplify forensic extraction

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
