When sifting through the evidence of USB devices on a machine, an important factor is identifying when each device was used. This is a key part of putting a user behind the keyboard or when we need to be able to correlate the USB activity to other personally identifying activity on the device.
The first time a USB device is plugged into a machine, the installation is logged in the setupapi.log file. We can use a suspicious device's serial number to find its entry in this log, which gives us the time the device was first connected, recorded in the local time zone of the machine rather than UTC.
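As an added example, not part of the original text: a small Python parser that pulls the first "Device Install" timestamp for a given serial number out of a setupapi.dev.log-style log (the Windows 7 and later format of this log) and, because the log is written in local time, converts it to UTC using the examined machine's offset. The log lines, device identifiers, serial and offset are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the setupapi.dev.log layout; devices, serials
# and timestamps are made up for this example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001230422112345]
>>>  Section start 2023/03/12 14:22:01.234
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2023/03/12 14:22:03.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001230422112345&0]
>>>  Section start 2023/03/12 14:22:03.789
     dvi: {Build Driver List} 14:22:03.800
<<<  Section end 2023/03/12 14:22:05.012
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B7E5F&0]
>>>  Section start 2023/04/01 09:10:11.000
<<<  Section end 2023/04/01 09:10:12.000
<<<  [Exit status: SUCCESS]
"""

# Section header carrying the device instance ID, and the line that dates it.
HEADER = re.compile(r"^>>>\s+\[Device Install .*?-\s+(?P<devid>.+?)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text, utc_offset_hours=0):
    """Return {device_instance_id: (local_dt, utc_dt)} using the earliest
    'Device Install' section seen for each device instance ID."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # examined machine's zone
    results = {}
    pending = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START.match(line)
        if m and pending is not None:
            if pending not in results:  # keep the first connection only
                local = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=tz)
                results[pending] = (local, local.astimezone(timezone.utc))
            pending = None
    return results


def find_by_serial(log_text, serial, utc_offset_hours=0):
    """Entries whose device instance ID contains the serial; both the USB
    and the USBSTOR entries for the same stick will match."""
    return {k: v for k, v in first_install_times(log_text, utc_offset_hours).items() if serial in k}
```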
Another location of interest is the USBSTOR key in the SYSTEM registry hive. It gives greater insight into a device's activity than setupapi.log because it holds three timestamps per device: first install, last connected, and last removed.
Another method is the use of shortcut (LNK) files. When a file on a USB drive is opened, a link file is created that records the name of the file, the time it was opened, and its path, which includes the drive letter and volume name. This can give us a more detailed timeline of the USB device's use on the machine than the other artifacts discussed, but only if files on the drive were actually opened, since that is the activity that generates these artifacts.