When a USB device is plugged into a Windows computer — a thumb drive, an external SSD, even a phone in storage mode — the operating system quietly records it. Long after the device is unplugged and the user thinks the interaction is over, traces of that connection remain stored on the system for months or years.
For most users, none of this matters. For investigators, it matters a lot. USB activity is one of the most common questions we answer at Data Rescue Labs: Did this device ever get connected to this computer? When? How many times? Was data moved off the machine?
Here's a high-level walkthrough of where Windows keeps that information and how forensic examiners pull it.
Where the USB history lives
Windows stores most of its USB device history in the system registry — a hierarchical database that backs the operating system's configuration. Two registry hives matter for this work:
- The SYSTEM hive holds the technical record of every USB device the OS has enumerated. Storage devices (thumb drives, external HDDs, card readers) live in a dedicated section called USBSTOR; everything else (mice, webcams, dongles, phones in PTP mode) lands under USB and related enumerators. Each device's section contains its vendor ID, product ID, and device serial number — a unique identifier hardcoded into the device by its manufacturer.
- The SOFTWARE hive holds the friendly, user-visible side of the same record — the name a user would have seen when the device appeared in File Explorer (think "SanDisk (E:)" or similar), along with the drive letter Windows assigned.
These two hives can be cross-referenced using the device serial number. An investigator can move between the technical record and the user-facing record without losing track of the device.
The timestamps
Each device's registry entry contains a small block of timestamps that tell a forensic story:
- First installed — the very first time the device was ever plugged into this computer.
- Last connected — the most recent time it was plugged in.
- Last removed — the most recent time it was unplugged.
These three values, pulled from a single device's registry entry, can establish a timeline that pre-dates and post-dates an incident by months or years. It's not uncommon to discover that a device an investigator believed had been used once was actually connected on multiple separate occasions, spread across a long period of activity.
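The decoding step described above, written out as an added example (it is not code from the original post, nor from Registry Explorer or RECmd): it takes one USBSTOR device key and its timestamp properties from the SYSTEM hive, decodes the raw FILETIME values into UTC datetimes, and matches the device to its friendly name from the SOFTWARE hive using the serial number. The property IDs 0065/0066/0067 under the device's Properties key are the Windows 8-and-later lifecycle timestamps; the key names, serial and timestamp values below are all constructed sample data, not real evidence. It also handles one edge case the paragraph does not mention: a device that reports no serial gets a Windows-generated instance ID (second character is an ampersand), which is unique to the host rather than the device, so it must not be used to cross-reference hives.

```python
"""
Added example (not from the original post, and not Registry Explorer/RECmd code):
decode one USBSTOR device record from a SYSTEM hive into a readable timeline and
cross-reference it with the friendly name kept in the SOFTWARE hive, keyed on the
device serial. Every registry key name and value below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Under each device key, Properties\{83da6326-...}\00NN holds the lifecycle
# timestamps on Windows 8 and later (assumed mapping; verify against your hive).
DEVICE_PROPERTY_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
TIMESTAMP_PROPERTIES = {"0065": "first_installed",
                        "0066": "last_connected",
                        "0067": "last_removed"}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a raw 64-bit FILETIME into an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to fabricate the sample values.
    Integer arithmetic keeps the round trip exact."""
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


@dataclass
class UsbDevice:
    device_class: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_generated: bool   # True when Windows made up the instance ID
    friendly_name: Optional[str] = None
    timestamps: Dict[str, datetime] = field(default_factory=dict)


def parse_usbstor_device(key_name: str, instance_id: str,
                         properties: Dict[str, int]) -> UsbDevice:
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' and the instance ID into fields and
    decode whichever timestamp properties the hive actually contains."""
    parts = key_name.split("&")
    fields = dict(p.split("_", 1) for p in parts[1:] if "_" in p)
    # Devices that report no serial get a Windows-generated instance ID whose
    # second character is '&'; such IDs are unique per host, not per device.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    serial = instance_id if generated else instance_id.split("&")[0]
    stamps = {label: filetime_to_datetime(properties[pid])
              for pid, label in TIMESTAMP_PROPERTIES.items() if pid in properties}
    return UsbDevice(parts[0], fields.get("Ven", ""), fields.get("Prod", ""),
                     fields.get("Rev", ""), serial, generated, timestamps=stamps)


def attach_friendly_name(device: UsbDevice, wpd_devices: Dict[str, str]) -> UsbDevice:
    """Key names under SOFTWARE ... Windows Portable Devices\\Devices embed the
    same serial, so a case-insensitive substring match links the two hives.
    Generated instance IDs are skipped: they cannot identify the device."""
    for key_name, friendly in wpd_devices.items():
        if not device.serial_is_generated and device.serial.upper() in key_name.upper():
            device.friendly_name = friendly
    return device


def timeline(device: UsbDevice) -> List[Tuple[datetime, str]]:
    """Chronological (timestamp, description) pairs for reporting."""
    who = device.friendly_name or f"{device.vendor} {device.product}"
    return sorted((ts, f"{label}: {who} sn={device.serial}")
                  for label, ts in device.timestamps.items())


# --- constructed sample data (not real evidence) ---------------------------
SAMPLE_KEY = "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
SAMPLE_INSTANCE = "4C530001234567890123&0"
SAMPLE_PROPERTIES = {
    "0065": datetime_to_filetime(datetime(2022, 11, 3, 14, 2, 10, tzinfo=timezone.utc)),
    "0066": datetime_to_filetime(datetime(2024, 5, 19, 8, 41, 55, tzinfo=timezone.utc)),
    "0067": datetime_to_filetime(datetime(2024, 5, 19, 9, 12, 3, tzinfo=timezone.utc)),
}
SAMPLE_WPD = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00"
    "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "SanDisk (E:)",
}


def analyze_sample() -> UsbDevice:
    """Run the whole chain over the constructed sample."""
    device = parse_usbstor_device(SAMPLE_KEY, SAMPLE_INSTANCE, SAMPLE_PROPERTIES)
    return attach_friendly_name(device, SAMPLE_WPD)


if __name__ == "__main__":
    for ts, what in timeline(analyze_sample()):
        print(ts.isoformat(), what)
```

Run against real hives, the two dictionaries would be filled from the parsed SYSTEM and SOFTWARE files; the FILETIME values are stored as 8-byte little-endian integers, and the decoded datetimes are UTC, so convert to the machine's local zone only at reporting time.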
Supporting artifacts
The registry is the headline source, but it's not the only one. A thorough USB review usually pulls from several places:
- setupapi.dev.log — a plain-text Windows log that records the first-ever installation of every device, with timestamps. This is the most authoritative "first connection" source on the system.
- Windows event logs — depending on the Windows version, channels such as Microsoft-Windows-Partition/Diagnostic and Microsoft-Windows-Kernel-PnP/Configuration capture per-event records of device arrival and removal, often with the device's full metadata.
- Per-user registry data (NTUSER.DAT) — tracks which user account mounted each device, useful in multi-user environments.
- LNK files and Jump Lists — shortcut artifacts that can prove a user opened files that lived on a particular USB drive, even after the drive has been removed.
Together these sources let us answer not only when a device was connected but by whom, what files lived on it, and whether content was moved between the device and the host.
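Two of the supporting sources above, worked as an added example (not code from the original post or from any tool it names): the first half parses setupapi.dev.log sections to recover each device's first-install time and exit status, and the second attributes a USB storage volume to a user account by chaining the volume's entry in SYSTEM\MountedDevices (which embeds the USBSTOR serial) to the volume GUID subkeys under each user's MountPoints2 key in NTUSER.DAT. The log text, volume GUIDs, user names and registry paths are constructed sample data. One caveat the code carries as a comment: setupapi.dev.log timestamps are written in the machine's local time, unlike the UTC FILETIME values in the registry, so the two must be normalized before being placed on one timeline.

```python
"""
Added example (not from the original post): pull first-install events for USB
devices out of setupapi.dev.log and attribute a USB storage volume to a user
account by chaining SYSTEM\\MountedDevices to each user's MountPoints2 key.
All log lines and registry values below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

_HEADER = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (.+)\]$")
_START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
_EXIT = re.compile(r"^<<<\s+\[Exit status: (\w+)\]")


@dataclass
class InstallEvent:
    instance_path: str          # e.g. USBSTOR\Disk&Ven_...\SERIAL&0
    started: datetime           # local time of the machine, NOT UTC
    status: Optional[str] = None


def parse_setupapi(text: str) -> List[InstallEvent]:
    """Each '>>> [Device Install ...]' header opens a section whose
    'Section start' line carries the timestamp of that first installation."""
    events: List[InstallEvent] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = _START.match(line)
        if m and current is not None:
            # setupapi.dev.log records local time; normalize before merging
            # with the UTC FILETIME values taken from the registry.
            started = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            events.append(InstallEvent(current, started))
            current = None
            continue
        m = _EXIT.match(line)
        if m and events and events[-1].status is None:
            events[-1].status = m.group(1)
    return events


def usb_storage_installs(events: List[InstallEvent]) -> List[InstallEvent]:
    """Keep only USBSTOR devices; mice, webcams and phones in PTP mode enumerate
    under other bus names."""
    return [e for e in events if e.instance_path.upper().startswith("USBSTOR\\")]


def volume_guids_for_serial(serial: str, mounted_devices: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """MountedDevices maps \\??\\Volume{GUID} and \\DosDevices\\X: names to the
    device path of each volume; USB storage paths embed the USBSTOR serial."""
    guids: Set[str] = set()
    letters: Set[str] = set()
    for name, path in mounted_devices.items():
        if serial.upper() not in path.upper():
            continue
        if name.startswith(r"\??\Volume{"):
            guids.add(name[len(r"\??\Volume"):])
        elif name.startswith("\\DosDevices\\"):
            letters.add(name[len("\\DosDevices\\"):])
    return guids, letters


def users_who_mounted(serial: str, mounted_devices: Dict[str, str],
                      mountpoints2: Dict[str, List[str]]) -> Set[str]:
    """A volume GUID present under a user's MountPoints2 key means that
    account mounted the volume at least once."""
    wanted = {g.upper() for g in volume_guids_for_serial(serial, mounted_devices)[0]}
    return {user for user, keys in mountpoints2.items()
            if any(k.upper() in wanted for k in keys)}


# --- constructed sample data (not real evidence) ---------------------------
SAMPLE_LOG = r"""
[Device Install Log]
     OS Version = 10.0.19045

[BeginLog]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2022/11/03 14:02:10.418
     dvi: {Build Driver List} 14:02:10.612
<<<  Section end 2022/11/03 14:02:12.031
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&1a2b3c4d&0&2]
>>>  Section start 2023/01/15 08:30:01.000
<<<  Section end 2023/01/15 08:30:02.500
<<<  [Exit status: SUCCESS]
"""
_SANDISK_PATH = (r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
                 r"#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
_INTERNAL_PATH = r"\??\SCSI#Disk&Ven_Constructed&Prod_Internal#4&1&0&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_MOUNTED_DEVICES = {          # value name -> decoded UTF-16LE data
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": _SANDISK_PATH,
    r"\DosDevices\E:": _SANDISK_PATH,
    r"\??\Volume{66666666-7777-8888-9999-000000000000}": _INTERNAL_PATH,
}
SAMPLE_MOUNTPOINTS2 = {             # user -> subkeys of that user's MountPoints2
    "alice": ["{11111111-2222-3333-4444-555555555555}", "{66666666-7777-8888-9999-000000000000}"],
    "bob": ["{66666666-7777-8888-9999-000000000000}"],
}

if __name__ == "__main__":
    for ev in usb_storage_installs(parse_setupapi(SAMPLE_LOG)):
        print(ev.started, ev.status, ev.instance_path)
    print(users_who_mounted("4C530001234567890123", SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2))
```

On a real image the MountedDevices values are REG_BINARY holding a UTF-16LE string, so decode them before passing the dictionary in; the MountPoints2 list for each user comes from that user's own NTUSER.DAT, which is why the attribution only works when every profile hive on the system has been preserved.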
The tools
Most of the registry work is done with Registry Explorer and its command-line companion RECmd, both developed by Eric Zimmerman. These tools read Windows registry hive files at a binary level, replay transaction logs to reconstruct the most current state of the registry, and decode the raw timestamps into human-readable form. They're a de facto standard among digital forensics practitioners.
Why this matters
USB activity questions come up across a wide range of work: IP theft and data exfiltration investigations, insider-threat reviews, regulatory and compliance audits, civil litigation, and incident response. The artifacts described above are quiet, automatic, and difficult to spoof — they're recorded by the operating system itself, without the user's knowledge, every time a device touches the machine.
If your organization has a question about whether a specific USB device was used on a particular computer, when, or by whom, that question is almost always answerable from a properly preserved disk image.
Need to establish whether a USB device was connected to a Windows machine — and when, and by whom? Our Computer Forensics and Corporate Services teams handle this work. Open a case for a privileged consult.