Understanding USB/attached devices
USB devices carry several security risks. They are small, portable, high-capacity storage devices that can be used to exfiltrate data from an organization or to deliver malware into an organization to compromise its security protocols. As a digital forensic investigator, you will want to know whether any USB devices were attached to the host you are examining. We will now talk about some Windows system artifacts that allow you to identify USB device usage on the host.
We will now look at the results for two registry keys. The first key can be found at the following path:
SYSTEM\CurrentControlSet\Enum\USB
This registry key identifies the USB devices attached to the system, as shown in the following output:
usbdevices v.20140416
(System) Parses Enum\USB key for USB & WPD devices

VID_0781&PID_5580
LastWrite: Tue Mar 27 09:22:21 2018
  SN : AA010215170355310594
  LastWrite: Tue Mar...
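To work with this output in a timeline, the plugin report can be turned into structured records. The following is an added example, not code from the original text or from the plugin's author: it parses a constructed report in the same layout as the output above, assumes the LastWrite values are UTC, and flags instance IDs that Windows generated because the device reported no serial number. The function names and sample values are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the plugin output above; all values are made up.
SAMPLE = """\
usbdevices v.20140416
(System) Parses Enum\\USB key for USB & WPD devices

VID_1234&PID_ABCD
LastWrite: Tue Mar 27 09:22:21 2018
  SN : CONSTRUCTED0001
  LastWrite: Tue Mar 27 09:22:25 2018

VID_5678&PID_0001
LastWrite: Mon Apr  2 14:05:10 2018
  SN : 6&1a2b3c4d&0&2
  LastWrite: Mon Apr...
"""

DEVICE = re.compile(r"^VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

def parse_time(text):
    """Parse a LastWrite value (assumed UTC); truncated values give None."""
    try:
        stamp = datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc)

def parse_usbdevices(report):
    """Return one record per VID/PID key, each with its serial-number subkeys."""
    devices, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        match = DEVICE.match(line)
        if match:
            current = {"vid": match.group(1).upper(), "pid": match.group(2).upper(),
                       "key_lastwrite": None, "instances": []}
            devices.append(current)
        elif current is None:
            continue  # banner lines before the first device key
        elif line.startswith("SN"):
            serial = line.partition(":")[2].strip()
            # A second character of '&' marks an instance ID generated by Windows
            # because the device reported no serial number of its own.
            current["instances"].append({"serial": serial, "lastwrite": None,
                                         "windows_generated": serial[1:2] == "&"})
        elif line.startswith("LastWrite:"):
            stamp = parse_time(line.partition(":")[2])
            target = current["instances"][-1] if current["instances"] else current
            target["lastwrite" if current["instances"] else "key_lastwrite"] = stamp
    return devices
```

A serial flagged `windows_generated` identifies the device only on that host and port, so it should not be used to correlate the same device across systems.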