Post

USB 사용 기록 조사

Posted Updated
By umbum 1 min read
1

Event viewer -> system32 log (%SystemRoot%\inf\Setupapi.dev.log) -> registry

순으로 확인한다. 이벤트 뷰어랑 log는 기록이 누락되어 있는 경우가 잦다. 레지스트리를 직접 보려면 레지스트리 분석 도구를 이용해야 하기 때문에 어차피 도구를 이용할 거라면 USBDeview를 이용해서 보는 편이 낫다.

USB Device Tracking Artifacts on Windows 7, 8(RP)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

 Vendor & Product Name, Version
HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\Disk&Ven_{Vendor Name}&Prod_{Product Name}&Rev_{Version}

 Vendor ID, Product ID
HKLM\SYSTEM\ControlSet00#\Enum\USB\VID_{Vendor ID}&PID_{Product ID}

 Serial Number
HKLM\SYSTEM\ControlSet00#\Enum\USB\{Vendor ID & Product ID}\{Serial Number}
HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\{Device Class ID}\{Serial Number}&# 

 Volume Serial Number
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number} 

 Volume Label
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number}
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName (value) 
HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName (value) 

 Drive Letter
HKLM\System\MountedDevices (search for serial number)
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName (value)
HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName (value)

 Volume GUID
HKLM\SYSTEM\MountedDevices\\??\Volume{Volume GUID} (search for serial number)

 User Name
HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}

 First Connection Time (Last Written Time in registry key)
HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{10497B1B-BA51-44E5-8318-A65C837B6661}\{Sub Keys} 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\{Device Entry} 
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry} 

 First Connection Time After Booting (Last Written Time in registry key)
HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys} 
HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys} 
HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{6AC27878-A6FA-4155-BA85-F98F491D4F33}\{Sub Keys} 
HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{A5DCBF10-6530-11D2-901F-00C04FB951ED}\{Sub Keys} 
HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}

 Last Connection Time (Last Written Time in registry key)
HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\Device Parameters 
HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}
Security, Forensic
This post is licensed under CC BY 4.0 by the author.