analyzing-usb-device-connection-history


Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.


Skill Content

# Analyzing USB Device Connection History

## When to Use

- When investigating potential data exfiltration via removable storage devices
- During insider threat investigations to track USB device usage
- For compliance audits verifying removable media policy enforcement
- When correlating USB connections with file access and copy events
- For establishing a timeline of device connections during an incident

## Prerequisites

- Forensic image or extracted registry hives and event logs
- Access to SYSTEM, SOFTWARE, and NTUSER.DAT registry hives
- SetupAPI logs (setupapi.dev.log)
- Windows Event Logs (System, Security, DriverFrameworks-UserMode)
- USBDeview, USB Forensic Tracker, or RegRipper
- Understanding of USB device identification (VID, PID, serial number)

## Workflow

### Step 1: Extract USB-Related Artifacts

```bash
# Mount the forensic image read-only (partition starts at sector 2048) and copy the relevant artifacts
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence
mkdir -p /cases/case-2024-001/usb/

# Registry hives
cp /mnt/evidence/Windows/System32/config/SYSTEM /cases/case-2024-001/usb/
cp /mnt/evidence/Windows/System32/config/SOFTWARE /cases/case-2024-001/usb/
# Every profile's hive is named NTUSER.DAT, so prefix each copy with the username
# rather than letting later copies overwrite earlier ones
for profile in /mnt/evidence/Users/*/; do
    user=$(basename "$profile")
    [ -f "$profile/NTUSER.DAT" ] && cp "$profile/NTUSER.DAT" "/cases/case-2024-001/usb/NTUSER_${user}.DAT"
done

# SetupAPI logs (first connection timestamps)
cp /mnt/evidence/Windows/INF/setupapi.dev.log /cases/case-2024-001/usb/

# Event logs
cp /mnt/evidence/Windows/System32/winevt/Logs/System.evtx /cases/case-2024-001/usb/
cp "/mnt/evidence/Windows/System32/winev...
```
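Step 1 copies setupapi.dev.log for its first-connection timestamps. The parser below is an added example, not code from the skill or the mukul975 repository: it pulls each USB device's earliest "Device Install" timestamp out of that log, splits the instance ID into vendor/product (or VID/PID) and serial, and flags instance IDs that Windows generated for devices that reported no serial number. The log lines are constructed, and the names `parse_setupapi` and `describe` are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
# setupapi.dev.log: device instance ID on the ">>>  [Device Install ...]" line, timestamp on the next "Section start" line
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
USBSTOR_RE = re.compile(r"^USBSTOR\\[^&\\]+&Ven_(?P<maker>[^&\\]*)&Prod_(?P<model>[^&\\]*)"
                        r"(?:&Rev_[^\\]*)?\\(?P<inst>[^\\]+)$", re.I)
USB_RE = re.compile(r"^USB\\VID_(?P<maker>[0-9A-F]{4})&PID_(?P<model>[0-9A-F]{4})"
                    r"(?:&[^\\]*)?\\(?P<inst>[^\\]+)$", re.I)
@dataclass
class UsbInstall:
    device_id: str
    first_seen: datetime
    maker: str = None           # Ven_ string (USBSTOR) or VID (USB bus)
    model: str = None           # Prod_ string (USBSTOR) or PID (USB bus)
    serial: str = None          # None when Windows synthesised the instance ID
    unique_serial: bool = False

def describe(device_id):
    """Split a USB or USBSTOR device instance ID into maker, model and serial."""
    if not (m := USBSTOR_RE.match(device_id) or USB_RE.match(device_id)):
        return {}
    inst = m.group("inst")
    # '&' as 2nd char: device reported no serial, Windows generated the ID (not unique across hosts)
    generated = len(inst) > 1 and inst[1] == "&"
    return {"maker": m.group("maker"), "model": m.group("model"),
            "serial": None if generated else inst.split("&")[0], "unique_serial": not generated}

def parse_setupapi(text):
    """One UsbInstall per device ID, recording its earliest 'Section start' time."""
    first, pending = {}, None
    for line in text.splitlines():
        if h := HEADER_RE.match(line):
            pending = h.group("devid")
        elif (s := START_RE.match(line)) and pending:
            ts = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            if pending not in first or ts < first[pending].first_seen:
                first[pending] = UsbInstall(pending, ts, **describe(pending))
            pending = None
    return sorted(first.values(), key=lambda d: d.first_seen)
# Constructed sample in setupapi.dev.log format (not taken from a real system)
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/02/03 09:05:44.010
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0&_&0]
>>>  Section start 2024/01/15 14:23:12.789
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/01/15 14:23:11.123
"""
```

A device whose `unique_serial` is False cannot be matched to the same physical stick on another host by instance ID alone, so correlate it through the USB bus VID/PID entry and the connection time instead.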

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0
