External Device

External Device is used to track Removable Media activity. Removable Media is one of the most prevalent attack vectors for malware and a common exfiltration tactic for insider threats. Fortunately for us, Windows keeps track of a considerable number of data points regarding USB devices. We can identify the first and last time a USB device was inserted into a host, what drive letter was assigned, and properties of the specific USB device itself, such as the vendor, product, and serial number.

Drive Letter and Volume Name

Discover the last drive letter assigned to the USB device when it was plugged into the machine.

First/Last Times

Determine temporal usage of specific USB devices connected to a Windows Machine.

Key Identification

Track USB devices plugged into a machine.

PNP Events

Track Plug and Play driver installations.

Shortcut (LNK) Files

Opening Local and Remote data files will generate a Shortcut file.

User

Identify the User that used the Unique USB Device.

Volume Serial Numbers

Discover the Volume Serial Number of the File System Partition on the USB.