First/Last Times

Description: Determine when specific USB devices were connected to and used on a Windows machine.

Location:

  • C:\Windows\System32\Config\SYSTEM
    • SYSTEM\CurrentControlSet\Enum\USBSTOR\<Vendor_Product_Version>\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}####

Notes: The SYSTEM hive can be used to identify First, Last, and Removal Times:

  • 0064 == First Install (Windows 7/8/10)
  • 0066 == Last Connected (Windows 8/10)
  • 0067 == Last Removal (Windows 8/10)

Analysis: Using Registry Explorer by Eric Zimmerman, we can load the SYSTEM registry hive and analyze the SYSTEM\CurrentControlSet\Enum\USBSTOR\<Vendor_Product_Version>\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29} key.



We can reference the corresponding subkeys to capture timestamps for when the USB device under examination was used. These timestamps are stored natively as 64-bit Windows time values in hex, but Registry Explorer converts them automatically and presents the times in UTC.

The 0064 subkey shows the first install date of the USB device.



The 0066 subkey shows the last time that a USB device was connected.



The 0067 subkey shows the last time that a USB device was removed, regardless of how the USB device was disconnected.
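When the raw value data has to be decoded without Registry Explorer, the conversion described above can be reproduced by hand. The following is an added example, not part of the original write-up or of Registry Explorer; it assumes the 8-byte value data of each subkey has already been exported, and the function names and sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows time counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property subkeys and their meanings, as listed in the notes above.
USBSTOR_TIMES = {
    "0064": "First Install",
    "0066": "Last Connected",
    "0067": "Last Removal",
}


def filetime_to_utc(raw):
    """Decode 8 little-endian bytes of Windows time into a UTC datetime.

    Returns None for an all-zero (unset) value.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    if ticks == 0:
        return None
    # Integer division keeps the result exact to the microsecond.
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def usb_timeline(values):
    """Map {subkey name: raw bytes} to {label: UTC datetime or None}.

    A subkey missing from the hive (0066/0067 on Windows 7) yields None.
    """
    return {
        label: filetime_to_utc(values[key]) if key in values else None
        for key, label in USBSTOR_TIMES.items()
    }


# Constructed sample values (not from a real hive), packed as 8-byte data.
SAMPLE_WIN10 = {
    "0064": struct.pack("<Q", 132602922000000000),
    "0066": struct.pack("<Q", 132607053000000000),
    "0067": struct.pack("<Q", 132607072500000000),
}

if __name__ == "__main__":
    for label, ts in usb_timeline(SAMPLE_WIN10).items():
        print(f"{label:15} {ts.isoformat() if ts else 'not recorded'}")
```

Comparing the decoded values against what Registry Explorer displays for the same subkeys is a quick way to validate either tool's output.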