User

Description: Identify the User that used the Unique USB Device.

Location:

C:\Users\
\NTUSER.DAT
- NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
C:\Windows\System32\Config\SYSTEM
- SYSTEM\MountedDevices\GUID

Notes: This GUID will be used next to identify the user that plugged in the device. The last write time of this key also corresponds to the last time the device was plugged into the machine by that user. The number will be referenced in the user’s personal mountpoints key in the NTUSER.DAT Hive.

Analysis:
Coming Soon!