Saturday, August 18, 2012

Tracking USB First insertion in Event logs

The tracking of USB removable disks has been discussed and analyzed in detail using the usual methods: looking at the Windows registry for plugged-in devices (USBSTOR keys), registry shell bags, SetupApi logs, etc.

A while back, while researching something else, I happened to hit upon an artifact not known for this purpose: the Windows Event Log. The first time a USB device is inserted into a Windows PC, it is logged in a little-known log maintained for the 'ReadyBoost' functionality. This is only true for Windows Vista and above, as XP did not have ReadyBoost. For more information on ReadyBoost refer here

Whenever a new drive is connected to a Windows system, Windows tests that drive's read/write speed by creating a file on the drive and then deleting it, and the result is logged in the ReadyBoost log. From an investigator's point of view this does not give us much information about the connected disk, but it does give some useful details, notably the name of the disk, sometimes the size (as shown in the pic below), and the date/time when the device was first connected to that system. This should correlate to the SetupApi log date/time.

ReadyBoost Operational log under Windows Event Viewer

The messages usually carry EventIDs in the range 1000-1023, with 1015 and 1016 being irrelevant for this purpose (performance calculations for booting). The log even records devices that are not disks, such as 3G dongles, and non-USB devices, such as mounted VHD files, with messages such as these:

This was for a partition on a mounted VHD file.
The date/time of log matches the date/time when partition was created.

When a new 3G dongle was plugged in..

When an IronKey was plugged in..

With this artifact we have one more way to confirm the date of first insertion of a device. This should be useful in cases where the registry keys make it difficult to confirm dates or device names/types.

The full path of this event log file on the system is

In the windows event viewer, you can view this log under
'Applications and service logs\Microsoft\Windows\ReadyBoost\Operational'. 
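As an added example (not from the original post), the PowerShell below reads the ReadyBoost Operational log described above, drops the 1015/1016 boot-performance events, and lists the remaining entries oldest-first so the earliest line for a device is its first-insertion time; a second function pulls the UserPnp 20001 driver-install events from the System log (mentioned in the comments) for correlation. The log name 'Microsoft-Windows-ReadyBoost/Operational', the provider name 'Microsoft-Windows-UserPnp' and the 20001 message layout are assumptions based on the Event Viewer path and the regex in the comments.

```powershell
# Added example, not the post's own code. Assumes the ReadyBoost log name
# and the UserPnp provider/message layout named in the lead-in.
function Get-ReadyBoostDeviceEvents {
    param(
        # Optional path to an exported .evtx copy; otherwise the live log is read.
        [string]$EvtxPath,
        [int[]]$ExcludeId = @(1015, 1016)   # boot performance calculations
    )
    $filter = @{}
    if ($EvtxPath) { $filter['Path'] = $EvtxPath }
    else { $filter['LogName'] = 'Microsoft-Windows-ReadyBoost/Operational' }

    # Filter on the ID range in PowerShell rather than in the hashtable so the
    # query stays small; an empty log is not an error for our purposes.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ge 1000 -and $_.Id -le 1023 -and
                       $ExcludeId -notcontains $_.Id } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-UserPnpDiskInstalls {
    # Mirrors the Splunk search in the comments: keep disk.inf installs,
    # drop floppy (flpydisk.inf) entries, and pull out the instance ID.
    $rx = 'install driver (?<driver>\S+) for Device Instance ID (?<instance>\S+) ' +
          'with the following status: (?<status>0x[0-9A-Fa-f]+)'
    Get-WinEvent -FilterHashtable @{ LogName = 'System';
                                     ProviderName = 'Microsoft-Windows-UserPnp';
                                     Id = 20001 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $rx -and
                       $Matches.driver -like '*disk.inf*' -and
                       $Matches.driver -notlike '*flpydisk.inf*' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Driver      = $Matches.driver
                InstanceId  = $Matches.instance
                Status      = $Matches.status
            }
        } | Sort-Object TimeCreated
}

# Usage (run elevated for the live logs):
#   Get-ReadyBoostDeviceEvents | Format-Table -Wrap
#   Get-UserPnpDiskInstalls    | Format-Table -AutoSize
```

Compare the earliest ReadyBoost timestamp for a device with its 20001 entry and the SetupApi log to confirm the first-insertion date from three independent sources.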


  1. Nice artifact, Yogesh. Given the lack of adoption of ReadyBoost by consumers, I'm guessing we won't see this one after Windows 7.

    This reminds me of one of my favorite Event Log artifacts for removable media: the "UserPnp" events now present in the Windows 7 System Log. Event ID 20001 provides information similar to the, but formatted like the USBSTOR registry key.

    1. I'm happy to report that this Event Log is indeed present in the Windows 8 RTM.

    2. I figured I would share this on here since Chad mentioned it.

      sourcetype=WinEventLog:System EventCode="20001" | dedup Message | rex field=Message "Driver Management concluded the process to install driver (?<driver_name>.*) for Device Instance ID (?<usb_info>.*) with the following status: (?<status>0x0)" | search driver_name="*\disk.inf" NOT driver_name="*\flpydisk.inf" | table _time usb_info status
