Parse USB Connection History
The Microsoft Windows operating systems records artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDD, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files as well as the Windows Registry.
For a forensic investigator dealing with the theft, movement, or access to data, these artifacts can play a critical role in an investigation.
Features
- New: Contains a cached copy of USB ID’s from http://www.linux-usb.org/usb.ids. If available VID/PID values will be looked up to provide additional device information.
- Parses Computer Name to easily help locating USB devices used across multiple computers.
- Displays over 20 attributes
- Wizard driven analysis
- Parses SetupAPI Logs (and backup logs)
- Able to parse multiple NTUSER.DAT files at a time
- Requirements: Microsoft .NET Framework v4.0
- Free for both personal and commercial use
