Whilst teaching evidence of USB connections in FOR500, a student asks an awesome question: What evidence is left behind if a USB is connected when no user is logged into the system? Mind blown! My gut says that either:
No USB connection artifacts will be recorded, or
Because Windows still 'pings' when you connect the USB even if not logged in, a driver install is happening, so you might get the system USB artifacts, but not any user-specific data.
But ultimately, no idea! So, let's find out... I'm currently logged into my Windows 10 SIFT workstation, so I restart and don't login when it reboots. I then connect a few different random USB devices that I know haven't ever been connected to that VM before. I then login and open up trusty Registry Explorer. Working my way through the External Device/USB Usage section on the Red Poster & I didn't find what I expected to find!
Artifact | New USB device added? |
SYSTEM\CurrentControlSet\Enum\USBSTOR | Yes |
SYSTEM\CurrentControlSet\Enum\USB | Yes |
C:\Windows\inf\setupapi.dev.log | Yes |
SYSTEM\MountedDevices | Yes (mounted as E:/) |
SOFTWARE\Microsoft\Windows Portable Devices\Devices | Yes |
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | YES (last logged-on user) |
Because I found that user-based artifact in NTUSER.DAT, I created a second local account on the VM, logged in using that account, then rebooted the system and repeated the test. Sure enough, the NTUSER.DAT artifact was created in the new account profile this time and not the original account. This therefore looks to record the USB GUID in the profile of the last logged-in user. But wait, what if Windows doesn't actually log the user account out when the system reboots. Technically then, a user account is still logged-in, which would explain what's happening. Third test: I manually log out of both accounts (right-click on profile icon -> Sign out), reboot the system and repeat the test. Aha! The results I was expecting (option 2)...
Artifact | New USB device added? |
SYSTEM\CurrentControlSet\Enum\USBSTOR | Yes |
SYSTEM\CurrentControlSet\Enum\USB | Yes |
C:\Windows\inf\setupapi.dev.log | Yes |
SYSTEM\MountedDevices | Yes (mounted as E:/) |
SOFTWARE\Microsoft\Windows Portable Devices\Devices | Yes |
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 | No |
So, it seems the answer is 'It Depends'. What a surprise! Windows doesn't log the current user out of the system when it's rebooted, so if a USB device is connected before the password is entered on reboot, the USB device connection will be attributed to the still-logged-in user account (the last one logged-in if more than one user is logged-in). However, if the user clicks on 'Sign out' to actually log out of their account, no user-related artifact will be left in their NTUSER.DAT MountPoints2 registry key. You will still see that the USB device has been connected, you just won't see that connection being attributed to a specific user account. UPDATE 2021-10-09 I had a follow-on question on Twitter: If you are logged-in and reboot the system, then connect a USB device, then log in as a different user... does the USB get added to both user's NTUSER.DAT hives? No idea! Love the question; let's find out! Long story short, I did six tests in total:
the first two tests (using the two existing user accounts on the VM) resulted in the USB being written only to the NTUSER.dat hive for the first user, so the one that rebooted the system before the USB was connected
the next three tests (using two new user accounts - one 'admin', one 'standard') resulted in the opposite; the USB was only written to the NTUSER.DAT hive for the second user, so the one that logged in following the reboot, with the USB already connected
the last test (using one of the new accounts & one of the existing accounts) resulted in the first outcome; the USB was recorded in the NTUSER.DAT hive for the first user account, which rebooted the system
TDLR: No! It will only be added to one of the user's hives, but which one seems inconsistent. Thanks Microsoft! As an interesting aside, I checked out the Event Logs and found ID 4624 events (logon type 2) after reboot for the user account that initiated the reboot, confirming that Windows does indeed automatically re-login the user that was logged in when the system was rebooted. In all of my tests, this was followed a short time later by the actual logon I performed, to the other user account. I've now run out of USBs to connect to this system 'for the first time', so I'm done!