Let me start by saying that, yes: many tools already exist to parse information out of the Windows Registry and/or the Event Log. However, while I was conducting my own tool validation processes (see https://github.com/khyrenz/tool_validation), I realised that very few tools parse this information out and automatically populate the kind of table that I would be adding into my forensic report.
So... I did a bit of R&D, and I present to you a Python script that does just that; creatively named parseusbs!
You can download the parseusbs script from here: https://github.com/khyrenz/parseusbs
The script uses:
regipy offline Registry hive parser library from Martin G. Korman: https://github.com/mkorman90/regipy/tree/master/regipy
python-evtx Event Log parser from Willi Ballenthin: https://pypi.org/project/python-evtx/
This means that you need to have these dependencies installed for the script to run. You can install them using:
pip3 install regipy python-evtx
What does the script do, I hear you ask! Well... it parses out either individual Registry hive files, or runs through a mounted volume to find and parse the Registry hives, as well as Microsoft-Windows-Partition%4Diagnostic.evtx and Microsoft-Windows-Storsvc%4Diagnostic.evtx Event Logs. If parsing individual hives, you need to provide the path to the SYSTEM hive. The SOFTWARE and any NTUSER.dat (of which you can provide multiple) hives are optional parameters.
Note: Parsing a mounted volume is the better option here as you'll get more information. The script now also automatically solves Windows permission errors you may have encountered if you used an earlier version of this script, although for this, you need to run the script from a Terminal window that is running as Admin (either Windows Terminal or using WSL).
For reference, the script parses the following data:
SYSTEM\Select\Current -> to get CurrentControlSet
SYSTEM\CurrentControlSet\Enum\USB
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\SCSI
SYSTEM\MountedDevices
SOFTWARE\Microsoft\Windows Portable Devices\Devices
SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Event ID 1006 in Microsoft-Windows-Partition%4Diagnostic.evtx
Event IDs 1001 and 1002 in Microsoft-Windows-Storsvc%4Diagnostic.evtx
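As an added illustration (not code from parseusbs or regipy), this shows how two of the artefacts listed above are joined: a SYSTEM\MountedDevices value for a USB volume is a UTF-16LE device path carrying the USBSTOR device ID and serial, and the {volume GUID} subkeys under a user's MountPoints2 key reuse the same GUID that MountedDevices names, so a drive letter, a serial and a user account can be tied together. The function and class names (UsbDevice, parse_usbstor, parse_mounted_device and so on) are hypothetical, and the registry values are constructed inline rather than read from a hive (in practice they would come from the hive via a parser such as regipy).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device ID under SYSTEM\CurrentControlSet\Enum\USBSTOR, e.g. Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00
USBSTOR_ID = re.compile(r"^[^&]+&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")
@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    windows_generated_serial: bool  # device reported no unique serial, so Windows made one up

def parse_usbstor(device_id: str, instance_id: str) -> Optional[UsbDevice]:
    """Turn a USBSTOR device ID plus its instance subkey name (the serial) into a UsbDevice."""
    m = USBSTOR_ID.match(device_id)
    if not m:
        return None
    # A real serial is stored as "<serial>&0"; a Windows-generated one has '&' as its 2nd character
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    serial = instance_id if generated else instance_id.rsplit("&", 1)[0]
    return UsbDevice(m["ven"], m["prod"], m["rev"], serial, generated)

def parse_mounted_device(data: bytes) -> Optional[UsbDevice]:
    """Decode one MountedDevices value: 12 bytes (MBR signature + offset) is a fixed disk, longer is a UTF-16LE path like \\??\\USBSTOR#<device id>#<serial>&0#{class guid}."""
    if len(data) <= 12:
        return None
    parts = data.decode("utf-16-le").rstrip("\x00").split("#")
    if len(parts) < 3 or not parts[0].upper().endswith("USBSTOR"):
        return None
    return parse_usbstor(parts[1], parts[2])

def usb_devices_by_volume(mounted: Dict[str, bytes]) -> Dict[str, UsbDevice]:
    """Map each \\DosDevices\\X: and \\??\\Volume{GUID} name in MountedDevices to its USB device."""
    return {name: dev for name, data in mounted.items() if (dev := parse_mounted_device(data))}

def devices_seen_by_user(mountpoints2_subkeys: List[str], by_volume: Dict[str, UsbDevice]) -> List[UsbDevice]:
    """MountPoints2 in NTUSER.DAT has a {volume GUID} subkey per volume that user opened; join on the GUID."""
    by_guid = {n[len("\\??\\Volume"):].lower(): d for n, d in by_volume.items() if n.startswith("\\??\\Volume")}
    return [by_guid[k.lower()] for k in mountpoints2_subkeys if k.lower() in by_guid]

SAMPLE_GUID = "{12345678-abcd-4ef0-9876-0123456789ab}"  # constructed sample data, not from a real system
_USB_PATH = "\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230112345678&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("aabbccdd") + (1048576).to_bytes(8, "little"),  # fixed disk
    "\\DosDevices\\F:": _USB_PATH.encode("utf-16-le"),
    "\\??\\Volume" + SAMPLE_GUID: _USB_PATH.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = [SAMPLE_GUID, "##server#share"]  # subkey names from one user's NTUSER.DAT
```

Running usb_devices_by_volume(SAMPLE_MOUNTED) yields the SanDisk device for both F: and the volume GUID entry, and devices_seen_by_user(SAMPLE_MOUNTPOINTS2, ...) returns that same device for the user, while the 12-byte C: value is skipped as a fixed disk.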
You can output the results in key-value pairs or in CSV format. If you choose the CSV format, you also get a bonus file with a timeline showing USB connection and disconnection events (although you will likely need to sort these into date order, as they're printed by device rather than chronologically).
How to run it...
Get help
python3 parseUSBs.py -h
Parse individual Registry hive files
(In WSL:) python3 parseUSBs.py -s SYSTEM -w SOFTWARE -u NTUSER.DAT
(In Windows CMD:) python parseUSBs.py -s F:/Windows/System32/config/SYSTEM -w F:/Windows/System32/config/SOFTWARE -o csv
Parse mounted volume
(In Windows CMD:) python parseUSBs.py -v F:\
(In WSL:) python3 parseUSBs.py -v /mnt/f
(In WSL - save output to CSV file:) python3 parseUSBs.py -v /mnt/f -o csv
[Screenshots of the sample output files usb-info.csv and usb-timeline.csv]