USB Historian

We’ve been quietly developing digital forensics tools and forensic software to assist in our analysis for almost 10 years, and until recently, all of that source code has been sitting around and collecting dust. As time permits, we will be dusting it off, adding some updates, and releasing some of it to the public.

Think of it as our way of saying thank you to everyone who has written articles, published research, or contributed software/code to the forensic community.

These utilities are provided “as-is” and are free for both personal and commercial use. As with any software, including ours, you should always independently validate your findings. Oh, and if you find any of our utilities useful, feel free to drop by @chadgough or @4Discovery on Twitter and say thanks. Bug reports and feature requests are always welcome!

Parse USB Connection History

Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files (the SetupAPI logs) as well as in the Windows Registry.

For a forensic investigator dealing with data theft, data movement, or data access, these artifacts can play a critical role in an investigation.

Features

  • New: Contains a cached copy of USB IDs from http://www.linux-usb.org/usb.ids. If available, VID/PID values are looked up to provide additional device information (vendor and product names).
  • Parses the computer name to help locate USB devices used across multiple computers.
  • Displays over 20 attributes
  • Wizard driven analysis
  • Parses SetupAPI Logs (and backup logs)
  • Able to parse multiple NTUSER.DAT files at a time
  • Requirements: Microsoft .NET Framework v4.0
  • Free for both personal and commercial use
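As an added illustration of what the two features above involve (this is example code written for this page, not USB Historian's own source), the Python below reads a usb.ids-formatted vendor/product list and pulls device-install records out of a setupapi.dev.log, then joins the two on VID/PID. Both inputs are constructed excerpts that follow the real file layouts; the registry side (NTUSER.DAT, USBSTOR keys) is not covered here.

```python
import re
from datetime import datetime

# Constructed excerpt in the layout of http://www.linux-usb.org/usb.ids:
# vendor lines start with a 4-hex-digit VID, device lines are tab-indented.
USB_IDS_SAMPLE = """\
# List of USB ID's (constructed excerpt for this example)
0781  SanDisk Corp.
\t5567  Cruzer Blade
\t5581  Ultra
0951  Kingston Technology
\t1666  DataTraveler 100 G3
"""

# Constructed excerpt in the layout of a Windows setupapi.dev.log.
# The third part of the instance ID is the device serial when the device
# reports one; Windows-generated IDs (no serial) have '&' as their second char.
SETUPAPI_SAMPLE = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001230507110432]
>>>  Section start 2013/07/24 10:15:32.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2013/07/24 10:15:35.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0951&PID_1666\\0019E06B12345678]
>>>  Section start 2013/07/25 08:02:11.000
<<<  Section end 2013/07/25 08:02:12.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_ABCD&PID_0001\\6&2a1b3c4d&0&3]
>>>  Section start 2013/07/26 09:00:00.000
<<<  Section end 2013/07/26 09:00:01.000
<<<  [Exit status: SUCCESS]
"""

VENDOR_RE = re.compile(r"([0-9a-fA-F]{4})\s+(.*)")
DEVICE_RE = re.compile(r"\t([0-9a-fA-F]{4})\s+(.*)")
INSTALL_RE = re.compile(
    r">>>\s+\[Device Install \(Hardware initiated\) - "
    r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\]]+)\]"
)
START_RE = re.compile(r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_usb_ids(text):
    """Return {(vid, None): vendor, (vid, pid): product} from usb.ids text."""
    ids = {}
    vid = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith("\t"):
            m = DEVICE_RE.match(line)
            if vid is not None and m:
                ids[(vid, m.group(1).lower())] = m.group(2).strip()
            continue
        m = VENDOR_RE.match(line)
        if m:
            vid = m.group(1).lower()
            ids[(vid, None)] = m.group(2).strip()
        else:
            vid = None  # class/other sections: ignore their sub-entries
    return ids


def parse_setupapi(text, ids):
    """Return one record per USB device-install section, enriched via ids."""
    events = []
    current = None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            vid, pid, inst = m.group(1).lower(), m.group(2).lower(), m.group(3)
            current = {
                "vid": vid, "pid": pid, "instance_id": inst,
                # '&' in position 2 marks a Windows-generated ID, i.e. no serial
                "has_serial": len(inst) > 1 and inst[1] != "&",
                "vendor": ids.get((vid, None)),   # None when VID unknown
                "product": ids.get((vid, pid)),   # None when PID unknown
                "first_install": None,            # local system time in the log
            }
            events.append(current)
            continue
        m = START_RE.match(line)
        if m and current is not None and current["first_install"] is None:
            current["first_install"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return events


def usb_history():
    return parse_setupapi(SETUPAPI_SAMPLE, parse_usb_ids(USB_IDS_SAMPLE))


if __name__ == "__main__":
    for e in usb_history():
        print(e["first_install"], e["vid"], e["pid"], e["vendor"], e["product"],
              "serial" if e["has_serial"] else "no-serial", e["instance_id"])
```

Two details worth keeping in mind when reading real logs: setupapi.dev.log timestamps are written in the local time of the examined system, so they need a time-zone correction before correlation with UTC sources; and a VID/PID that is absent from usb.ids (the third record above) yields `None` for vendor and product rather than an error, which is the "missing VID/PID" case the v1.3 changelog mentions fixing.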

Screenshots

USB Historian

USB Historian v1.3 - Released 07-24-2013

v1.3 (07-24-2013)

  • *New:* Contains a cached copy of USB IDs from http://www.linux-usb.org/usb.ids. If available, VID/PID values are looked up to provide additional device information.
  • You can now parse multiple sources. Results will be appended to the existing results or optionally cleared.
  • Fixed crash when VID/PID values were missing
