Version 1.6.4 (10/25/2023)

      • Added independent tracking of files skipped due to processing error or a user-initiated skip. The list of skipped files is available post-processing via the Export > Skipped Files List menu option.
      • Added ability to skip a file during processing via the Tools > Skip Current File menu item. This option is intended as a last resort when a single file is taking an extended period of time to process and the user wishes to examine that file manually outside of USB Detective.
      • Resolved issue where selection of the Windows 10 / Windows Server 2016 option in the Choose Profile dialogue prevented USB Detective from proceeding with processing.
      • Improved detection of Windows 11 operating system, version, and build number.
      • Resolved issue with parsing ClassGUID value from certain Enum\USB subkey hierarchies.
      • Various UI enhancements.

Version 1.6.3 (01/16/2023)

      • Added support for identification of potential device volume formats. When a potential format is identified, the date range of the potential format is recorded in the verbose device details and the user is provided with a notice of the event.
      • Added support for identification of the same volume serial number (VSN) across different devices (based on serial/UID). Since an identical VSN across different devices will impact LNK file and jump list correlation (a VSN match can no longer be attributed to a single device), the user is notified when this is detected.
      • Added support for parsing EID 6416 from Security event logs. Security EID 6416 is logged when an external device is recognized by the system, but only if the corresponding audit subcategory (Audit PnP Activity) is enabled, so it will be absent on systems with default audit settings.
      • Added option to skip LNK file and jump list processing.
      • Added serial/UID location to verbose TXT reports.
      • Added comparison check for the serial/UID identified in USBSTOR, USB, and other locations against the “serial number” (aka “SCSI Serial/UID”) reported in event logs such as Partition/Diagnostic. When the two identifiers do not match, the SCSI serial/UID is added to the tool tip that appears when hovering over the serial/UID column of the results grid. In this scenario, the SCSI serial/UID is also added to the top of the verbose details window for the impacted device.
      • Expanded support for device class GUID resolution found in various locations such as Enum\USB and Enum\USBSTOR.
      • Various UI enhancements throughout.
      • Resolved issue in processing some Partition/Diagnostic event logs that previously resulted in a very long processing time.
      • Resolved issue where some smart card readers present in the Enum\USB subkey hierarchy could appear in the results.
      • Resolved issue where duplicate device entries could be present when certain devices were identified in the Enum\SCSI subkey.
      • Improved correlation and deduplication of devices in the Results Grid.
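The VSN notice and the LNK/jump list correlation described in the 1.6.3 notes above, as an added example. This is illustrative code written for this page, not USB Detective's own implementation; the device table, LNK records, serial/UIDs, paths and VSN values are all constructed, and the include_without_device flag is a hypothetical equivalent of reporting LNK records that map to no known device.

```python
from collections import defaultdict

# Constructed sample data (not from a real case). Devices are keyed by the
# serial/UID recovered from Enum\USBSTOR / Enum\USB; "vsn" is the 32-bit volume
# serial number recovered for that device's volume.
DEVICES = {
    "4C530001230425118551": {"description": "SanDisk Cruzer Glide USB Device", "vsn": 0x1A2B3C4D},
    "070A3E8D1A2B3C4D":     {"description": "Kingston DataTraveler 3.0 USB Device", "vsn": 0x1A2B3C4D},
    "AA04012700013494":     {"description": "Generic Flash Disk USB Device", "vsn": 0x7E5F0011},
}

RECENT = r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent"

# Constructed LNK / jump list records: "vsn" is the DriveSerialNumber stored in
# the link's VolumeID structure, which is all that ties the record to a volume.
LNK_RECORDS = [
    {"target": r"E:\reports\q3.xlsx",   "vsn": 0x1A2B3C4D, "source": RECENT + r"\q3.lnk"},
    {"target": r"F:\photos\img001.jpg", "vsn": 0x7E5F0011, "source": RECENT + r"\img001.lnk"},
    {"target": r"G:\tools\setup.exe",   "vsn": 0x33445566, "source": RECENT + r"\setup.lnk"},
]


def devices_by_vsn(devices):
    """Invert the device table: VSN -> sorted serial/UIDs that carry that VSN."""
    index = defaultdict(list)
    for serial, dev in devices.items():
        if dev.get("vsn") is not None:
            index[dev["vsn"]].append(serial)
    return {vsn: sorted(serials) for vsn, serials in index.items()}


def shared_vsns(devices):
    """VSNs observed on more than one distinct device (by serial/UID).
    Each one is a correlation hazard: a LNK carrying that VSN cannot be
    attributed to a single device without other evidence."""
    return {vsn: serials for vsn, serials in devices_by_vsn(devices).items()
            if len(serials) > 1}


def correlate_lnks(lnk_records, devices, include_without_device=False):
    """Attach candidate device serial(s) to each LNK/jump list record by VSN.
    Records whose VSN matches no known device are dropped unless
    include_without_device is set (hypothetical flag mirroring the choice to
    report all LNK records regardless of whether they map to a known device)."""
    index = devices_by_vsn(devices)
    results = []
    for rec in lnk_records:
        serials = index.get(rec["vsn"], [])
        if not serials and not include_without_device:
            continue
        results.append({
            "target": rec["target"],
            "source": rec["source"],
            # Windows XXXX-XXXX display form of the 32-bit VSN, high word first
            "vsn": f"{rec['vsn'] >> 16:04X}-{rec['vsn'] & 0xFFFF:04X}",
            "devices": serials,
            "ambiguous": len(serials) > 1,
        })
    return results


if __name__ == "__main__":
    for vsn, serials in shared_vsns(DEVICES).items():
        print(f"NOTICE: VSN {vsn:08X} shared by {len(serials)} devices: {', '.join(serials)}")
    for row in correlate_lnks(LNK_RECORDS, DEVICES, include_without_device=True):
        flag = "AMBIGUOUS" if row["ambiguous"] else ("no device" if not row["devices"] else "ok")
        print(f"{row['vsn']}  {row['target']:<24} -> {row['devices'] or '-'}  [{flag}]")
```

The point of the shared-VSN check is that a VSN is assigned at format time, not manufacture time, so a cloned image written to two sticks, or a re-used volume, produces the same VSN on different hardware. Any "file opened from device X" conclusion drawn from a LNK with an ambiguous VSN needs a second artifact (drive letter plus MountedDevices, timestamps, or event log records) before it is reported.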

Version 1.6.2 (03/23/2021)

      • Added support for identification of exFAT volumes and parsing exFAT VSNs, when available in the Microsoft-Windows-Partition\Diagnostic event log. All exFAT VSNs will also be correlated to any available LNK files and jump lists.
      • Added support for displaying details about additional device MBRs and VBRs (when available) from the Microsoft-Windows-Partition\Diagnostic event log. These details are now included in USB Detective’s verbose view. See this post from @theAtropos4n6 for detail on these additional VBRs.
      • Auxiliary reports (accessed files, interacted directories, and timeline) can now be created even when no USB devices are identified.
      • The Results Grid will now display the most common Volume Name identified for a device (when multiple volume names are identified). Previously, the occurrence count was not used in displaying the volume name.
      • Improved handling of non-removable devices.
      • Resolved issue where certain iPhones were not properly identified in Windows XP.
      • Resolved issue where the source file path of files accessed on a USB device was missing from the verbose details.
      • Various UI enhancements throughout.

Version 1.6.1 (10/28/2020)

      • Added support for the Microsoft-Windows-Storsvc/Diagnostic event log.
      • Added support for non-removable (e.g. internal) disks to be optionally included in the results.
      • Added support for the SCSI subkey of the ‘DeviceMigration’ subkey hierarchy, which includes Storport devices and non-removable devices (when enabled).
      • Added functionality to display default artifact storage locations now available via “?” button in the Select Files/Folders processing window.
      • Automatic check for updates is now enabled. This option can be disabled via Tools > Options.
      • Resolved issue where the wrong timezone abbreviation could be displayed in the Results Grid column header when multiple timezone settings were identified and the “leave in stored format” option was selected during processing.
      • Various logging enhancements throughout.

Version 1.6.0 (11/18/2019)

      • Added support for processing and reporting on ShellBags from Vista+ systems. ShellBags can be included in the results grid and/or timeline reports for increased visibility into directory interactions. See the USB Detective user guide for more detail.
      • The Processing Statistics window is now available for viewing on-demand after processing completes via the View > Processing Statistics menu option.
      • Improved handling of certain jump lists where the DestList path field does not include a real file path.
      • All timestamps are now displayed in UTC by default (including those in the USB Detective log).
      • Various UI enhancements throughout.

Version 1.5.4 (09/04/2019)

      • Hostname and Network Share Name are now included in Opened/Accessed files section of the Results Grid report when the “Include LNKs Without VSN” option is enabled. Since enabling this option will cause LNK and jump list references to network shares to be included, the Hostname and Network Share Name are added as additional fields to provide more context to the report record. When creating a timeline report that includes opened/accessed files, the Network Share Name is listed in the Description column of the timeline.
      • Resolved issue where the “Include LNKs Without VSN” option would not be applied to certain jump list records.
      • Various small UI enhancements.

Version 1.5.3 (08/26/2019)

      • Improved correlation of devices located only in the ‘DeviceMigration’ subkey hierarchy (i.e. removed by a Windows feature update and not connected again).
      • Improved correlation of certain types of UIDs associated with generic USB disks.
      • Improved handling of LNK and jump list record deduplication.
      • Improved handling of jump list records that do not have an embedded VSN but may be associated with a removable device.
      • The “Include LNKs without VSN” option now applies to jump list records as well.
      • The “Include Opened/Accessed Files” Results Grid reporting option now defaults to including all LNK file and jump list records, regardless of whether they are associated with a known device.

Version 1.5.2 (08/07/2019)

      • Resolved issue preventing some hives from being processed when no transaction logs were provided.
      • Resolved issue preventing some SYSTEM and SOFTWARE hives located in a Windows.old directory from being identified when the logical drive or live system processing option was chosen.

Version 1.5.1 (08/06/2019)

      • Added option to filter LNK file system timestamps that occur on or after a specified date when processing files/folders. This can be useful when providing USB Detective with carved LNK files that do not have reliable file system timestamps and should not be included in a timeline report.
      • If transaction logs are provided and replayed against a registry hive, the primary hive is now processed both with and without replaying the transaction logs. This helps to avoid a scenario where a pending change in the transaction logs removes information related to USB devices.
      • Added options to show/hide the log pane and consistency-level legend.
      • Various small UI enhancements.
      • Resolved issue in the timeline report that caused some timestamps from the Partition/Diagnostic event log to be displayed in UTC instead of their timezone-adjusted value.

Version 1.5.0 (05/29/2019)

      • Added support for processing and correlation of LNK files and jump lists.
      • Added reporting features for opened/accessed files as identified by LNK files and jump list records.
      • Added log entry to document internal devices that are excluded from the results.
      • Improved support for identifying certain Apple device drivers and descriptions from the Enum\USB subkey.
      • Improved handling of non-Storport devices with all zeroes listed as their S/N.
      • Improved handling of duplicate device timestamps found in the Enum\USB subkey hierarchy across multiple SYSTEM hives.
      • Various reporting improvements, including auto-formatting Excel spreadsheets as tables and removing “USB Detective” from tab names in reports.
      • Various UI improvements.
      • Resolved issue that caused reports to be saved in the current directory of USB Detective instead of the directory specified in the Reports window in some instances.

Version 1.4.1 (04/14/2019)

      • Added option to append timeline report as an additional worksheet in the Results Grid Excel report.
      • Added “Check All” button to Create Report window. Allows a user to quickly select all options and create all available report types.
      • Device timeline report now saved to the USB Detective case folder instead of the directory from which USB Detective is running.
      • Improved handling of the Microsoft-Windows-Kernel-PnP\Device Configuration event log.
      • Improved handling of devices identified in the DeviceContainers subkey.

Version 1.4.0 (02/12/2019)

      • Added support for processing live systems. Live system processing includes locked files, volume shadow copies, and all other artifacts supported by USB Detective. See the Live System Processing Quick Start Guide for a walkthrough on leveraging this functionality.
      • Added ability to create per-device timeline reports.
      • Added ability to detect certain types of device or volume encryption when the raw MBR or VBR is available. When detected, the encryption type is listed under the “Additional Attributes” section of the verbose view.
      • Added ability to check for and install software updates from within the USB Detective application.
      • Added option to set/change the case folder from the Set/Change Case Details window.
      • Improved handling of partially corrupt event logs.
      • Improved correlation of data from DeviceMigration subkeys.
      • Various small UI improvements.

Version 1.3.6 (12/13/2018)

      • Improved correlation of composite devices listed in the Enum\USB subkey hierarchy.
      • Resolved issue where some Storport devices were listed with their ParentIdPrefix in the Results Grid instead of their serial number.
      • Resolved issue with the auto-save log being named with the incorrect month when the default log name was not changed.

Version 1.3.5 (11/28/2018)

      • Added official support for Storport drives.
      • Added support for identifying multiple volume names associated with external hard drives.
      • Added option to customize or remove the consistency level highlighting.
      • Added ability to change case/evidence name post-processing.
      • Added option to auto-save the USB Detective log file.
      • Added option to set a “case folder” for the default saving location.
      • Added “Processing Statistics” window that is displayed post-processing.
      • Improved correlation of external hard drives with the Windows Portable Devices subkey.
      • Improved parsing of System and Partition/Diagnostic event logs.
      • Improved correlation of devices leveraging the DeviceContainers subkey.
      • Improved correlation for USB composite devices.
      • Resolved issue that caused some setupapi log timestamps to be converted using the displayed timezone settings instead of being left in local time.
      • Resolved issue that caused an error to be displayed in the Select Logical Drive window when no logical drives were available for processing.

Version 1.3.0 (10/03/2018)

      • Added support for processing and aggregating artifacts from volume shadow copies.
      • Added last drive letter and timezone offset to the Timeline Report.
      • Improved handling of instances where device last connected times are not available.
      • Various UI improvements.
      • Various small bug fixes.

Version 1.2.0 (08/21/2018)

      • Added support for replaying registry transaction logs. See the user guide for more information.
      • Added ability to specify the case name and evidence number for the data set being processed.
      • Improved support for ambiguous devices identified in DriverFrameworksUserMode/Operational event log.
      • Various UI improvements.
      • Resolved issue that prevented some Windows Vista registry hives from being processed.

Version 1.1.7 (07/25/2018)

      • Added option to include operating system installation time(s) in the timeline report.
      • Added ability to save multiple device VBRs and MBRs, when available. This option is available via the Results Grid context menu.
      • Added option to include ambiguous devices in the results. Any ambiguous devices identified are logged in the USB Detective log regardless of whether this setting is enabled.
      • Added option to change USB Detective internal log to UTC timestamps instead of local.
      • Improved parsing of USB Attached SCSI (UASP) devices throughout.
      • Improved support for MTP and UASP devices that have been deleted via Windows 10 device cleanup.
      • Improved exclusion of unreliable timestamps in Enum\USB hierarchy. Now supports multiple timestamps that are repeated.
      • Improved correlation of devices identified only by disk ID in the event logs.
      • Improved parsing of MTP devices from event logs.
      • Various UI improvements.
      • Resolved issue in parsing some UMB devices from Windows 8.1 setupapi logs.

Version 1.1.6 (07/11/2018)

      • Improved support for images mounted using FTK Imager and X-Ways Forensics.
      • Improved correlation of devices in MountedDevices subkey. Allows for identification of multiple drive letters once associated with a USB device.
      • Added detection of the partition style (MBR or GPT) from event logs.
      • Improved setupapi log parsing for fixed devices. Records identifying a device by disk ID can now be parsed if the disk ID is already known. This can increase the number of available connection times associated with a device.
      • Improved setupapi log parsing for MTP devices.
      • Added detection of previous disk signatures for a device.
      • Added detection of previous volume GUIDs for a device.
      • Improved handling of corrupt event logs.
      • Improved handling of partially corrupt SOFTWARE hives.
      • Various small UI enhancements.

Version 1.1.5 (06/25/2018)

      • Added checks for unreliable timestamps before populating results. If a timestamp is deemed unreliable, it is logged and excluded from the results.
      • Report creation revamped. All reporting functions now available in the Report > Create Report menu option. Allows for multiple report types and formats to be created simultaneously.
      • Time zone abbreviation now added to timestamp column headers.
      • Added button to copy the value in SYSTEM Hive(s) text box to all other text boxes in Select Files/Folders window to prevent the need for repetitive copy/paste.
      • Resolved issue that caused some tool tip information to not be displayed.
      • Resolved issue that caused some VSNs to be displayed in Big Endian.
      • Various UI enhancements.
      • Various small bug fixes.

Version 1.1.0 (04/23/2018)

    • Added support for event logs in Windows 7-10. The following event logs are currently supported (where enabled):
      • System – exposes additional connection times and devices.
      • Microsoft-Windows-DriverFrameworks\UserMode – exposes additional connection/disconnection times and devices.
      • Microsoft-Windows-Kernel-PnP\Configuration – exposes additional connection times, deletion times, and devices.
      • Microsoft-Windows-Partition\Diagnostic – exposes additional connection/disconnection times, device volume serial numbers, and much more.
    • Added ability to save device volume boot record and master boot record for interpretation in other tools (Note: USB Detective parses information from these for correlation/reporting as well).
    • Added option to include device deletion times in Timeline Report.
    • Added option to show 64-bit volume serial numbers (when available).
    • Improved correlation for external hard drives by leveraging information available in event logs with registry-based data.
    • “Other Details” column removed from Results Grid. All information previously available in this column is now available in the Verbose Details view.
    • Various UI improvements.
    • Resolved issue that prevented the results grid from being displayed when certain non-English time zones were identified in the provided SYSTEM hive and the option to adjust timestamps based on the SYSTEM hive was enabled.
    • Various small bug fixes.
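Several releases above refer to raw MBR and VBR sectors: saving them (1.1.0), reading the 32-bit and 64-bit VSN from them (1.1.0, 1.1.5, 1.6.2), spotting encryption from them (1.4.0) and deciding the partition style (1.1.6). The following added example, written for this page and not taken from USB Detective, shows what a parser for those two sectors looks like. It is deliberately broader than any single note above: it handles FAT12/16, FAT32, exFAT and NTFS boot sectors plus a BitLocker-signed one, and reads the MBR disk signature, partition table and the 0xEE protective entry that marks a GPT disk. All sample sectors are constructed in the block. One stated assumption: Windows derives the 32-bit NTFS VSN it displays from the 64-bit value at offset 0x48, and which half it uses is not stated on this page, so the parser returns both halves rather than guessing.

```python
import struct

BOOT_SIG = b"\x55\xAA"


def fmt_vsn32(vsn: int) -> str:
    """Render a 32-bit VSN the way Windows does: XXXX-XXXX, high word first.
    The VSN is stored little-endian on disk; reading it as big-endian (a
    common mistake) turns 1A2B-3C4D into 4D3C-2B1A."""
    return f"{(vsn >> 16) & 0xFFFF:04X}-{vsn & 0xFFFF:04X}"


def parse_mbr(mbr: bytes) -> dict:
    """Disk signature, partition style and partition entries from a 512-byte MBR."""
    if len(mbr) < 512 or mbr[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    disk_sig = struct.unpack_from("<I", mbr, 0x1B8)[0]   # NT disk signature
    parts = []
    for i in range(4):                                   # four 16-byte entries at 0x1BE
        off = 0x1BE + 16 * i
        ptype = mbr[off + 4]
        if ptype == 0:
            continue                                     # empty slot
        start_lba, sectors = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"type": ptype, "start_lba": start_lba, "sectors": sectors})
    # A GPT disk carries a protective MBR whose only entry has type 0xEE.
    style = "GPT" if any(p["type"] == 0xEE for p in parts) else "MBR"
    return {"disk_signature": f"{disk_sig:08X}", "partition_style": style, "partitions": parts}


def parse_vbr(vbr: bytes) -> dict:
    """Identify the volume format of a 512-byte VBR and pull out its VSN.
    Offsets: FAT12/16 VSN 0x27, FAT32 VSN 0x43, exFAT VSN 0x64, NTFS 64-bit VSN 0x48."""
    if len(vbr) < 512 or vbr[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("not a VBR: 0x55AA boot signature missing")
    oem = vbr[3:11]
    if oem == b"-FVE-FS-":
        # BitLocker replaces the NTFS OEM ID; the real boot sector is encrypted,
        # so no VSN is recoverable from this sector.
        return {"filesystem": "BitLocker", "encryption": "BitLocker", "vsn": None}
    if oem == b"NTFS    ":
        vsn64 = struct.unpack_from("<Q", vbr, 0x48)[0]
        # Assumption: Windows' 32-bit NTFS VSN is one half of this value; which
        # half is not stated on this page, so both halves are returned.
        return {"filesystem": "NTFS", "encryption": None, "vsn": None,
                "vsn64": f"{vsn64:016X}",
                "vsn_low32": fmt_vsn32(vsn64 & 0xFFFFFFFF),
                "vsn_high32": fmt_vsn32(vsn64 >> 32)}
    if oem == b"EXFAT   ":
        return {"filesystem": "exFAT", "encryption": None,
                "vsn": fmt_vsn32(struct.unpack_from("<I", vbr, 0x64)[0])}
    if vbr[0x52:0x5A] == b"FAT32   ":
        return {"filesystem": "FAT32", "encryption": None,
                "vsn": fmt_vsn32(struct.unpack_from("<I", vbr, 0x43)[0])}
    if vbr[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        return {"filesystem": vbr[0x36:0x3E].decode().strip(), "encryption": None,
                "vsn": fmt_vsn32(struct.unpack_from("<I", vbr, 0x27)[0])}
    return {"filesystem": "unknown", "encryption": None, "vsn": None}


# ---- constructed sample sectors (synthetic, not captured from a real device) ----
def sample_mbr(gpt: bool = False) -> bytes:
    mbr = bytearray(512)
    struct.pack_into("<I", mbr, 0x1B8, 0xA1B2C3D4)       # disk signature
    mbr[0x1BE + 4] = 0xEE if gpt else 0x0C               # 0x0C = FAT32 LBA
    struct.pack_into("<II", mbr, 0x1BE + 8, 2048, 1024000)
    mbr[0x1FE:0x200] = BOOT_SIG
    return bytes(mbr)


def _blank_vbr(jump: bytes, oem: bytes) -> bytearray:
    vbr = bytearray(512)
    vbr[0:3], vbr[3:11], vbr[0x1FE:0x200] = jump, oem, BOOT_SIG
    return vbr


def sample_fat32_vbr() -> bytes:
    vbr = _blank_vbr(b"\xEB\x58\x90", b"MSDOS5.0")
    struct.pack_into("<I", vbr, 0x43, 0x1A2B3C4D)
    vbr[0x52:0x5A] = b"FAT32   "
    return bytes(vbr)


def sample_exfat_vbr() -> bytes:
    vbr = _blank_vbr(b"\xEB\x76\x90", b"EXFAT   ")
    struct.pack_into("<I", vbr, 0x64, 0x7E5F0011)
    return bytes(vbr)


def sample_ntfs_vbr() -> bytes:
    vbr = _blank_vbr(b"\xEB\x52\x90", b"NTFS    ")
    struct.pack_into("<Q", vbr, 0x48, 0x1122334455667788)
    return bytes(vbr)


def sample_bitlocker_vbr() -> bytes:
    return bytes(_blank_vbr(b"\xEB\x58\x90", b"-FVE-FS-"))


if __name__ == "__main__":
    print(parse_mbr(sample_mbr()))
    for make in (sample_fat32_vbr, sample_exfat_vbr, sample_ntfs_vbr, sample_bitlocker_vbr):
        print(parse_vbr(make()))
```

The fmt_vsn32 helper is the check to apply when a VSN in a report does not match the one a LNK file or the `vol` command shows: a value whose nibbles read reversed in byte pairs was interpreted big-endian. BitLocker To Go on FAT-formatted media does not rewrite the OEM ID this way, so the "-FVE-FS-" test only catches the NTFS-style header; treat a "FAT32" result as unverified until the volume is actually walked.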

Version 1.0.4 (04/06/2018)

      • Improved handling of corrupt data throughout, including registry hives where the hive signature is intact but core key hierarchies within the hive are corrupt or missing.
      • “View Other Connection Times” context menu option is now disabled if there are no other connection times available for the selected device.
      • Improved support for Windows XP setupapi logs with alternative formatting.
      • Boot volume of the system on which USB Detective is running is no longer shown in the logical drive drop-down list.

Version 1.0.3 (03/28/2018)

      • Export to Timeline added to Reporting options. Timeline includes all timestamp values displayed in the results grid as well as all other connection and disconnection timestamps identified for each device.
      • Timestamps with the same date, hour, minute, and second now deduplicated from the list of other connection and disconnection times. Timestamps in these lists were previously deduplicated based on entire FILETIME value.
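The second-granularity deduplication described in 1.0.3 above, together with the unreliable-timestamp exclusion from 1.1.5 and the repeated-timestamp handling from 1.1.7, as one added example. This is illustrative code written for this page, not USB Detective's code, and the page does not define what it treats as "unreliable"; the rules used here are assumptions: a FILETIME of zero is "never set", a value that is bit-for-bit identical across three or more devices is taken to come from a bulk registry write (OS install or feature update) rather than a connection, and anything later than an assumed acquisition time is rejected. The per-device FILETIME values and serials are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: per-device FILETIME values (100 ns ticks since 1601-01-01
# UTC) as they would be collected from registry key last-write times and other
# artifacts. Not from a real case.
SAMPLE_TIMES = {
    "4C530001230425118551": [132963200000000000, 132963200005000000, 132400000000000000],
    "070A3E8D1A2B3C4D":     [132963200000000000, 132400000000000000],
    "AA04012700013494":     [132400000000000000, 0],
    "0123456789ABCDEF":     [132400000000000000, 133500000000000000],
}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME to a UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def repeated_timestamps(device_times: dict, min_devices: int = 3) -> set:
    """FILETIME values that are bit-for-bit identical across at least
    min_devices distinct devices. Assumption: a value repeated that widely was
    written by a bulk registry update (OS install, feature update, driver
    refresh) rather than by a device connection, so it is unreliable."""
    seen_on = Counter()
    for times in device_times.values():
        for ft in set(times):
            seen_on[ft] += 1
    return {ft for ft, n in seen_on.items() if n >= min_devices}


def reliable_times(times, repeated: set, acquired: datetime) -> list:
    """Drop zero (never set), bulk-repeated, and post-acquisition timestamps."""
    kept = []
    for ft in times:
        if ft == 0 or ft in repeated:
            continue
        dt = filetime_to_datetime(ft)
        if dt > acquired:           # later than the evidence itself: clock skew or garbage
            continue
        kept.append(dt)
    return kept


def dedup_to_seconds(datetimes) -> list:
    """Collapse timestamps that agree to the second (different artifacts record
    the same event at different precisions), keeping the earliest raw value."""
    by_second = {}
    for dt in datetimes:
        key = dt.replace(microsecond=0)
        if key not in by_second or dt < by_second[key]:
            by_second[key] = dt
    return sorted(by_second.values())


def connection_times(device_times: dict, serial: str, acquired: datetime,
                     min_devices: int = 3) -> list:
    """Reliable, second-deduplicated timestamps for one device."""
    repeated = repeated_timestamps(device_times, min_devices)
    return dedup_to_seconds(reliable_times(device_times[serial], repeated, acquired))


if __name__ == "__main__":
    acquired = datetime(2023, 1, 1, tzinfo=timezone.utc)   # assumed acquisition time
    print("bulk-repeated:", [filetime_to_datetime(ft).isoformat()
                             for ft in sorted(repeated_timestamps(SAMPLE_TIMES))])
    for serial in SAMPLE_TIMES:
        print(serial, [dt.isoformat() for dt in connection_times(SAMPLE_TIMES, serial, acquired)])
```

Deduplicating on the truncated second rather than the full FILETIME matters because the same connection can be recorded by a registry key last-write time, a setupapi log line and an event log record, each at a different precision; comparing full 100 ns values leaves three "connections" where there was one. Excluded values should still be logged with the reason, as the 1.1.5 note describes, so the exclusion itself is reviewable.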

Version 1.0.2 (03/21/2018)

      • Previous connection and disconnection times for each device now available in verbose details or via “View Other Connection Times” context menu option.  Previous connection and disconnection times can be extracted from previous versions of artifacts (available in volume shadow copies, etc.) and in some cases within standalone registry hives.
      • Additional timestamps now evaluated in first connected, last connected, and last disconnected consistency level calculations.
      • First Connected, Last Connected, and Last Disconnected columns of Results Grid are now sortable by date.

Version 1.0.1 (03/15/2018)

      • Resolved issue with some non-US local system cultures encountering errors during timestamp parsing.

Version 1.0.0 (03/13/2018)

    • Initial release