USB Device History EnScript
I finally got around to updating my USB device History EnScript to extract some additional information. The EnScript now extracts and lists all previously connected USB devices via the USBSTOR key, then lists all the devices from the DeviceClass keys, then lists all the Mounted Devices, their associated assigned drive letters and then attempts to map a drive letter to any of the previously connected USB devices, if the information still remains.
The output is to the Console tab for now until testing is finished. The output is tab-delimited so it can easily be copied to the clipboard and then pasted to Excel or saved to a file and then imported into Excel.
Tested in Windows 2000, Windows XP, Windows 2003 & Vista
Download Here (v6)
Download Here (v5)
ShareThis
Posts
9 comments:
Hi Lance,
Tried downloading the "USB Device History EnScript (V6)" and am receiving the following error (Which is all "Greek" to me)
Thanks, Jake
sentrydata@chartermi.net
Error: Reference to null CaseClass object in function call: EntryRoot, C:\Documents and Settings\Sentry Data Systems\Local Settings\Temporary Internet Files\Content.IE5\49UJMXW1\USB%20v0.4%20Device%20History[1](1,7054)
Name: USB%20v0.4%20Device%20History[1]
Status: Error
Start: 09/07/08 12:06:34PM
Stop: 09/07/08 12:06:36PM
Time: 0:00:02
Lance, i've been using your USB script for a while in v. 6.13 but i've noticed a problem. On one case i work on, when i ran the script a different number of devices appeared in the first section of the output compared to the second. 2 devices appeared in the first, and 3 appeared in the second. When i looked to determine why by going through the registry, it appeared that the device missing in the first section didn't have a friendly name value. I think this caused the script to skip it in the first section but show it in the second because it doesn't parse that value out. Have you encountered this before? Is it possible to fix this? Thanks for the script. It works great otherwise and i've only had this happen once.
Yaniv,
Can you give me a screen shot of the registry keys (names) to I can check the code to see whay it would be skipped?
You can send to the email listed on the blog front page
Hi Lance, Thank you for posting these Enscripts. I'm trying to run the USB v0.4 Device History script but when I run it, it doesn't go. I don't get an error message and I don't see it run in the lower right-hand corner of the screen. I've tried it in V6.13 and 6.15. Is there a license that I should use?
Thank you,
Phil
Phil,
Be sure and check the Console tab
Lance
Hi Lance, been meaning to post back about this. I started to notice that the drive that contained my E01 would drop after I closed EnCase.
I changed cables connected to that drive and your script worked correctly. Looks like there might have been a problem with my physical connection.
Thanks!
Hey Lance,
Found something that you might be interested in. When the registry doesn't have a USBStor within the Enum directory, the EnScript completes but doesn't report back any information in the Console tab. Found this out with a case I'm working on. Thought something was broken and found that the the folder just wasn't there presumably because there were never any USB devices plugged in. Also, check in Setupapi.log's and found no reference to USBStor there either. Anyway, if you were going to re-open the script, though you might want the option to put in the error handling.
Thanks,
Mike Ciaramitaro
Hi Lance
Your enscript is very usefull for us, so thank you very much for this. But I would like to suggest some extra functionality which make it even more beneficial for us and probably also for others.
The volumes listed in the mountedDevices key can be correlated to the subkeys found in the MountePoint2 key within the user's hive (NTUSER.DAT). this will allow you to see which users or multiple usershad access to the volume and as well as when the volume was originally connected to the system based on the LastWrite timeassociated with the key.
Kind Regards
Keith Custers
Hi Lance! Do you have any scripts for USBSTOR parsing in Windows 7?
Thanks!
Post a Comment