EnScript to parse setupapi.dev.log
This EnCase EnScript was written to parse the Vista/7 'setupapi.dev.log' for USB events. This log contains a lot of information about hardware events, including when USB devices are attached.
This EnScript extracts and displays relevant USB events:
Download here (EnCase v6)
ShareThis
Posts
6 comments:
Hi
I have been trying this enscript but i don't seem to be getting results maybe i am doing it wrong? I'm using Encase 6.19.6, it is a windows 7 device. First off i selected the whole drive and ran the en script...I checked the records tab the bookmarks bar and also the search hits but there are no results. i then selected just the setupapi.dev.log and ran it again and still no joy. when the script runs it goes to the console screen but nothing comes up there either....
any help would be appreciated!
Please send me an email so I can better troubleshoot your issue.
Hi Lance,
Thank you for sharing this enscript with us. I used it on a Windows 7 image and this is 1 of 24 result taken from Encase Console:
12/10/23 08:27:14.65 [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_3200BEV_External&Rev_1.04\575845313038413830363338&0]
I am looking at the USBSTORE against SYSTEM hives and it showed the USB deivce name, serial number, and Last Write Time (2013-02-19 03:29:54. The serial number matches the above result but the date stamp is different.
Thank you,
Gwen Dang
Gweeeeeennnnnnnn... Nice to hear from you :)
I would definitely expect the timestamp to be different since this log records in real-time with the USB device was connected, which the USBSTOR only has a timestamp associated with the registry key, not necessarily when it was first or last connected.
Very nice enscript. What happens if there are more than 1 setupapi.dev.log file ?
This EnScript only looks for the setupapi.dev.log in the following location:
\windows\inf\setupapi.dev.log
Post a Comment