Parsing SetupAPI log for fun and profit!
USB device history can be a great source of evidence during a forensic analysis, when an examiner needs to determine if an external device was connected to a system and how USB devices have been used on a given system.
USB device analysis can vary depending on the Windows version and the type of USB device connected: the type of device will dictate which drivers have been installed on the system and how Windows handles the device.
A great source of informations could be the setupapi.log (for Windows Xp/2000/2003) and the setupapi.dev.log (on Windows Vista/7/8).
setupapi.log - Windows XP/2000/2003
Starting with Windows 2000 and then continuing with Windows XP and 2003 the installer system began logging for debug and troubleshooting purposes all of the drivers it loaded for devices.
The log was called setupapi.log and located under %systemdrive%\Windows (more information on this MSDN page: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550882(v=vs.85).aspx)
For more information about interpretation of this log please refer here:
setupAPI.dev.log - Windows Vista/7/8/10
Starting with Windows 7, the setup service log was split into two logs, both in %systemdrive%\windows\inf:
- setupAPI.dev.log - Device and driver installations
- setupapi.app.log - Application installations
The MSDN specification for these two logs can be found here: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550887(v=vs.85).aspx
The device log is similar to the prior version.
In this logfiles are stored all avents related to drivers and devices loaded onto the system with timestamps and which drivers were loaded.
They allows to determine:
- When external devices were plugged in for the first time
- When a malicious driver was loaded onto a system
- What drivers were loaded for an unknown device to determine its functionality
- Proving a device was successfully installed and accessible
How read this logs?
Below a typical example of a text log section that the Plug and Play (PnP) manager created to log entries that pertained to the installation of a PCI device.
>>> [Device Install - PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38] >>> 2005/02/13 22:06:20.000: Section start ndv: Retrieving device info... ndv: Setting device parameters... ndv: Building driver list... ... ... additional section body log entries, which are not shown ... <<< [2005/02/13 22:06:28.109: Section end] <<< [Exit Status(0x00000000)]
In the section header, the section_title field is "Device Install," the instance_identifier field is the device instance identifier "PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38," and the time_stamp field is "2005/02/13 22:06:28.109:."
In the section footer, the status_value field is "0x00000000" and the time_stamp field is "2005/02/13 22:06:20.000:."
Only the first three section body log entries are included in this example.
The event level for this example was set to TXTLOG_DETAILS and all category levels were enabled for this example.
For more information, please refers to this Miscrosoft page: https://docs.microsoft.com/it-it/windows-hardware/drivers/install/format-of-a-text-log-section
But, are there some tools to automate this process?
Yes, here a brief list!
Developed by Mark Woan
usbdeviceforensics is a python script to extract numerous bits of information regarding USB devices. It initially used the information from a SANS blog (Rob Lee) post to retrieve operating system specific information.
Developed by Damian Jacobs
This is a Python 3 script that parses a Windows 7 setupapi.dev.log file for USB device install dates. It also searches http://www.linux-usb.org/usb.ids for the vendor and product ID of the USB devices that it finds.
Highlighter is a free utility designed primarily for security analysts and system administrators.
Enscript - setupapi.dev.log
EnCase EnScript was written to parse the Vista/7 'setupapi.dev.log' for USB events.