
EnCase App Central


Parse the setupapi.dev.log of USBs

This EnCase EnScript parses the Windows Vista/7 'setupapi.dev.log' for USB events. The log records a lot of information about hardware events, including when USB devices are attached, and can be compared against file metadata to see what filesystem activity occurred while a USB device was connected.

The EnScript parses the setupapi.dev.log (Windows Vista/7) for USB connection events and displays them in the console tab:

2012/11/05 13:15:59.19 [Device Install (Hardware initiated) - USB\VID_152D&PID_2338\22225215C41E]
2012/11/05 13:16:02.34 [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ST925082&Prod_7AS&Rev_A\22225215C41E&0]
2012/11/05 14:29:23.20 [Device Install (Hardware initiated) - USB\VID_05AC&PID_129C\020ea02b9a9dcd02c6ba5b2531e93ef6f43b5c29]
2012/11/12 10:00:09.68 [Device Install (Hardware initiated) - usb\root_hub\4&2c132b5b&0]
2012/11/12 10:00:09.74 [Device Install (Hardware initiated) - usb\root_hub\4&2adbda92&0]
2012/11/12 10:00:34.82 [Device Install (Hardware initiated) - usb\root_hub\4&31d8afb1&0]
2012/11/12 10:00:46.06 [Device Install (Hardware initiated) - usb\root_hub\4&72de777&0]
2012/11/12 10:00:47.74 [Device Install (Hardware initiated) - usb\root_hub\4&e4160fc&0]
2012/11/12 10:00:49.54 [Device Install (Hardware initiated) - usb\root_hub\4&5e7a9c7&0]
2012/11/12 10:00:51.89 [Device Install (Hardware initiated) - usb\root_hub20\4&1a91b245&0]
2012/11/12 10:00:54.32 [Device Install (Hardware initiated) - usb\root_hub20\4&378216f&0]
2012/11/12 10:00:59.96 [Device Install (Hardware initiated) - USB\VID_04F2&PID_B053\SN0001]
2012/11/16 16:49:18.82 [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&30291b88&0&1]
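
The same extraction in Python, as an added example that is not the EnScript's own code: it pairs each USB or USBSTOR 'Device Install' section header with its 'Section start' timestamp and splits out VID, PID and serial. The sample log text, the function name parse_usb_installs and the os_generated_id field are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed excerpt in setupapi.dev.log layout; USB IDs reuse values shown above.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_152D&PID_2338\22225215C41E]
>>>  Section start 2012/11/05 13:15:59.190
     ump: Creating Install Process: DrvInst.exe 13:15:59.205
<<<  Section end 2012/11/05 13:16:01.951
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_0000\3&11583659&0&D8]
>>>  Section start 2012/11/05 13:20:00.000
<<<  Section end 2012/11/05 13:20:01.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&30291b88&0&1]
>>>  Section start 2012/11/16 16:49:18.820
<<<  Section end 2012/11/16 16:49:19.100
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USB(?:STOR)?\\[^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
USB_ID = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)", re.I)

def parse_usb_installs(text):
    """Return one dict per USB/USBSTOR device-install section, in log order."""
    events, pending = [], None
    for line in text.splitlines():
        header, start = HEADER.match(line), START.match(line)
        if header:
            pending = header.group(1)          # remember the device instance ID
        elif start and pending:
            # Section start is written in the machine's local time, not UTC.
            when = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            ids = USB_ID.fullmatch(pending)
            vid, pid, serial = ids.groups() if ids else (None, None, None)
            events.append({
                "time": when, "device": pending, "vid": vid, "pid": pid, "serial": serial,
                # Common heuristic: '&' as 2nd character means Windows generated the ID
                "os_generated_id": bool(serial) and serial[1:2] == "&",
            })
            pending = None
        elif line.startswith(">>>"):
            pending = None                     # some other section type (e.g. PCI)
    return events

if __name__ == "__main__":
    for ev in parse_usb_installs(SAMPLE_LOG):
        print(ev["time"].isoformat(sep=" ", timespec="milliseconds"), ev["device"], ev["os_generated_id"])
```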




Version: 1
Tested with:
EnCase Forensic 7.06
Developer: Jordan venderBuhs
Category: Artifact

2644 DOWNLOADS
