How to retrieve USB history and delete it? (Part-I)

Nowadays we use our USB ports to plug in many devices such as MP3 players, iPods and pen drives. These devices are also a vector for many viruses, trojans and backdoors, which can sometimes be lethal. Today I am going to discuss how we can keep track of all the USB devices that were connected to our computer (Windows XP / 7 / Vista). This trick can be very helpful in case you find that some data has been stolen from your PC.

The USB history in a PC can be tracked by two methods:

a) By looking directly into the registry.

b) Or by using a tool.

Let's first start with the registry method.

1. First open Run, type "regedit" and hit Enter.

Note: USB history can be found at two places in the registry:
 --HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
 --HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

2. A Registry Editor window opens up; in that window follow the steps as shown in the image below.
(Here we will look into the second registry path mentioned above, but you can also try the first one.)
In the above image you can see that after I connected a pen drive, its information is present in the registry.
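The same USBSTOR lookup can be done without clicking through regedit. The following is an added example, not part of the original post: it parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s` and lists each device with its vendor, product and serial number. The sample output is constructed, and the check that an instance ID with "&" as its second character was generated by Windows (the device reported no serial of its own) is general Windows behaviour rather than something stated in the post.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`
# output (illustrative values, not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0
    FriendlyName    REG_SZ    SanDisk Cruzer Blade USB Device

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0
    FriendlyName    REG_SZ    Generic Flash Disk USB Device
"""

# Matches only device-instance keys: <Type>&Ven_..&Prod_..&Rev_..\<instance id>
KEY_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.*)$")


def parse_usbstor(text):
    """Return one dict per device instance found under the USBSTOR key."""
    devices, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.search(line) if line.startswith("HKEY_") else None
        if m:
            current = m.groupdict()
            inst = current["instance"]
            # Second character '&' means Windows generated this ID because
            # the device reported no serial; it is not a stable identifier.
            current["generated_id"] = len(inst) > 1 and inst[1] == "&"
            current["serial"] = None if current["generated_id"] else inst.rsplit("&", 1)[0]
            devices.append(current)
        elif line.startswith("HKEY_"):
            current = None  # device-class key without an instance part
        elif current is not None:
            v = VALUE_RE.match(line)
            if v and v.group(1) == "FriendlyName":
                current["friendly_name"] = v.group(2)
    return devices


if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE):
        print(d["vendor"], d["product"], d["serial"] or "(no serial)", d.get("friendly_name"))
```

To use it on a real machine, save the `reg query` output to a text file and pass its contents to `parse_usbstor`.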

Now let's see how we can do this with a tool. The tool that we will be using for this is NirSoft's USBDeview. (Download)

1. Download the tool and just run it; it will show all the devices that were connected to your PC.

Note: Serial numbers are unique for external devices, but internal devices, as you can see, have the same serial number.

2. Now select any one of the external devices, right-click on it and select Properties. It will show you all the details about the external device, as shown in the image below.

Now that we have retrieved the history of the USB devices, let's see how we can delete this history information.

1. Open up the Registry Editor window as shown in the above steps, then follow the on-screen steps as shown in the image below.

2. After completing all the steps in the above image you will be able to delete the registry key or subkey.
By doing this the traces are removed, but even then it can be detected, so we will cover that in Part-II.

Note: For Linux you can use USBVIEW (Download)

If you find this post worthy enough to read, do drop a comment; it will be appreciated. :)




12 comments:

Tech Maish on July 26, 2010 at 12:56 AM said...

Very useful tutorial. I will follow the same steps. Thanks for sharing.

Satyajit Das(Admins) on July 26, 2010 at 1:40 AM said...

@Maish welcome to Compufreaks.... :)

Zamibaru on March 25, 2011 at 3:00 AM said...

I can't delete the subkey. When I try to modify the permission I get "Access denied". I use Win 7 and I have administrator rights on the computer. What can I do?

Mike on August 22, 2011 at 2:56 PM said...

I have the same issue as Zam, even though I am the administrator?

Gautam said...

Thanks.... but we can trace out the entries yet by using the software. Request mention the Part-II.

Satyajit (Admins,a.k.a Satosys) said...

@Gautam surely soon I will come up with the Part-II, please wait.

Keep visiting... :)

kirl said...

Hi, can you publish the second part? Very interesting !

Anonymous said...

Hi,

It looks like this post is more than 2.5 years old, is there a Part II or will it never be published?

Prithvi

Rauhan Patwal on December 13, 2012 at 12:29 AM said...

Hi, can you please explain also in Linux (RHEL6) environment?

jayD on December 17, 2012 at 8:02 AM said...

Very interesting... Please do publish the second part.

hcom01 on July 12, 2013 at 11:41 PM said...

Is there a way to delete all USB history from registry at once?

hara prasad on July 19, 2013 at 2:28 PM said...

Thanks brother....

© 2013 SecurityHunk All Rights Reserved and Template by Fresh Blogger Templates