Sunday, September 15, 2019

USB History part 3 [Offline Hive Analysis]


This post is about trying to get USB history information with timestamps from a registry snapshot in an offline state. In such a scenario it is possible to load the SYSTEM hive and parse the data under USBSTOR\..\..\Properties.

HKLM\SYSTEM, under USBSTOR\..\..\Properties, is the location in the registry that holds the keys whose "last written time" gives the USB last-insertion and last-removal timestamps.
I could not figure out how to parse registry hives in PowerShell without loading them into the live registry, which would make the "Properties" keys inaccessible.

So I decided to do this in Python. See the first USB post for how to do this manually.

I have used the Regipy library for this, along with PrettyTable, lol. Please update the hive path in the script before running it.
from datetime import datetime, timedelta
from regipy.registry import RegistryHive #pip install regipy
from prettytable import PrettyTable #pip install PrettyTable

WIN32_EPOCH = datetime(1601, 1, 1)


def dt_from_win32_ts(timestamp):
    """Convert a Windows FILETIME-style tick count to a datetime.

    Registry key "last written" timestamps are 100-nanosecond ticks counted
    from 1601-01-01 00:00 (UTC). The value is truncated to whole microseconds,
    the finest resolution ``datetime`` offers. The result carries no tzinfo;
    callers treat it as UTC.
    """
    whole_microseconds = timestamp // 10  # ten 100 ns ticks per microsecond
    return WIN32_EPOCH + timedelta(microseconds=whole_microseconds)

# Update this to the location of the offline SYSTEM hive (work from a copy of
# the evidence file, never the live machine's own hive). regipy parses the hive
# file directly instead of loading it into the live registry, which is what
# keeps the Properties subkeys reachable (see the post above).
# NOTE(review): only the hive file itself is read here; if the image also holds
# the hive's transaction logs, the most recent changes may be missing until
# they are applied — confirm before treating the timestamps as complete.
reg = RegistryHive ('C:\\path\\to\\hive')

def get_disk_id():
    """Return the names of the device keys directly under USBSTOR.

    These names are what the output table shows in its InstanceID column; the
    per-device instance (serial) keys sit one level below each of them.
    """
    # NOTE(review): ControlSet001 is hard-coded. SYSTEM\Select records which
    # control set the machine actually booted with — confirm it for a given
    # image before relying on these timestamps.
    usbstor = reg.get_key('SYSTEM\\ControlSet001\\Enum\\USBSTOR')
    return [device.name for device in usbstor.iter_subkeys()]
 

def get_serial_id(diskid):
    """Return the names of the instance subkeys under USBSTOR\\<diskid>.

    Each name is a device instance id; the caller strips everything after the
    last "&" when displaying it as the serial number.
    """
    device_key = reg.get_key('SYSTEM\\ControlSet001\\Enum\\USBSTOR\\' + diskid)
    return [instance.name for instance in device_key.iter_subkeys()]

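_DEVICE_PROPERTIES_GUID = '{83da6326-97a6-4088-9453-a1923f573b29}'


def _get_property_key_last_written(diskid, serialid, prop_id):
    """Return the last-written time of a device property subkey, or ''.

    Walks the subkeys of
    USBSTOR\\<diskid>\\<serialid>\\Properties\\{83da6326-...} and, for every
    subkey whose name contains *prop_id*, formats that subkey's own
    last-written timestamp as 'YYYY-MM-DDTHH:MM:SS.ffffff' (UTC, no suffix).
    The property's data value is not read; the key timestamp stands in for it.
    If several subkeys match the last one wins; if none match '' is returned.
    """
    key_path = ('SYSTEM\\ControlSet001\\Enum\\USBSTOR\\' + diskid + '\\' + serialid
                + '\\Properties\\' + _DEVICE_PROPERTIES_GUID)
    last_written = ''
    for subkey in reg.get_key(key_path).iter_subkeys():
        if prop_id in subkey.name:
            written_at = dt_from_win32_ts(subkey.header.last_modified)
            last_written = written_at.strftime('%Y-%m-%dT%H:%M:%S.%f')
    return last_written


def get_last_insert_id(diskid, serialid):
    """Last-written time of property key 0066 (last arrival) for one instance, or ''."""
    return _get_property_key_last_written(diskid, serialid, '0066')


def get_last_removal_id(diskid, serialid):
    """Last-written time of property key 0067 (last removal) for one instance, or ''."""
    return _get_property_key_last_written(diskid, serialid, '0067')


def get_first_insert_id(diskid, serialid):
    """Last-written time of property key 0003 for one instance, or ''.

    NOTE(review): the author reads 0003 as the first-insert time. Unlike
    0066/0067 nothing on the page establishes that mapping — verify it against
    a device whose first insertion is known before reporting it.
    """
    return _get_property_key_last_written(diskid, serialid, '0003')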


def get_easy_name(diskid, serialid):
    """Return the FriendlyName value of USBSTOR\\<diskid>\\<serialid>, or ''.

    Values are read with as_json=True; the last value whose name contains
    "FriendlyName" wins, and '' is returned when there is none.
    """
    instance_key = reg.get_key('SYSTEM\\ControlSet001\\Enum\\USBSTOR\\' + diskid + '\\' + serialid)
    friendly = ''
    for value in instance_key.get_values(as_json=True):
        if "FriendlyName" in value.name:
            friendly = value.value
    return friendly


def get_usb_history():
    """Print one table row per USBSTOR device instance found in the hive.

    Columns: FriendlyName, serial id (the instance id with the part after its
    last "&" removed), last insert / last removal / first insert times (UTC
    strings, '' when the property key is missing) and the USBSTOR device key.
    """
    table = PrettyTable()
    table.field_names = ['easy_name', 'SerialID', 'Last_Insert_Time', 'Last_Remove_Time', 'First_insert_time', 'InstanceID']
    for diskid in get_disk_id():
        for serialid in get_serial_id(diskid):
            last_insert = get_last_insert_id(diskid, serialid)    # UTC
            last_removal = get_last_removal_id(diskid, serialid)  # UTC
            first_insert = get_first_insert_id(diskid, serialid)  # UTC
            friendly = get_easy_name(diskid, serialid)
            # Drop the trailing "&N" instance suffix; rsplit keeps the whole id when there is no "&".
            serial_no = serialid.rsplit("&", 1)[0]
            table.add_row([friendly, serial_no, last_insert, last_removal, first_insert, diskid])
    print(table)

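if __name__ == "__main__":
    # Run the report only when executed as a script, so importing the module to
    # reuse its helpers does not print the table (the hive is still opened at
    # import time by the `reg = RegistryHive(...)` line above).
    get_usb_history()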
    

    

And the output is coming soon...

References

https://github.com/mkorman90/regipy
