I was recently teaching the SANS FOR500 Windows Forensic Analysis class in Canberra and I was asked a question about how we track the connection times for USB devices in the registry:

My answer at the time was, “they are arbitrary” but I thought I should look into it a little bit more, and I’m glad I did! This is also something that was kind of discussed a very long time ago, but I’d not really looked into it myself.
Digging in!
If you go into the Registry, under the USB registry key you can find a series of GUIDs and their subkeys contain hex characters:

Doing some searching for the GUID led me to an interesting file that I didn’t realise has been distributed in the Windows SDK. I’m also realising that I should look at the Windows SDK more often if I want to try to figure out details about a thing.
Enter devpkey.h
There’s a file called devpkey.h which is referenced in the Microsoft Learn documentation related to driver installation where you can find the rules around FirstInstallDate and InstallDate (but I couldn’t find more documentation on the other two). After a little bit of Googling I found the file online in some GISTs and GitHub repos (related to WINE), but then realised that I could actually find it in the Windows SDK.
After that it was a matter of searching for the key name and finding it referenced clearly describing the namespace and property ids. What might not be obvious here is that the namespace is referenced with commas instead of dashes and the key names for InstallDate, FirstInstallDate, LastArrivalDate and LastRemovalDate are referenced in decimal (100-103) instead of hex (0x64-0x67) like they are in the registry.
Interestingly some of the other subkeys from the Properties key aren’t recorded in the file, but at least I’ve got an answer as to why those hex values are there.


Another point of note – we typically teach people to take 0x64 for first install. This is 99.999% of the time going to be the same as 0x65 which is the actual FirstInstallDate value for USB storage media. This may not hold true for other device types but in a quick poll no one has seen a different value between the two for USB storage media. The USB plugin in Registry Explorer presents both timestamps next to each other so you can compare.
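To make the mapping concrete, here is an added Python example (mine, not code from the post or from any tool it mentions) that does the translation the post describes by hand: it parses devpkey.h-style DEFINE_DEVPROPKEY lines, turns the comma-separated GUID parts into the dashed form you see under the Properties key, converts the decimal property ids (100-103) into the hex subkey names (0x64-0x67), decodes the 8-byte FILETIME values, and then runs the 0x64 versus 0x65 comparison. The header excerpt and the device values are constructed inline so the script runs offline; the assumption that the registry stores each property as a raw little-endian FILETIME, and the four-digit subkey form such as 0064, are mine.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed excerpt written in the style of devpkey.h (not the SDK file itself):
# GUID as comma-separated parts, property id in decimal, as the post describes.
DEVPKEY_EXCERPT = """
DEFINE_DEVPROPKEY(DEVPKEY_Device_InstallDate,      0x83da6326, 0x97a6, 0x4088, 0x94, 0x53, 0xa1, 0x92, 0x3f, 0x57, 0x3b, 0x29, 100);  // DEVPROP_TYPE_FILETIME
DEFINE_DEVPROPKEY(DEVPKEY_Device_FirstInstallDate, 0x83da6326, 0x97a6, 0x4088, 0x94, 0x53, 0xa1, 0x92, 0x3f, 0x57, 0x3b, 0x29, 101);  // DEVPROP_TYPE_FILETIME
DEFINE_DEVPROPKEY(DEVPKEY_Device_LastArrivalDate,  0x83da6326, 0x97a6, 0x4088, 0x94, 0x53, 0xa1, 0x92, 0x3f, 0x57, 0x3b, 0x29, 102);  // DEVPROP_TYPE_FILETIME
DEFINE_DEVPROPKEY(DEVPKEY_Device_LastRemovalDate,  0x83da6326, 0x97a6, 0x4088, 0x94, 0x53, 0xa1, 0x92, 0x3f, 0x57, 0x3b, 0x29, 103);  // DEVPROP_TYPE_FILETIME
"""

_DEFINE_RE = re.compile(
    r"DEFINE_DEVPROPKEY\(\s*(\w+)\s*,"            # symbolic name
    r"\s*0x([0-9a-fA-F]+)\s*,"                    # Data1 (32-bit)
    r"\s*0x([0-9a-fA-F]+)\s*,"                    # Data2 (16-bit)
    r"\s*0x([0-9a-fA-F]+)\s*,"                    # Data3 (16-bit)
    r"((?:\s*0x[0-9a-fA-F]{1,2}\s*,){8})"         # Data4: eight bytes
    r"\s*(\d+)\s*\)"                              # property id, decimal
)


def parse_devpkey(text):
    """Build {(dashed GUID, 4-digit hex id): DEVPKEY name} from header text."""
    table = {}
    for m in _DEFINE_RE.finditer(text):
        name, d1, d2, d3, d4_raw, pid = m.groups()
        d4 = [int(b, 16) for b in re.findall(r"0x([0-9a-fA-F]{1,2})", d4_raw)]
        # Registry form: {Data1-Data2-Data3-Data4[0:2]-Data4[2:8]}, lower-case hex.
        guid = "{%08x-%04x-%04x-%02x%02x-%s}" % (
            int(d1, 16), int(d2, 16), int(d3, 16), d4[0], d4[1],
            "".join("%02x" % b for b in d4[2:]))
        table[(guid, "%04x" % int(pid))] = name   # 100 -> "0064"
    return table


def resolve_property(table, guid, subkey):
    """subkey may be '0064', '64' or '0x64'; returns the DEVPKEY name or None."""
    return table.get((guid.lower(), "%04x" % int(subkey, 16)))


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601) to UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def device_timeline(table, guid, props):
    """props: {subkey name: raw FILETIME bytes} read from Properties\\{guid}.
    Returns {DEVPKEY name: UTC datetime}; unknown subkeys are skipped."""
    out = {}
    for sub, raw in props.items():
        name = resolve_property(table, guid, sub)
        if name is not None:
            out[name] = filetime_to_utc(raw)
    return out


def install_dates_agree(timeline):
    """The check from the post: is 0x64 (InstallDate) equal to 0x65 (FirstInstallDate)?"""
    return (timeline.get("DEVPKEY_Device_InstallDate")
            == timeline.get("DEVPKEY_Device_FirstInstallDate"))


# Constructed sample device: 2020-01-01T00:00:00Z is 132223104000000000 ticks;
# one day is 864e9 ticks and one hour is 36e9 ticks.
def _ft(ticks):
    return struct.pack("<Q", ticks)


SAMPLE_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
SAMPLE_PROPS = {
    "0064": _ft(132223104000000000),                  # InstallDate
    "0065": _ft(132223104000000000),                  # FirstInstallDate (same as 0x64, the usual case)
    "0066": _ft(132223104000000000 + 864000000000),   # LastArrivalDate, one day later
    "0067": _ft(132223104000000000 + 900000000000),   # LastRemovalDate, one day and one hour later
}

if __name__ == "__main__":
    table = parse_devpkey(DEVPKEY_EXCERPT)
    timeline = device_timeline(table, SAMPLE_GUID, SAMPLE_PROPS)
    for name, when in sorted(timeline.items()):
        print("%-34s %s" % (name, when.isoformat()))
    print("InstallDate == FirstInstallDate:", install_dates_agree(timeline))
```

Pointing `parse_devpkey` at the real devpkey.h from the SDK gives a lookup for every property in the file; the unlabelled subkeys the post mentions will simply resolve to `None`, which is a useful way to list what still has no documented name.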