Tuesday, 9 October 2012

How to retrieve USB history and delete it? (Part-I)

 
Nowadays we plug many devices into our USB ports: MP3 players, iPods, pen drives and so on. These devices are also a vector for viruses, trojans and backdoors, which can sometimes be lethal. Today I am going to discuss how to keep track of all the USB devices that were connected to a computer (Windows XP / 7 / Vista). This trick can be very helpful if you find that some data has been stolen from your PC.

The USB history in a PC can be tracked by two methods:

a) By looking directly into the registry.

b) Or by using a tool.
Let's start with the registry method.

1. First open Run, type "regedit" and hit Enter.

Note: USB history can be found in two places in the registry:
 -- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
 -- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

2. A Registry Editor window opens. In that window, follow the steps shown in the image below.
(Here we look at the second registry path mentioned above, but you can also try the first one.)
In the above image you can see that after I connected a pen drive, its information is present in the registry.
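To review the same USBSTOR data outside regedit, the key can be exported to text and parsed. The following is an added example, not part of the original post: it assumes the export was made with `reg export`, and the sample devices, the function name `parse_usbstor` and the field names are constructed for illustration.

```python
import re

# Constructed sample in the text format written by
# `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg`;
# vendors, products and serials below are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\0123456789ABCDEF&0]
"FriendlyName"="ExampleCo FlashDrive USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_CardReader&Rev_2.10\6&1a2b3c4d&0]
"FriendlyName"="Generic CardReader USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_CardReader&Rev_2.10\6&1a2b3c4d&0\Device Parameters]
'''

# Matches only instance keys: ...\USBSTOR\<device id>\<instance id>
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USBSTOR'
    r'\\(?P<dev>[^\\\]]+)\\(?P<inst>[^\\\]]+)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_usbstor(text):
    """Return one dict per USB storage device instance found in the export."""
    devices, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = None  # values under deeper subkeys are not attributed
            if m:
                # Device id layout: <Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>
                fields = dict(p.split('_', 1) for p in m['dev'].split('&') if '_' in p)
                inst = m['inst']
                # Windows convention: a second character of '&' means the ID was
                # generated by the system because the device reported no serial.
                current = {
                    'vendor': fields.get('Ven', ''), 'product': fields.get('Prod', ''),
                    'revision': fields.get('Rev', ''), 'instance_id': inst,
                    'serial': inst.rsplit('&', 1)[0], 'friendly_name': None,
                    'unique_serial': not (len(inst) > 1 and inst[1] == '&'),
                }
                devices.append(current)
        elif current is not None:
            v = VALUE_RE.match(line)
            if v and v['name'] == 'FriendlyName':
                current['friendly_name'] = v['data']
    return devices
```

A real `reg export` file is UTF-16 encoded, so read it with `open(path, encoding='utf-16')` before passing the text to the function.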

Now let's see how to do this with a tool. The tool we will use is NirSoft's USBDeview. (Download)

1. Download the tool and run it; it will show all the devices that were connected to your PC.

Note: Serial numbers are unique for external devices, but internal devices, as you can see, have the same serial number.

2. Now select any one of the external devices, right-click it and select Properties. It will show all the details of the external device, as shown in the image below.

Now that we have retrieved the history of the USB devices, let's see how to delete this history information.

1. Open the Registry Editor window as shown in the steps above, then follow the on-screen steps shown in the image below.

2. After completing all the steps in the above image, you will be able to delete the registry key or subkey.
Doing this removes the traces, but the device can still be detected, so we will cover that in Part-II.
