Parse the setupapi.dev.log for USB events
This EnCase EnScript was written to parse the Windows Vista/7 'setupapi.dev.log' for USB events. The log records a lot of information about hardware events, including when USB devices are attached. Comparing those entries with file metadata can show what filesystem activity took place while a USB device was connected.
The EnScript parses the setupapi.dev.log (Windows Vista/7) for USB connection events and displays them in the Console tab:
2012/11/05 13:15:59.19 [Device Install (Hardware initiated) - USB\VID_152D&PID_2338\22225215C41E]
2012/11/05 13:16:02.34 [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ST925082&Prod_7AS&Rev_A\22225215C41E&0]
2012/11/05 14:29:23.20 [Device Install (Hardware initiated) - USB\VID_05AC&PID_129C\020ea02b9a9dcd02c6ba5b2531e93ef6f43b5c29]
2012/11/12 10:00:09.68 [Device Install (Hardware initiated) - usb\root_hub\4&2c132b5b&0]
2012/11/12 10:00:09.74 [Device Install (Hardware initiated) - usb\root_hub\4&2adbda92&0]
2012/11/12 10:00:34.82 [Device Install (Hardware initiated) - usb\root_hub\4&31d8afb1&0]
2012/11/12 10:00:46.06 [Device Install (Hardware initiated) - usb\root_hub\4&72de777&0]
2012/11/12 10:00:47.74 [Device Install (Hardware initiated) - usb\root_hub\4&e4160fc&0]
2012/11/12 10:00:49.54 [Device Install (Hardware initiated) - usb\root_hub\4&5e7a9c7&0]
2012/11/12 10:00:51.89 [Device Install (Hardware initiated) - usb\root_hub20\4&1a91b245&0]
2012/11/12 10:00:54.32 [Device Install (Hardware initiated) - usb\root_hub20\4&378216f&0]
2012/11/12 10:00:59.96 [Device Install (Hardware initiated) - USB\VID_04F2&PID_B053\SN0001]
2012/11/16 16:49:18.82 [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&30291b88&0&1]
EnCase Forensic 7.06
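For checking the same extraction outside EnCase, here is an added Python example (not the EnScript itself, and not the author's code). It assumes each log section opens with a `>>>  [title]` line followed by a `>>>  Section start <timestamp>` line; the sample log text, the function names and the PCI entry are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log section layout (not from a real system).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_152D&PID_2338\22225215C41E]
>>>  Section start 2012/11/05 13:15:59.190
     dvi: constructed body line
<<<  Section end 2012/11/05 13:16:02.300
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ST925082&Prod_7AS&Rev_A\22225215C41E&0]
>>>  Section start 2012/11/05 13:16:02.340
<<<  Section end 2012/11/05 13:16:03.010
>>>  [Device Install (Hardware initiated) - PCI\VEN_0000&DEV_0000\CONSTRUCTED]
>>>  Section start 2012/11/05 13:20:00.000
<<<  Section end 2012/11/05 13:20:01.000
>>>  [Device Install (Hardware initiated) - usb\root_hub20\4&1a91b245&0]
"""

SECTION = re.compile(r"^>>>\s+\[(.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{1,6})")
PREFIX = "Device Install (Hardware initiated) - "

def parse_usb_events(text):
    """Return (timestamp, section_title, device_id) for USB/USBSTOR install sections."""
    events, pending = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            if pending:  # previous header never got a "Section start" line
                events.append((None, *pending))
            title = m.group(1)
            dev = title[len(PREFIX):] if title.startswith(PREFIX) else ""
            # Device IDs appear in mixed case (USB\..., usb\root_hub), so compare upper-cased.
            is_usb = dev.upper().startswith(("USB\\", "USBSTOR\\"))
            pending = (title, dev) if is_usb else None
            continue
        m = START.match(line)
        if m and pending:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            events.append((ts, *pending))
            pending = None
    if pending:  # log truncated right after a header
        events.append((None, *pending))
    return events

def format_event(event):
    ts, title, _ = event
    stamp = ts.strftime("%Y/%m/%d %H:%M:%S.%f")[:-3] if ts else "<no section start>"
    return f"{stamp} [{title}]"

if __name__ == "__main__":
    for ev in parse_usb_events(SAMPLE_LOG):
        print(format_event(ev))
```

The log records local system time, so bring it into the same time zone as the file metadata before comparing the two.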