I have some personal information stored on my laptop, and I suspect that somebody had copied them onto an USB portable flash drive. Is there any method by which I can track down a list of flash drives that my laptop has accessed – namely their brand name, capacity and/or the name of the USB flash drive itself?
Does my Windows 7 computer create history logs of the flash drives that have been plugged in? If so, what other information would this log contain?
I also understand that some USB flash drives would automatically run a driver installation, would that show?
Best Answer
Not really. What happens is that because they comply to a standard specification, Windows can, and does load generic storage and volume drivers for them. It does this whenever you plug in a new drive where “new” means a combination of drive and USB port (i.e., plugging a drive into two different ports causes Windows to detect it as new and (re)-load the drivers twice).
Not as such. There is no log of drives, mostly because there is no actual data about the drives. The drive does contain firmware which usually contains some metadata about it, but there is nothing stopping a manufacturer from putting very little, generic, or even incorrect data in the drive’s firmware.
That said, the Windows registry does retain some pseudo-unique information about peripherals for the purposes of detecting new devices so that it knows whether or not it has drivers for it. The most useful data would be located in the key
HKLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume. It will contain the device-IDs of each known storage device that has been attached to the system.You can review the data manually, but a better way would be to use a program that interprets the data and displays them in a more human-readable way such as DevManView or USBDeview.
However, as I said, there is no reason that someone who wants to sneak data couldn’t just use a drive that has generic, blank, or fraudulent data embedded (or just wipe the data from the registry afterwards). In addition, the data may not be completely unique. For example, if you plug a new flash-drive into the system and wait for Windows to install the drivers, then eject it and plug in a different, but identical drive, you may very well notice that Windows does not load new drivers because its “fingerprint” matches.
In the future, you can use USBLogView. It won’t help with past USB-drive activity, but it will log future activity.