Ghost USB devices? Windows registry is your friend

Are you a system administrator who suspects that one of your users has used a USB device in violation of company policy?

Do you share your computer with other people and worry that someone could have copied your files elsewhere?

You can discover it by analyzing the following Windows registry key: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\.

Every time a USB device is plugged in, a sub-key is created under the above key.

Here is an example of what I found in a forensic lab I did for my File System Analysis class.


In the MountedDevices key, we can find the letter associated with each device.


Cool, isn't it? Now you only have to add two and two together.
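The "two and two" step can be scripted. The following is an added example, not part of the original post: it parses USBSTOR subkey names and matches them against MountedDevices values to recover the drive letter each device received. It assumes the key names and value data have already been extracted from the hive; the function names and all sample data are constructed for illustration.

```python
import re

# Class subkey under Enum\USBSTOR: <type>&Ven_<vendor>&Prod_<product>&Rev_<rev>
CLASS_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

def parse_usbstor(paths):
    """Parse 'class\\instance' subkey paths (relative to USBSTOR) into dicts."""
    devices = []
    for path in paths:
        cls, _, instance = path.partition("\\")
        m = CLASS_RE.match(cls)
        if not m or not instance:
            continue  # not a device entry we understand
        dev = m.groupdict()
        dev["instance"] = instance
        # The instance ID is the serial number plus a trailing "&<n>" suffix.
        dev["serial"] = instance.rsplit("&", 1)[0]
        # "&" as 2nd character: Windows generated the ID (device has no serial).
        dev["unique_serial"] = instance[1:2] != "&"
        devices.append(dev)
    return devices

def drive_letters(mounted, devices):
    """Map drive letters from MountedDevices values to USBSTOR devices."""
    result = {}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # skip \??\Volume{GUID} entries
        # Removable devices store a UTF-16LE device path; fixed disks do not.
        text = data.decode("utf-16-le", errors="ignore").upper()
        for dev in devices:
            if "USBSTOR#" in text and dev["instance"].upper() in text:
                result[name.split("\\")[-1]] = dev
    return result

# Constructed sample data, not taken from the post's lab image.
USBSTOR_KEYS = [
    r"Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0123456789ABCDEF&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
]
MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("d2a1f3b40000100000000000"),
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0"
        "&Rev_PMAP#0123456789ABCDEF&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
        ).encode("utf-16-le"),
}

if __name__ == "__main__":
    for letter, dev in drive_letters(MOUNTED, parse_usbstor(USBSTOR_KEYS)).items():
        print(letter, dev["vendor"], dev["product"], dev["serial"])
```

A device that appears under USBSTOR but has no match in MountedDevices was still plugged in at some point; its drive letter may simply have been reassigned to a later device.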
