// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
function print_table_row(cell01,cell02) {
println(" | ",cell01," | ",cell02," |
");
}
// Global vars
var val;
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced only with the last 3 digits.
cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
println("");
println(" USB Storage Devices");
println(" ");
println(" USB storage devices
");
println(" ");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
for(var i=0;i",storage_roots[i],"
");
var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
for(ii=0;ii");
// Note: If the second character of the unique instance ID is a '&', then the ID was
// generated by the system, as the device did not have a serial number.
print_table_row("Unique ID:",storage_subroots[ii]);
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
print_table_row("Class:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
print_table_row("Device description:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
print_table_row("Friendly name:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
}
}
println("
");
println("");