Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, it holds comprehensive details for each device connected via USB ports. This key features individual subkeys for every device connected to the system, where you can find extensive information, including; timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.

Sections

ID	Name	Description
PR002	Device Mounting	A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.
ME005	Removable Media	A subject can mount and write to removable media.
PR014.001	USB Mass Storage Device Formatting	A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.
IF002.001	Exfiltration via USB Mass Storage Device	A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.
PR002.001	USB Mass Storage Device Mounting	A subject may attempt to mount a USB Mass Storage device on a target system.
ME005.001	USB Mass Storage	A subject can mount and write to a USB mass storage device.
ME005.002	SD Cards	A subject can mount and write to an SD card, either directly from the system, or through a USB connector.
IF002.006	Exfiltration via USB to USB Data Transfer	A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.