- ID: DT025
- Created: 31st May 2024
- Updated: 14th June 2024
- Platform: Windows
- Contributor: The ITM Team
Windows Setupapi.dev.log
The setupapi.dev.log file, located at %SystemRoot%\INF\setupapi.dev.log, is a plain-text log written by the Windows SetupAPI that records device and driver installation activity, including the details of the first time a specific device (for example a USB mass storage device or a USB keyboard) was connected to the computer and a driver was installed for it. Each installation is recorded as a section that opens with a header line of the form ">>>  [Device Install (Hardware initiated) - USB\VID_xxxx&PID_xxxx\serial]", where the latter part is the device instance ID (enumerator, vendor and product IDs, and the device serial number or a Windows-generated identifier when the device reports none), followed by a "Section start" line carrying the timestamp and closed by a "Section end" line and an exit status. Timestamps are written in the local time of the system, not UTC. The log records the installation, not ordinary use: it does not provide information as to when the device was unplugged or disconnected, nor does it record later connections of a device that is already installed. When the file grows beyond a size threshold Windows archives it as setupapi.dev.YYYYMMDD_HHMMSS.log in the same folder, so earlier installations may only be present in those archived copies.
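The following parser is an added example written for this page; it is not tooling from the Insider Threat Matrix or from Microsoft. It walks the section structure described above (header, "Section start", "Section end", exit status), keeps only "Device Install" sections whose device ID comes from the USB, USBSTOR or HID enumerators, and pulls out the vendor ID, product ID, serial number and first-seen time. The embedded log is a constructed sample in the layout of a real setupapi.dev.log; its device IDs, serials and timestamps are invented. The "second character is '&'" rule used to tell a real serial from a Windows-generated instance ID is a common forensic heuristic, not something the page states.

```python
import re
from datetime import datetime

# Constructed sample in the layout of a real setupapi.dev.log. The device IDs,
# serial numbers and timestamps are invented for this example.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 10.0.19045
     Architecture = amd64

[BeginLog]

>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230521112123]
>>>  Section start 2024/05/31 10:12:03.456
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 10:12:03.470
<<<  Section end 2024/05/31 10:12:04.123
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230521112123&0]
>>>  Section start 2024/05/31 10:12:04.201
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/05/31 10:12:05.017
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - HID\VID_1A86&PID_E041&MI_00\7&2A1B3C4D&0&0000]
>>>  Section start 2024/06/02 22:41:17.990
      cmd: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/06/02 22:41:18.402
<<<  [Exit status: SUCCESS]

>>>  [Setup Import Driver Package - C:\Windows\System32\DriverStore\Temp\{1f2e3d4c}\example.inf]
>>>  Section start 2024/06/03 09:00:00.000
<<<  Section end 2024/06/03 09:00:01.250
<<<  [Exit status: SUCCESS]
"""

SECTION_HEADER = re.compile(r"^>>>\s+\[(?P<action>.+?) - (?P<target>.+)\]\s*$")
SECTION_START = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
SECTION_END = re.compile(r"^<<<\s+Section end (?P<ts>\S+ \S+)")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
VID_PID = re.compile(r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"  # timestamps in the log are local system time

# Enumerator prefix of the device instance ID -> device kind of interest.
ENUMERATORS = {"USBSTOR": "usb-mass-storage", "HID": "hid", "USB": "usb"}


def parse_sections(text):
    """Split the log into sections: one dict per '>>>  [action - target]' header."""
    sections, current = [], None
    for line in text.splitlines():
        m = SECTION_HEADER.match(line)
        if m:
            current = {"action": m["action"], "target": m["target"],
                       "start": None, "end": None, "status": None}
            sections.append(current)
            continue
        if current is None:
            continue  # preamble lines such as "OS Version = ..."
        if (m := SECTION_START.match(line)):
            current["start"] = datetime.strptime(m["ts"], TS_FORMAT)
        elif (m := SECTION_END.match(line)):
            current["end"] = datetime.strptime(m["ts"], TS_FORMAT)
        elif (m := EXIT_STATUS.match(line)):
            current["status"] = m["status"]
            current = None  # exit status is the last line of a section
    return sections


def device_install_events(sections):
    """Reduce 'Device Install' sections for USB/USBSTOR/HID devices to first-seen records."""
    events = []
    for s in sections:
        if not s["action"].startswith("Device Install"):
            continue
        enumerator, _, instance = s["target"].partition("\\")
        kind = ENUMERATORS.get(enumerator.upper())
        if kind is None:
            continue
        instance_id = instance.rsplit("\\", 1)[-1]
        # Forensic heuristic: when Windows could not read a serial number from the
        # device it generates an instance ID whose second character is '&'.
        has_serial = len(instance_id) > 1 and instance_id[1] != "&"
        ids = VID_PID.search(s["target"])
        events.append({
            "first_seen_local": s["start"],
            "kind": kind,
            "device_id": s["target"],
            "vid": ids["vid"].upper() if ids else None,
            "pid": ids["pid"].upper() if ids else None,
            # USBSTOR instance IDs append "&<LUN>" to the serial; strip it so the
            # USB and USBSTOR entries for the same stick share one serial.
            "serial": instance_id.split("&")[0] if has_serial else None,
            "has_serial": has_serial,
            "status": s["status"],
        })
    return events


def first_seen_by_serial(events):
    """Earliest installation time (local) per device serial; devices without one are skipped."""
    first = {}
    for e in events:
        if e["serial"] is not None:
            seen = first.get(e["serial"])
            if seen is None or e["first_seen_local"] < seen:
                first[e["serial"]] = e["first_seen_local"]
    return first


if __name__ == "__main__":
    for e in device_install_events(parse_sections(SAMPLE_LOG)):
        print(e["first_seen_local"], e["kind"], e["vid"], e["pid"],
              e["serial"] or "(no serial)", e["status"])
```

To run it against a live system, read %SystemRoot%\INF\setupapi.dev.log (and any archived setupapi.dev.*.log copies in the same folder) in place of SAMPLE_LOG; the HID entry in the sample stands in for the generic keyboard or mouse a hardware IP-KVM presents, and the USB/USBSTOR pair for a flash drive, which are the device kinds the sections below care about.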
Sections
| ID | Name | Description |
|---|---|---|
| PR036 | Hardware-Based Remote Access (IP-KVM) | A subject deploys a hardware-based remote access device, typically an IP-KVM (Keyboard, Video, Mouse over IP) system, to remotely interact with a workstation or server through its physical interfaces. These devices connect directly to the system's video output (HDMI or DisplayPort) and USB ports, capturing the display signal while injecting keyboard and mouse input remotely. The device presents itself to the operating system as standard USB Human Interface Devices (HID), such as a generic keyboard and mouse, allowing the subject to interact with the system as though physically present at the console. Because the interaction occurs through physical interface emulation rather than installed software, activity generated through the device appears as local console input to the operating system. This can bypass controls designed to detect or restrict software-based remote access tools such as Remote Desktop Protocol (RDP) or third-party remote administration platforms. Many IP-KVM devices provide independent network connectivity, including Ethernet, Wi-Fi, or cellular access, allowing the subject to maintain remote interaction with the system through an external management interface. When used in this manner, the remote session may not traverse corporate remote access infrastructure or generate conventional remote access or network logs. While these devices have legitimate uses in system administration, hardware labs, and data center environments, a subject may deploy them covertly to maintain persistent remote access to a system without installing software or triggering typical remote access monitoring or network controls. Within the Insider Threat Matrix, this behavior represents preparatory activity, as it establishes a covert remote control capability that may later enable unauthorized access, data exfiltration, or system manipulation. |
| PR014.001 | USB Mass Storage Device Formatting | A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system. |
| IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive. |
| IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |