
Insider Threat Matrix™
  • ID: DT087
  • Created: 25th July 2024
  • Updated: 25th July 2024
  • Platform: Windows
  • Contributor: Joshua Phillips

USB MountPoints2

MountPoints2 is a Windows Registry key used to store information about previously connected removable devices, such as USB drives, CDs, and other external storage media. It is located at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


Each subkey under MountPoints2 represents a unique device, often identified by its GUID (Globally Unique Identifier) or other unique identifier. These subkeys can contain various values that describe the properties and behavior of the corresponding device, such as the assigned drive letter, volume label, and other relevant data.
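As an added example (not part of the ITM entry), the following PowerShell enumerates the volume GUID subkeys under the current user's MountPoints2 key and correlates each with HKLM\SYSTEM\MountedDevices, where the same volume GUID maps to the device interface path and to a \DosDevices\X: drive letter; the USBSTOR match and the output fields are this example's own conventions. It assumes it is run interactively as the user whose profile is being examined (HKCU), not against an offline hive.

```powershell
# Added example, not part of the ITM entry: list the volume GUID subkeys under the
# current user's MountPoints2 key and correlate each with HKLM\SYSTEM\MountedDevices
# to recover the device path and the drive letter the volume was last mapped to.
function Get-UsbMountPoints {
    $mp2Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    $mounted = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue

    # Build a lookup from value data to drive letter using the \DosDevices\X: entries.
    # The same binary blob is stored under both \DosDevices\X: and \??\Volume{GUID}.
    $letters = @{}
    if ($mounted) {
        foreach ($p in $mounted.PSObject.Properties) {
            if ($p.Name -like '\DosDevices\*' -and $p.Value -is [byte[]]) {
                $letters[[Convert]::ToBase64String($p.Value)] = $p.Name.Substring('\DosDevices\'.Length)
            }
        }
    }

    Get-ChildItem -Path $mp2Path -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $guid       = $_.PSChildName
            $volumeName = "\??\Volume$guid"
            $devicePath = $null
            $drive      = $null
            if ($mounted -and $mounted.PSObject.Properties[$volumeName]) {
                $bytes = $mounted.$volumeName
                # For USB volumes the data is a UTF-16LE device interface path that contains
                # 'USBSTOR'; for fixed disks it is a short binary signature, which decodes
                # to noise and is therefore not flagged.
                $devicePath = [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
                $drive      = $letters[[Convert]::ToBase64String($bytes)]
            }
            [PSCustomObject]@{
                VolumeGuid  = $guid
                DriveLetter = $drive
                IsUsb       = [bool]($devicePath -match 'USBSTOR')
                DevicePath  = $devicePath
            }
        }
}

# Show only the volumes that resolve to a USB mass storage device.
Get-UsbMountPoints | Where-Object IsUsb | Format-Table -AutoSize
```

Drop the final `Where-Object IsUsb` filter to see every volume the user has ever had mounted, including those whose MountedDevices entry has since been removed (DevicePath will be empty).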

Sections

ID Name Description
IF002 Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

IF002.001 Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive.

PR002.001 USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

ME005.001 USB Mass Storage

A subject can mount and write to a USB mass storage device.

IF002.006 Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

AF022.003 Portable Hypervisors

The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges, bypassing standard application control, endpoint detection, and logging.


Portable hypervisors are often used to:


  • Run a fully isolated virtual environment on a corporate system without administrator rights.
  • Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
  • Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
  • Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
  • Destroy or remove evidence simply by ejecting the device or deleting the VM directory.


Example Scenarios:


  • The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
  • A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
  • The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.