Setup API

The setupapi.dev.log file is a Windows log file that tracks connection information for a variety of devices, including USB devices. Since USB device information generally plays an important role in many investigations, our script will help identify the earliest installation time of a USB device on a machine. This log is system-wide, not user-specific, and therefore provides only the installation time of a USB device's first connection to the system. In addition to logging this timestamp, the log contains the vendor ID (VID), product ID (PID), and the serial number of the device. With this information, we can paint a better picture of removable storage activity. On Windows XP, this file can be found at C:\Windows\setupapi.log; on Windows 7 through 10, this file can be found at C:\Windows\inf\setupapi.dev.log.