Interpret USB Date/Time Field from RR

I have several USB devices from the “recent activity” ingest module and the fields all show a date of 2/16 or 2/20. Looking at the file metadata and the output of RR, I have one date for created and either of the above dates for modified, accessed, or MFT modified for everything, including a wheel mouse and keyboard…

How should that be interpreted? I don’t think all of them (94) were connected on one day…

Thanks for any help.

More than likely the date/time(s) have been updated because of an MS update. I do not have a source for this at my fingertips, but it is something to start to research: was there a Windows update applied around that time?

Hi Bob,

I have not faced this situation, but I had something related to USB devices.
I have posted at List of USB Devices used.
Your case may be helpful in verifying my observation.
Can you please parse the event logs and search for the USB device serial numbers you have? Then you may be able to discover how many times a USB device was plugged in to the PC.

I discovered it once and posted in the forum but did not get any comment.
Your situation may validate my observations.

Regards

I have looked through the EVTX files and unfortunately there is not a reference to the USB device in the log; the EVTX file for ‘partitions’ was not there. I guess the logging for that event was not turned on.

This was a Win 7 device if that makes a difference for the logging.

Thanks for the help,

Bob

Hi
I had Windows 10; it was a corporate investigation.
Below is the parsed result from one of the event files:

Name event #103269
Item # 1182726
Ext
Path Image.E01/Basic data partition (3)/Windows [NTFS]/[root]/Windows/System32/winevt/Logs/Microsoft-Windows-Storage-ClassPnP%4Operational.evtx/event #103269
Category Windows Evtx Event
Created 2018-11-02 14:10:32 UTC
Accessed n/a
Modified n/a
Event Data <Data Name=DeviceGUID">{A9B1A85C-C040-3304-E9CE-A70E8A95BA88}<Data Name=DeviceNumber">2<Data Name=Vendor">Seagate <Data Name=Model">BUP Slim BL <Data Name=FirmwareVersion">0304<Data Name=SerialNumber">N*******<Data Name=IrpStatus">0xc0000185<Data Name=IoctlControlCode">0x74080

It might be possible that this event was logged because of some corporate policy.

Thanks for your comment

Regards
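
Added example (not part of the original thread, and not code from any of the tools mentioned): a Python sketch of the serial-number search suggested above, tallying per serial how many exported event records mention it and the first and last Created times. It assumes each record is available as a Created timestamp plus the flattened Event Data string in the form shown in the post; the function names and all sample values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches <Data Name="X">value and the quote-damaged form <Data Name=X">value
FIELD_RE = re.compile(r'<Data Name="?(\w+)"?>([^<]*)')

def parse_event_data(text):
    """Return {field name: value} from one flattened Event Data string."""
    return {name: value.strip() for name, value in FIELD_RE.findall(text)}

def summarize_by_serial(records):
    """records: iterable of (created 'YYYY-MM-DD HH:MM:SS UTC', event data)."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                               "models": set(), "statuses": set()})
    for created, data in records:
        fields = parse_event_data(data)
        serial = fields.get("SerialNumber")
        if not serial:  # record carries no serial number: skip, do not guess
            continue
        ts = datetime.strptime(created, "%Y-%m-%d %H:%M:%S UTC")
        ts = ts.replace(tzinfo=timezone.utc)
        s = out[serial]
        s["count"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        model = f'{fields.get("Vendor", "")} {fields.get("Model", "")}'
        s["models"].add(model.strip())
        if "IrpStatus" in fields:
            s["statuses"].add(fields["IrpStatus"])
    return dict(out)

# Constructed sample records (not real evidence), in the export layout above.
SAMPLE = [
    ("2018-11-02 14:10:32 UTC",
     '<Data Name=DeviceNumber">2<Data Name=Vendor">ExampleVendor '
     '<Data Name=Model">ExampleDisk A <Data Name=SerialNumber">SER-EXAMPLE-0001'
     '<Data Name=IrpStatus">0xc0000185'),
    ("2018-10-30 09:01:05 UTC",
     '<Data Name="Vendor">ExampleVendor</Data><Data Name="Model">ExampleDisk A'
     '</Data><Data Name="SerialNumber">SER-EXAMPLE-0001</Data>'),
    ("2018-11-03 08:00:00 UTC",
     '<Data Name=Vendor">OtherVendor <Data Name=SerialNumber">SER-EXAMPLE-0002'),
    ("2018-11-03 08:05:00 UTC", '<Data Name=DeviceNumber">0'),  # no serial
]

if __name__ == "__main__":
    for serial, s in sorted(summarize_by_serial(SAMPLE).items()):
        print(serial, s["count"], s["first"], s["last"], sorted(s["models"]))
```

The count is the number of matching event records, which is only as complete as the logging that was enabled on the system.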