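# Get-USBForensics.ps1
# PowerShell script to gather USB and storage forensic artifacts from the
# LIVE registry, setupapi log and PnP inventory of the host it runs on.
#
# Usage:   .\Get-USBForensics.ps1
# Notes:
#   - Read-only: nothing is written to the registry or disk.
#   - Run elevated; unprivileged runs silently miss keys (-ErrorAction
#     SilentlyContinue is used throughout, so "no devices" may mean "no access").
#   - Output goes through Write-Host. On PowerShell 5+ capture it with
#     `.\Get-USBForensics.ps1 *> usb-artifacts.txt` or Start-Transcript;
#     on older versions Write-Host cannot be redirected.
#   - Works on Windows PowerShell and PowerShell 7 (which has no Get-WmiObject).

function Test-IsElevated {
    # Returns $true when the current process token holds the local Administrators role.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Write-Section {
    # Prints a section banner and, when given, the artifact location it covers.
    param(
        [Parameter(Mandatory = $true)][string]$Title,
        [string]$Location
    )
    Write-Host "`n=== $Title ===" -ForegroundColor Cyan
    if ($Location) { Write-Host "Location: $Location`n" }
}

function ConvertTo-HexString {
    # Renders a byte array as space-separated upper-case hex pairs ("" for empty/null).
    param([byte[]]$Bytes)
    return ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertFrom-Utf16Bytes {
    # Heuristic decode of a REG_BINARY value that is really UTF-16LE text:
    # even length, every high byte zero, every low byte printable ASCII.
    # Returns the decoded string, or $null when the bytes do not look like text
    # (e.g. a 12-byte MBR disk-signature+offset or a GUID-based identifier).
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 4 -or ($Bytes.Length % 2) -ne 0) { return $null }
    for ($i = 1; $i -lt $Bytes.Length; $i += 2) {
        if ($Bytes[$i] -ne 0) { return $null }
    }
    for ($i = 0; $i -lt $Bytes.Length; $i += 2) {
        if ($Bytes[$i] -lt 0x20 -or $Bytes[$i] -gt 0x7E) { return $null }
    }
    return [System.Text.Encoding]::Unicode.GetString($Bytes)
}

function Show-UsbStorDevices {
    # USBSTOR: every USB mass-storage device ever enumerated, keyed by device
    # model, with one instance subkey per serial number.
    Write-Section -Title 'USB Storage Devices (USBSTOR)' `
                  -Location 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    try {
        $usbstor = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue
        if (-not $usbstor) {
            Write-Host "No USB storage devices found." -ForegroundColor Gray
            return
        }
        foreach ($device in $usbstor) {
            Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
            $instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
            foreach ($instance in $instances) {
                $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
                Write-Host " Serial: $($instance.PSChildName)"
                Write-Host " Friendly Name: $($props.FriendlyName)"
                Write-Host " Service: $($props.Service)"
                Write-Host ""
            }
        }
    } catch {
        Write-Host "Error accessing USBSTOR: $_" -ForegroundColor Red
    }
}

function Show-UsbDevices {
    # Enum\USB: all USB devices (not only storage); only VID_/PID_ keys are listed
    # and only instances that carry a DeviceDesc.
    Write-Section -Title 'USB Devices (USB)' `
                  -Location 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB'
    try {
        $usb = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB' -ErrorAction SilentlyContinue
        foreach ($device in $usb) {
            # -match is case-insensitive by default, so one pattern covers VID_/vid_.
            if ($device.PSChildName -notmatch 'VID_') { continue }
            Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
            $instances = Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue
            foreach ($instance in $instances) {
                $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
                if (-not $props.DeviceDesc) { continue }
                Write-Host " Instance: $($instance.PSChildName)"
                Write-Host " Description: $($props.DeviceDesc)"
                Write-Host ""
            }
        }
    } catch {
        Write-Host "Error accessing USB: $_" -ForegroundColor Red
    }
}

function Show-MountedDevices {
    # MountedDevices: drive-letter and volume-GUID to device mappings. Values are
    # REG_BINARY; the hex dump is always printed, and a decoded string is added
    # when the bytes look like UTF-16LE text (typical for USBSTOR-backed volumes).
    Write-Section -Title 'Mounted Devices' -Location 'HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices'
    try {
        $mounted = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue
        if (-not $mounted) { return }
        # PS* members are provider metadata (PSPath, PSParentPath, ...), not registry values.
        $entries = $mounted.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
        foreach ($entry in $entries) {
            Write-Host "Drive: $($entry.Name)" -ForegroundColor Yellow
            if ($entry.Value -is [byte[]]) {
                Write-Host " Value: $(ConvertTo-HexString -Bytes $entry.Value)"
                $decoded = ConvertFrom-Utf16Bytes -Bytes $entry.Value
                if ($null -ne $decoded) { Write-Host " Decoded: $decoded" }
            } else {
                Write-Host " Value: $($entry.Value)"
            }
            Write-Host ""
        }
    } catch {
        Write-Host "Error accessing MountedDevices: $_" -ForegroundColor Red
    }
}

function Show-PortableDevices {
    # Windows Portable Devices: MTP/PTP devices (phones, cameras) and their friendly names.
    Write-Section -Title 'Portable Devices' `
                  -Location 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices'
    try {
        $portableDevices = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows Portable Devices\Devices' -ErrorAction SilentlyContinue
        if (-not $portableDevices) {
            Write-Host "No portable devices found." -ForegroundColor Gray
            return
        }
        foreach ($device in $portableDevices) {
            Write-Host "Device: $($device.PSChildName)" -ForegroundColor Yellow
            $props = Get-ItemProperty -Path $device.PSPath -ErrorAction SilentlyContinue
            Write-Host " Friendly Name: $($props.FriendlyName)"
            Write-Host ""
        }
    } catch {
        Write-Host "Error accessing Portable Devices: $_" -ForegroundColor Red
    }
}

function Show-SetupApiLog {
    # setupapi.dev.log: driver-install history; the last 20 lines mentioning USB.
    # The Windows directory is taken from the environment rather than assumed to be C:\Windows.
    $setupLog = Join-Path $env:SystemRoot 'inf\setupapi.dev.log'
    Write-Section -Title 'Setup API Device Install Log (Last 20 USB entries)' -Location $setupLog
    try {
        if (-not (Test-Path -LiteralPath $setupLog)) {
            Write-Host "Setup log not found." -ForegroundColor Gray
            return
        }
        # Only the matching line is printed, so no -Context is requested.
        $usbEntries = Select-String -Path $setupLog -Pattern 'USB' -ErrorAction SilentlyContinue |
            Select-Object -Last 20
        foreach ($entry in $usbEntries) {
            Write-Host $entry.Line -ForegroundColor Gray
        }
    } catch {
        Write-Host "Error accessing setup log: $_" -ForegroundColor Red
    }
}

function Get-UsbPnpEntities {
    # Resolves each Win32_USBControllerDevice.Dependent reference to the full
    # Win32_PnPEntity. Prefers CIM (PowerShell 3+; PowerShell 7 has no
    # Get-WmiObject) and falls back to WMI on older hosts.
    if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        # Index all PnP entities once so references are resolved without
        # building per-device WQL filters (DeviceIDs contain '\' and '&').
        $byId = @{}
        foreach ($entity in (Get-CimInstance -ClassName Win32_PnPEntity -ErrorAction SilentlyContinue)) {
            if ($entity.DeviceID) { $byId[$entity.DeviceID] = $entity }
        }
        Get-CimInstance -ClassName Win32_USBControllerDevice -ErrorAction SilentlyContinue |
            ForEach-Object {
                $id = $_.Dependent.DeviceID
                if ($id -and $byId.ContainsKey($id)) { $byId[$id] }
            }
    } else {
        Get-WmiObject Win32_USBControllerDevice -ErrorAction SilentlyContinue |
            ForEach-Object { [wmi]($_.Dependent) }
    }
}

function Show-LiveUsbDevices {
    # Devices currently attached to a USB controller, from the live PnP inventory.
    Write-Section -Title 'Current USB Devices (via WMI)'
    try {
        $wmiUSB = Get-UsbPnpEntities |
            Select-Object Description, DeviceID, Manufacturer |
            Where-Object { $null -ne $_.Description }   # $null on the left avoids array-comparison pitfalls
        if (-not $wmiUSB) {
            Write-Host "No USB devices currently connected." -ForegroundColor Gray
            return
        }
        foreach ($dev in $wmiUSB) {
            Write-Host "Description: $($dev.Description)" -ForegroundColor Yellow
            Write-Host " Device ID: $($dev.DeviceID)"
            Write-Host " Manufacturer: $($dev.Manufacturer)"
            Write-Host ""
        }
    } catch {
        Write-Host "Error accessing WMI: $_" -ForegroundColor Red
    }
}

# --- main -------------------------------------------------------------------
if (-not (Test-IsElevated)) {
    Write-Host "Warning: not running as Administrator; some artifacts may be missing." -ForegroundColor Yellow
}
Show-UsbStorDevices
Show-UsbDevices
Show-MountedDevices
Show-PortableDevices
Show-SetupApiLog
Show-LiveUsbDevices

Write-Host "`n=== Script Complete ===" -ForegroundColor Green
Write-Host "Note: Run as Administrator for complete results.`n"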