Anthropic-Cybersecurity-Skills/skills/analyzing-usb-device-connection-history/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Analyzing USB Device Connection History

## regipy (Python Registry Parser)

### Open and Parse Registry Hive

```python
from regipy.registry import RegistryHive
from regipy.utils import convert_wintime

# Offline SYSTEM hive copied from the target; ControlSet001 is hardcoded here,
# use the Select key (below) to pick the control set that was actually live.
reg = RegistryHive("/path/to/SYSTEM")
key = reg.get_key("ControlSet001\\Enum\\USBSTOR")
for subkey in key.iter_subkeys():
    # header.last_modified is a raw FILETIME; convert_wintime turns it into a datetime
    print(subkey.name, convert_wintime(subkey.header.last_modified))
    for val in subkey.iter_values():
        print(f"  {val.name} = {val.value}")
```

### Key Registry Paths for USB Forensics

| Path | Hive | Description |
|---|---|---|
| `ControlSet00X\Enum\USBSTOR` | SYSTEM | USB mass storage device identifiers |
| `MountedDevices` | SYSTEM | Drive letter to device mapping |
| `ControlSet00X\Enum\USB` | SYSTEM | All USB devices (not just storage) |
| `Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2` | NTUSER.DAT | Per-user volume access history |

### Determine Active ControlSet

```python
from regipy.registry import RegistryHive

reg = RegistryHive("/path/to/SYSTEM")
# The Select key records which ControlSet00X was in use at the last boot
select_key = reg.get_key("Select")
current = select_key.get_value("Current")   # integer, e.g. 1
controlset = f"ControlSet{current:03d}"     # -> "ControlSet001"
usbstor = reg.get_key(f"{controlset}\\Enum\\USBSTOR")
```
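The regipy calls above return raw values: a FILETIME integer for each key's last-write time, USBSTOR subkey names of the form `Disk&Ven_X&Prod_Y&Rev_Z`, and REG_BINARY data under `MountedDevices`. The following is an added example (not part of the skill's own `api-reference.md` or of regipy) that decodes those three things without needing a hive file: it converts FILETIME to UTC, splits a USBSTOR class key and instance ID into vendor/product/revision/serial (flagging Windows-generated instance IDs, which have `&` as their second character), and maps `\DosDevices\X:` entries back to the USB device that was mounted there. All sample values are constructed; the `SAMPLE_*` dictionaries stand in for what `iter_subkeys()` / `iter_values()` would yield.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME is 100-nanosecond ticks since 1601-01-01 UTC; regipy hands
# back subkey.header.last_modified as this raw integer.
def filetime_to_datetime(filetime: int) -> datetime:
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

# USBSTOR subkeys are named "<Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>" and
# each has one child per instance, e.g. "4C530001231005118072&0" (serial&index).
FIELD_NAMES = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}

def parse_usbstor_device(class_key: str, instance_id: str) -> dict:
    parts = class_key.split("&")
    device = {"device_type": parts[0], "instance_id": instance_id}
    for part in parts[1:]:
        tag, _, value = part.partition("_")      # product names may themselves contain '_'
        device[FIELD_NAMES.get(tag, tag.lower())] = value
    # When a device reports no unique serial, Windows synthesises an instance ID
    # whose second character is '&' (e.g. "6&2f4a8b3c&0"); such IDs cannot tie
    # the entry to one physical device across machines.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    device["serial_is_generated"] = generated
    device["serial"] = None if generated else instance_id.rsplit("&", 1)[0]
    return device

# MountedDevices values are REG_BINARY holding a UTF-16LE device path such as
# \??\USBSTOR#Disk&Ven_...#<instance>#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
# (the GUID is GUID_DEVINTERFACE_DISK). Internal disks hold an MBR/GPT locator instead.
MOUNTED_USBSTOR_RE = re.compile(
    r"[\\_]\?\?[\\_]USBSTOR#(?P<class_key>[^#]+)#(?P<instance_id>[^#]+)#\{(?P<interface_guid>[0-9a-fA-F-]+)\}"
)

def parse_mounted_device(raw: bytes) -> Optional[dict]:
    match = MOUNTED_USBSTOR_RE.search(raw.decode("utf-16-le", errors="ignore"))
    return match.groupdict() if match else None

def map_drive_letters(mounted_devices: Dict[str, bytes], usbstor: Dict[str, List[str]]) -> List[dict]:
    """mounted_devices: {value name: raw data} from SYSTEM\\MountedDevices.
    usbstor: {class key name: [instance ids]} from ControlSet00X\\Enum\\USBSTOR.
    Returns one row per drive letter that was backed by a USB storage device."""
    rows = []
    for name, raw in mounted_devices.items():
        if not name.startswith("\\DosDevices\\"):
            continue                              # \??\Volume{...} entries are skipped here
        hit = parse_mounted_device(raw)
        if hit is None:
            continue                              # internal disk or a non-USBSTOR bus
        row = parse_usbstor_device(hit["class_key"], hit["instance_id"])
        row["drive_letter"] = name.rsplit("\\", 1)[1]
        # Cross-check against Enum\USBSTOR: a letter with no matching Enum entry
        # suggests the device key was removed after the mount was recorded.
        row["in_enum_usbstor"] = hit["instance_id"] in usbstor.get(hit["class_key"], [])
        rows.append(row)
    return rows

# Constructed sample data standing in for the values regipy would return.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": ["4C530001231005118072&0"],
}
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3" "0010000000000000"),   # MBR signature + partition offset
    "\\DosDevices\\E:": "\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001231005118072&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    "\\DosDevices\\F:": "\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&2f4a8b3c&0&_&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
}

if __name__ == "__main__":
    print(filetime_to_datetime(132000000000000000).isoformat())
    for row in map_drive_letters(SAMPLE_MOUNTED_DEVICES, SAMPLE_USBSTOR):
        print(row)
```

With real hives, feed `map_drive_letters` the `{val.name: val.value}` pairs from `reg.get_key("MountedDevices").iter_values()` and the `{subkey.name: [child.name ...]}` layout from the USBSTOR key; the generated-serial flag is what tells you whether a serial can be matched against a device seized later.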

## pyevtx-rs `evtx` (Event Log Parsing)

```python
from evtx import PyEvtxParser   # pip package "evtx" (pyevtx-rs); python-evtx uses a different API
import json

parser = PyEvtxParser("/path/to/System.evtx")
for record in parser.records_json():
    data = json.loads(record["data"])
    event_id = data["Event"]["System"]["EventID"]
    # An <EventID Qualifiers="..."> element is rendered as {"#attributes": ..., "#text": N}
    if isinstance(event_id, dict):
        event_id = event_id["#text"]
    if int(event_id) in (20001, 20003):  # Microsoft-Windows-UserPnp device-install events
        print(record["timestamp"], event_id)
```
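The loop above assumes `EventID` is always a bare integer; in pyevtx-rs JSON it is a dict whenever the element carries a `Qualifiers` attribute, and a malformed record raises from `json.loads` and aborts the whole pass. The following is an added example (not from the skill or from pyevtx-rs) that filters records of the `records_json()` shape robustly, pulls the device instance ID out of the event's `UserData`, and skips bad records. The sample records are constructed; the `InstallDeviceID` / `AddServiceID` element names inside `UserData` are assumptions about how these events serialise, which is why the lookup walks the tree for a `DeviceInstanceID` key rather than hardcoding a path.

```python
import json
from typing import Any, Iterable, List, Optional

USB_DEVICE_INSTALL_EVENTS = {20001, 20003}   # Microsoft-Windows-UserPnp, System log

def extract_event_id(system: dict) -> Optional[int]:
    """Accept <EventID>20001</EventID> (int or str) as well as the dict form that
    pyevtx-rs emits for <EventID Qualifiers="0">20001</EventID>."""
    raw = system.get("EventID")
    if isinstance(raw, dict):
        raw = raw.get("#text")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None

def find_key(node: Any, wanted: str) -> Optional[Any]:
    """Depth-first search for a key name anywhere under UserData/EventData,
    so the exact wrapper element (assumed here) does not have to be known."""
    if isinstance(node, dict):
        if wanted in node:
            return node[wanted]
        for child in node.values():
            hit = find_key(child, wanted)
            if hit is not None:
                return hit
    elif isinstance(node, list):
        for child in node:
            hit = find_key(child, wanted)
            if hit is not None:
                return hit
    return None

def usb_install_events(records: Iterable[dict]) -> List[dict]:
    """records: dicts shaped like PyEvtxParser.records_json() output, i.e.
    {'event_record_id', 'timestamp', 'data'} with 'data' a JSON string."""
    out = []
    for rec in records:
        try:
            event = json.loads(rec["data"])["Event"]
        except (KeyError, ValueError, TypeError):
            continue   # truncated or corrupt record: skip it, do not abort the run
        event_id = extract_event_id(event.get("System") or {})
        if event_id not in USB_DEVICE_INSTALL_EVENTS:
            continue
        payload = event.get("UserData") or event.get("EventData") or {}
        device = find_key(payload, "DeviceInstanceID")
        if isinstance(device, dict):          # element with attributes -> {"#text": ...}
            device = device.get("#text")
        out.append({"record_id": rec.get("event_record_id"), "timestamp": rec.get("timestamp"),
                    "event_id": event_id, "device_instance_id": device})
    return sorted(out, key=lambda e: e["timestamp"] or "")

def _record(record_id: int, timestamp: str, event: dict) -> dict:
    return {"event_record_id": record_id, "timestamp": timestamp, "data": json.dumps({"Event": event})}

# Constructed sample records (values and UserData element names are made up for this example).
SAMPLE_RECORDS = [
    _record(4021, "2024-02-03T09:15:42.118Z", {
        "System": {"Provider": {"#attributes": {"Name": "Microsoft-Windows-UserPnp"}},
                   "EventID": {"#attributes": {"Qualifiers": 0}, "#text": 20001}, "Channel": "System"},
        "UserData": {"InstallDeviceID": {
            "DeviceInstanceID": "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001231005118072&0",
            "SetupClass": "{4d36e967-e325-11ce-bfc1-08002be10318}"}}}),
    _record(4022, "2024-02-03T09:15:44.501Z", {
        "System": {"EventID": 20003, "Channel": "System"},
        "UserData": {"AddServiceID": {"DeviceInstanceID": "USB\\VID_0781&PID_5567\\4C530001231005118072",
                                      "ServiceName": "USBSTOR"}}}),
    _record(4023, "2024-02-03T09:16:02.007Z", {
        "System": {"EventID": 7036, "Channel": "System"},
        "EventData": {"param1": "Windows Update", "param2": "running"}}),
    {"event_record_id": 4024, "timestamp": "2024-02-03T09:16:05.000Z", "data": "{not json"},
]

if __name__ == "__main__":
    for ev in usb_install_events(SAMPLE_RECORDS):
        print(ev["timestamp"], ev["event_id"], ev["device_instance_id"])
```

On a real log, pass `PyEvtxParser("/path/to/System.evtx").records_json()` straight in as `records`; the function yields the install timeline sorted by the record timestamp rather than by record ID, which matters when the log has wrapped.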

## SetupAPI Log Parsing

```python
import re

with open("setupapi.dev.log", "r", errors="ignore") as f:
    content = f.read()
# Pair each "Device Install (Hardware initiated)" header with the "Section start"
# line that follows it; matching "Section start" alone would report every section.
pattern = (r">>>\s+\[Device Install \(Hardware initiated\) - ([^\]]+)\]\r?\n"
           r">>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)")
first_install = {}
for device, ts in re.findall(pattern, content):
    first_install.setdefault(device, ts)   # log is chronological, so the first hit is the earliest
for device, ts in first_install.items():
    print("First install:", ts, device)
```
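`setupapi.dev.log` records every device-install section as a `>>>  [Device Install (Hardware initiated) - <instance id>]` header followed by a `>>>  Section start <timestamp>` line, and the first such section for a USBSTOR instance is the device's first connection. The following is an added example (not the skill's own code) that parses that layout from a constructed excerpt, keeps the earliest timestamp per device instance ID, and ignores unrelated sections such as driver-package imports and later re-installs of the same device. The excerpt's paths, IDs and timestamps are made up.

```python
import re
from datetime import datetime
from typing import Dict

# Constructed excerpt in the layout of setupapi.dev.log.
SAMPLE_SETUPAPI_LOG = """\
[Device Install Log]
     OS Version = 10.0.19045

>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001231005118072]
>>>  Section start 2024/02/03 09:15:41.870
      cmd: C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/02/03 09:15:42.105
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001231005118072&0]
>>>  Section start 2024/02/03 09:15:42.110
      cmd: C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/02/03 09:15:44.480
<<<  [Exit status: SUCCESS]

>>>  [Setup Import Driver Package - C:\\WINDOWS\\INF\\usbstor.inf]
>>>  Section start 2024/02/10 14:02:11.003
<<<  Section end 2024/02/10 14:02:11.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001231005118072&0]
>>>  Section start 2024/03/01 08:00:00.000
<<<  Section end 2024/03/01 08:00:00.950
<<<  [Exit status: SUCCESS]
"""

# Header line and its immediately following "Section start" line, captured together.
SECTION_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<device>[^\]]+)\]\r?\n"
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})",
    re.MULTILINE,
)

def parse_timestamp(ts: str) -> datetime:
    # Timestamps in this log are local time on the imaged machine, not UTC.
    return datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f")

def first_install_times(log_text: str) -> Dict[str, datetime]:
    """Earliest hardware-initiated install section per device instance ID.
    Driver-package imports and other section types are not connection events."""
    first: Dict[str, datetime] = {}
    for m in SECTION_RE.finditer(log_text):
        device, ts = m.group("device"), parse_timestamp(m.group("ts"))
        if device not in first or ts < first[device]:   # do not rely on file order
            first[device] = ts
    return first

def usb_storage_first_installs(log_text: str) -> Dict[str, datetime]:
    """Restrict to the USBSTOR bus, i.e. mass-storage devices only."""
    return {d: t for d, t in first_install_times(log_text).items()
            if d.upper().startswith("USBSTOR\\")}

if __name__ == "__main__":
    for device, ts in sorted(usb_storage_first_installs(SAMPLE_SETUPAPI_LOG).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(sep=" "), device)
```

The instance ID returned here is the same string that names the key under `Enum\USBSTOR`, so the result joins directly onto the registry data: SetupAPI gives the first install, the USBSTOR key's last-write time gives the most recent one.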

## USB Forensic Registry Keys

| Key | Data |
|---|---|
| `USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\Serial` | Device class and serial |
| `FriendlyName` value | Human-readable device name |
| `DeviceContainers` (SOFTWARE) | Device metadata with timestamps |
| `EMDMgmt` (SOFTWARE) | ReadyBoost device serial/volume info |

## References