analyzing-usb-device-connection-history

by mukul975

analyzing-usb-device-connection-history helps investigate USB device connection history on Windows using registry hives, event logs, and setupapi.dev.log for Digital Forensics, insider threat work, and incident response. It supports timeline reconstruction, device correlation, and removable-media evidence analysis.

Stars6.2k

Favorites0

Comments0

AddedMay 11, 2026

CategoryDigital Forensics

Install Command

npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-usb-device-connection-history

Curation Score

This skill scores 84/100, which means it is a solid directory listing for users doing Windows USB forensics. The repository gives enough real workflow detail and code-backed references that an agent can trigger it with less guesswork than a generic prompt, though users should still expect a few adoption gaps around packaging and end-to-end execution.

84/100

Strengths

Clear forensic use cases and trigger conditions for USB exfiltration, insider threat, and compliance investigations.
Substantial operational content: a long SKILL.md workflow plus registry/event-log/setupapi references and an accompanying Python agent script.
Good agent leverage from concrete artifact paths and parsing examples for SYSTEM, SOFTWARE, NTUSER.DAT, and Windows event logs.

Cautions

No install command in SKILL.md, so users may need to figure out setup and dependencies themselves.
Evidence is strong on parsing and artifact collection, but the excerpt shows some truncation and limited visible guidance on validation, edge cases, or reporting outputs.

Forensics Windows Registry Analysis Event Logs Setupapi Insider Threat Data Exfiltration Usb

Overview

Overview of analyzing-usb-device-connection-history skill

The analyzing-usb-device-connection-history skill helps you investigate USB device connection history on Windows systems using registry hives, event logs, and setupapi.dev.log. It is best for Digital Forensics, insider threat work, and incident response when you need to answer a simple but critical question: what removable media was connected, when, and on which machine or user context.

What this skill is for

This analyzing-usb-device-connection-history skill is built to reconstruct device timelines from artifacts such as SYSTEM, SOFTWARE, NTUSER.DAT, and Windows event logs. It is most useful when you need evidentiary detail, not just a generic “USB was used” statement.

Best-fit use cases

Use it when you are tracing possible data exfiltration, checking removable-media policy violations, correlating device insertion with user activity, or building a case timeline. If your goal is file recovery, malware removal, or general Windows triage, this skill is probably the wrong tool.

What makes it different

Compared with a normal prompt, this skill gives you a focused forensic workflow and artifact map: where to look, which registry paths matter, and how to correlate source files into a timeline. That reduces guesswork and helps you avoid missing the common USB evidence sources that matter in real cases.

How to Use analyzing-usb-device-connection-history skill

Install the skill first

Use the repository install flow for the analyzing-usb-device-connection-history install step, for example:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-usb-device-connection-history

After install, confirm the skill files are present and readable in your environment before relying on it in a case workflow.

Read these files in order

Start with SKILL.md, then check references/api-reference.md, and finally scripts/agent.py. That sequence tells you the intended workflow, the artifact targets, and the implementation assumptions. If you only skim one file, you will miss important context like active control set resolution and how device instances are parsed.

Give the skill usable evidence

For strong analyzing-usb-device-connection-history usage, provide:

the Windows version or expected host role
the artifact set you have: registry hives, EVTX files, or setupapi.dev.log
the investigation goal: exfiltration, policy compliance, or a device timeline
any known device clues: vendor, product, serial, drive letter, or date range

A weak prompt like “analyze USB history” is too vague. A stronger prompt is: “Analyze SYSTEM, NTUSER.DAT, and System.evtx from workstation WS-14 to identify all USB storage connections from 2024-05-01 to 2024-05-14 and correlate them to drive-letter mappings.”

Follow the workflow that the artifacts support

The skill works best when you treat it as a correlation task: identify the active ControlSet, pull USB identifiers from Enum\\USBSTOR and MountedDevices, then corroborate with event logs and setupapi.dev.log. That order matters because registry data often gives you the device inventory, while logs help narrow timing and usage context.

analyzing-usb-device-connection-history skill FAQ

Is this only for Digital Forensics?

No, but analyzing-usb-device-connection-history for Digital Forensics is the clearest fit. It also works for incident response, insider threat reviews, and compliance audits where removable-media history is relevant.

Do I need the skill if I can write my own prompt?

If you already know the Windows artifact paths and parsing sequence, a custom prompt may be enough. The skill is more useful when you want a repeatable analyzing-usb-device-connection-history guide that reduces missed artifacts and keeps the workflow anchored to forensic evidence.

What are the main boundaries?

This skill is not a substitute for full endpoint triage, and it will not magically recover missing logs. If registry hives are absent, logs were cleared, or the disk image is incomplete, the output will be limited by those gaps.

Is it beginner-friendly?

Yes, if you can supply the source artifacts. The skill is beginner-friendly for Windows artifact analysis, but it still assumes you understand that USB history can come from multiple places and may need correlation rather than a single-file lookup.

How to Improve analyzing-usb-device-connection-history skill

Provide cleaner inputs

The biggest quality jump comes from better source material. Give the model exact artifact names, acquisition timestamps, and case scope instead of “all USB stuff.” If you have multiple machines, separate them by host and time window so the analysis does not blend timelines.

Ask for correlation, not just extraction

The skill is strongest when you request a forensic conclusion, not a raw artifact dump. For example: “Identify each USB storage device, map it to user activity if possible, and note first-seen, last-seen, and any drive-letter assignments.” That produces a more useful analyzing-usb-device-connection-history usage result than asking for a list of keys.

Watch for common failure modes

Common weak outputs come from missing the active ControlSet, confusing per-user history with system-wide history, or treating one artifact as definitive on its own. Improve the result by asking for confidence levels, source-by-source notes, and explicit caveats when the evidence is partial.

Iterate after the first pass

If the first result is broad, refine it with targeted follow-up prompts: ask for a device-by-device timeline, a user-focused view, or a correlation against a specific exfiltration window. That is the best way to improve the analyzing-usb-device-connection-history skill output without restarting the whole case.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

analyzing-bootkit-and-rootkit-samples

by mukul975

analyzing-bootkit-and-rootkit-samples is a malware analysis skill for MBR, VBR, UEFI, and rootkit investigations. Use it to inspect boot sectors, firmware modules, and anti-rootkit indicators when compromise persists below the OS layer. It is suited for analysts who need a practical guide, clear workflow, and evidence-based triage for Malware Analysis.

Malware Analysis

Favorites 0GitHub 6.2k

extracting-browser-history-artifacts

by mukul975

extracting-browser-history-artifacts is a Digital Forensics skill for extracting browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge. Use it to turn browser profile files into timeline-ready evidence with repeatable, case-focused workflow guidance.

Digital Forensics

Favorites 0GitHub 0

analyzing-network-traffic-for-incidents

by mukul975

analyzing-network-traffic-for-incidents helps incident responders analyze PCAPs, flow logs, and packet captures to confirm C2, lateral movement, exfiltration, and exploitation attempts. Built for analyzing-network-traffic-for-incidents for Incident Response with Wireshark, Zeek, and NetFlow-style investigation.

Incident Response

Favorites 0GitHub 0

deobfuscating-javascript-malware

by mukul975

deobfuscating-javascript-malware helps analysts turn heavily obfuscated malicious JavaScript into readable code for malware analysis, phishing pages, web skimmers, droppers, and browser-delivered payloads. Use this deobfuscating-javascript-malware skill for structured deobfuscation, decode tracing, and controlled review when simple minification is not the issue.

Malware Analysis

Favorites 0GitHub 0

detecting-process-injection-techniques

by mukul975

detecting-process-injection-techniques helps analyze suspicious in-memory activity, validate EDR alerts, and identify process hollowing, APC injection, thread hijacking, reflective loading, and classic DLL injection for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-macro-malware-in-office-documents

by mukul975

analyzing-macro-malware-in-office-documents helps malware analysts inspect malicious VBA in Word, Excel, and PowerPoint files, decode obfuscation, and extract IOCs, execution paths, and payload staging logic for phishing triage, incident response, and document malware analysis.

Malware Analysis

Favorites 0GitHub 0

collecting-indicators-of-compromise

by mukul975

collecting-indicators-of-compromise skill for extracting, enriching, scoring, and exporting IOCs from incident evidence. Use it for Security Audit workflows, threat intel sharing, and STIX 2.1 output when you need a practical collecting-indicators-of-compromise guide instead of a generic incident-response prompt.

Security Audit

Favorites 0GitHub 0

analyzing-golang-malware-with-ghidra

by mukul975

analyzing-golang-malware-with-ghidra helps analysts reverse engineer Go-compiled malware in Ghidra with workflows for function recovery, string extraction, build metadata, and dependency mapping. The analyzing-golang-malware-with-ghidra skill is useful for malware triage, incident response, and Security Audit tasks that need practical, Go-specific analysis steps.

Security Audit

Favorites 0GitHub 0

building-incident-timeline-with-timesketch

by mukul975

building-incident-timeline-with-timesketch helps DFIR teams build collaborative incident timelines in Timesketch by ingesting Plaso, CSV, or JSONL evidence, normalizing timestamps, correlating events, and documenting attack chains for incident triage and reporting.

Incident Triage

Favorites 0GitHub 6.1k

analyzing-linux-kernel-rootkits

by mukul975

analyzing-linux-kernel-rootkits helps DFIR and threat-hunting workflows detect Linux kernel rootkits with Volatility3 cross-view checks, rkhunter scans, and /proc vs /sys analysis for hidden modules, hooked syscalls, and tampered kernel structures. It is a practical analyzing-linux-kernel-rootkits guide for forensic triage.

Digital Forensics

Favorites 0GitHub 0

detecting-mimikatz-execution-patterns

by mukul975

detecting-mimikatz-execution-patterns helps analysts detect Mimikatz execution using command-line patterns, LSASS access signals, binary indicators, and memory artifacts. Use this detecting-mimikatz-execution-patterns skill install for Security Audit, hunting, and incident response with templates, references, and workflow guidance.

Security Audit

Favorites 0GitHub 0

detecting-rootkit-activity

by mukul975

detecting-rootkit-activity is a Malware Analysis skill for finding rootkit indicators such as hidden processes, hooked system calls, altered kernel structures, hidden modules, and covert network artifacts. It uses cross-view comparison and integrity checks to help validate suspicious hosts when standard tools disagree.

Malware Analysis

Favorites 0GitHub 6.2k

analyzing-browser-forensics-with-hindsight

by mukul975

analyzing-browser-forensics-with-hindsight helps Digital Forensics teams analyze Chromium browser artifacts with Hindsight, including history, downloads, cookies, autofill, bookmarks, saved credentials metadata, cache, and extensions. Use it to reconstruct web activity, review timelines, and investigate Chrome, Edge, Brave, and Opera profiles.

Digital Forensics

Favorites 0GitHub 6.2k

hunting-advanced-persistent-threats

by mukul975

hunting-advanced-persistent-threats is a threat-hunting skill for detecting APT-style activity across endpoint, network, and memory telemetry. It helps analysts build hypothesis-driven hunts, map findings to MITRE ATT&CK, and turn threat intel into practical queries and investigation steps instead of ad hoc searches.

Threat Hunting

Favorites 0GitHub 0

extracting-windows-event-logs-artifacts

by mukul975

extracting-windows-event-logs-artifacts helps you extract, parse, and analyze Windows Event Logs (EVTX) for digital forensics, incident response, and threat hunting. It supports structured review of logons, process creation, service installs, scheduled tasks, privilege changes, and log clearing with Chainsaw, Hayabusa, and EvtxECmd.

Digital Forensics

Favorites 0GitHub 0