![Learning Python for Forensics](https://wfqqreader-1252317822.image.myqcloud.com/cover/923/36698923/b_36698923.jpg)
Running the script
We now have a script that takes a setupapi.dev.log file, as found on Windows 7, and outputs USB entries with their associated timestamps. The following screenshot shows how we can execute the script with a sample setupapi.dev.log file, which has been provided in the code bundle. Your output may vary depending on the setupapi.dev.log file you use the script on:
![](https://epubservercos.yuewen.com/F9A585/19470382208827306/epubprivate/OEBPS/Images/fd0d7ec0-c1ba-472c-b53b-cfb780f8fa95.png?sign=1739060704-aTylNQuPv8v4YhvkvsRHwSDLA2nv7THx-0-888bdb3dd5b8ba8d3e7cd4367732c431)
Since setupapi.dev.log has numerous entries, we have pulled out two additional snippets from our command's output that focus on USB and USBSTOR devices:
![](https://epubservercos.yuewen.com/F9A585/19470382208827306/epubprivate/OEBPS/Images/e0a7af39-e28b-49c8-9e83-af8c7cdd65cf.png?sign=1739060704-yFNqSuMQUyA3qO30QQBNZ8TWxA92UFpW-0-7aa7eddc21c7bd6c11bc497497c81dcb)
Our second snippet shows some details from the USBSTOR entries:
![](https://epubservercos.yuewen.com/F9A585/19470382208827306/epubprivate/OEBPS/Images/9f38a21a-037f-423c-b936-0f6172b92655.png?sign=1739060704-1nzN08y2bSprqSMnmEmXYLwkmdroW8hL-0-ba411966b5ebb0c0dfe0610366c563c0)
Our current iteration seems to generate some false positives by extracting responsive lines that do not pertain solely to USB devices; let's see how we can address that.
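The false-positive problem described above can be reproduced on a small scale. The following is an added example, not the book's script: the sample log lines are constructed in the Windows 7 setupapi.dev.log layout, and the names `parse_entries` and `usb_only` are hypothetical. It extracts every hardware-initiated install with its timestamp, then keeps only entries whose enumerator is USB or USBSTOR:

```python
import re

# Constructed sample in the Windows 7 setupapi.dev.log layout (not real case data).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5530\20052444100ED9C0A2C7]
>>>  Section start 2015/11/05 10:12:32.528
     ump: Creating Install Process: DrvInst.exe 10:12:32.559
<<<  Section end 2015/11/05 10:12:33.100
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Fit&Rev_1.26\20052444100ED9C0A2C7&0]
>>>  Section start 2015/11/05 10:12:33.300
<<<  Section end 2015/11/05 10:12:34.020
>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C52B&MI_00\7&1a2b3c4d&0&0000]
>>>  Section start 2015/11/06 08:01:10.002
<<<  Section end 2015/11/06 08:01:10.450
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_1E31&SUBSYS_21F317AA&REV_04\3&e89b380&0&A0]
>>>  Section start 2015/11/06 08:02:00.000
<<<  Section end 2015/11/06 08:02:01.000
"""

HEADER = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<dev>[^\]]+)\]", re.I)
START = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")

def parse_entries(text):
    """Return (device_id, timestamp) for every hardware-initiated install."""
    entries, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        head = HEADER.match(line)
        if not head:
            continue
        # The timestamp sits on the line after the header; tolerate a truncated log.
        nxt = START.match(lines[i + 1]) if i + 1 < len(lines) else None
        entries.append((head.group("dev"), nxt.group("ts") if nxt else None))
    return entries

def usb_only(entries):
    """Keep entries whose enumerator (text before the first backslash) is USB or USBSTOR."""
    wanted = {"USB", "USBSTOR"}
    return [(d, t) for d, t in entries if d.split("\\", 1)[0].upper() in wanted]

if __name__ == "__main__":
    all_entries = parse_entries(SAMPLE_LOG)
    print(len(all_entries), "install entries,", len(usb_only(all_entries)), "USB/USBSTOR")
    for dev, ts in usb_only(all_entries):
        print(ts, dev)
```

Filtering on the enumerator prefix is an assumption made for this example; on a real log, compare the filtered output against the unfiltered entries before discarding anything.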