peripheral-core — external-device (peripheral) connection forensic reader.
Parses Windows setupapi.dev.log device-installation logs into a uniform
DeviceConnection stream: bus-classified, with each timestamp tagged
authoritative-vs-inferred and the USB iSerial kept distinct from any volume
serial. The input is attacker-controllable evidence — parsing is lenient
(lossy UTF-8), bounds-checked, and never panics. No unsafe.
Findings (DMA-capable device, mass-storage, HID/BadUSB, OS-generated serial)
live in the sibling peripheral-forensic crate; this crate only decodes.
v0.2 enrichment (not in this release)
The richest source — the Windows registry SYSTEM\CurrentControlSet\Enum\
keys (USBSTOR/USB), MountedDevices, and the device-property 0066/0067
Last-Arrival/Last-Removal FILETIMEs — plus EVTX device events require the
(unpublished) winreg-core and winevt-forensic crates. They are deferred
to v0.2; v0.1 is scoped to the self-contained setupapi.dev.log source.
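The decoding model the description sketches (bus classification from the instance path, the USB iSerial kept apart from any volume serial, timestamps tagged authoritative or inferred, lossy and panic-free handling of attacker-controllable input), as an added example that is not the peripheral-core crate's code. The names Bus, Confidence, Stamp and DeviceConnection mirror the crate's item list, but their fields, the section-marker handling and the fallback that tags a Section end time as inferred are assumptions; the log lines in the test are constructed.

```rust
// Added example, not the peripheral-core crate's code: names mirror its item list, fields are assumptions.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Bus { Usb, UsbStor, Pci, Unknown }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Confidence { Authoritative, Inferred }
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Stamp { pub when: String, pub confidence: Confidence }
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DeviceConnection {
    pub bus: Bus,
    pub instance_id: String,
    /// Last component of the instance path (USB iSerial or OS-generated id); volume serials never land here.
    pub serial: Option<String>,
    pub first_seen: Option<Stamp>,
}

fn classify(instance: &str) -> Bus {
    match instance.split('\\').next().unwrap_or("").to_ascii_uppercase().as_str() {
        "USBSTOR" => Bus::UsbStor,
        "USB" => Bus::Usb,
        "PCI" => Bus::Pci,
        _ => Bus::Unknown,
    }
}
/// Decode raw setupapi.dev.log bytes leniently: lossy UTF-8, no indexing, no unwrap on input.
pub fn parse(raw: &[u8]) -> Vec<DeviceConnection> {
    let text = String::from_utf8_lossy(raw);
    let mut out: Vec<DeviceConnection> = Vec::new();
    for line in text.lines() {
        // Section markers are ">>>  ..." and "<<<  ..."; strip them whatever the spacing.
        let body = line.trim_start_matches(|c: char| c == '>' || c == '<').trim();
        if let Some(rest) = body.strip_prefix("[Device Install (Hardware initiated) - ") {
            let instance = rest.trim_end_matches(']').to_string();
            let serial = instance.rsplit('\\').next().filter(|s| !s.is_empty()).map(String::from);
            out.push(DeviceConnection { bus: classify(&instance), instance_id: instance, serial, first_seen: None });
        } else if let Some(ts) = body.strip_prefix("Section start ") {
            stamp(&mut out, ts, Confidence::Authoritative); // the install's own timestamp
        } else if let Some(ts) = body.strip_prefix("Section end ") {
            stamp(&mut out, ts, Confidence::Inferred); // assumption: end time only as a fallback
        }
    }
    out
}
fn stamp(out: &mut [DeviceConnection], ts: &str, c: Confidence) {
    // An authoritative start time overrides; an inferred end time only fills a gap.
    if let Some(last) = out.last_mut().filter(|l| l.first_seen.is_none() || c == Confidence::Authoritative) {
        last.first_seen = Some(Stamp { when: ts.trim().to_string(), confidence: c });
    }
}
```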
Modules
- setupapi: Parser for Windows setupapi.dev.log (Vista+) and setupapi.log (XP) device-installation logs.
Structs
- DeviceConnection: One external-device connection, normalized across sources.
- MitreRef: A MITRE ATT&CK technique a connection is consistent with — never a verdict.
- Provenance: Where a DeviceConnection was decoded from.
- Stamp: A timestamp tagged with its evidentiary confidence.
Enums
- Bus: The physical/logical bus a peripheral attached through.
- Confidence: How much trust a timestamp carries.