Module setupapi


Parser for Windows setupapi.dev.log (Vista+) and setupapi.log (XP) device-installation logs.

Forensic value: a device-install section header records the exact moment a device’s driver was installed — a first-connect timestamp that survives even after the registry Enum\ keys are wiped. This module extracts the enumerator, VID/PID, iSerial, and install time into a DeviceConnection.

Two header grammars are handled (citation: Microsoft Learn, SetupAPI Text Logs / Format of a Text Log Section Header):

  • Vista+ — description first, timestamp last inside the brackets: [Device Install (Hardware initiated) - USB\VID_0781&PID_5583\<serial> 2023/04/15 14:23:11.456]
  • XP — timestamp first inside the brackets: [2005/05/12 12:34:56 1234.5678] Device Install - USB\...

Lines that match neither grammar are skipped; the parser never panics.
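The following is an added example, not the module's own source, showing how a parser for the two header grammars above can be written so that it extracts enumerator, VID/PID, iSerial and install time and skips everything else without panicking. The `DeviceConnection` field names, the helper names and the sample log are assumptions made for this example; only the standard library is used.

```rust
// Added example (not the module's own code): a minimal parser for the two
// setupapi section-header grammars. Struct and function names are assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DeviceConnection {
    pub enumerator: String,     // bus enumerator, e.g. "USB"
    pub vid: Option<String>,    // hex vendor id, e.g. "0781"
    pub pid: Option<String>,    // hex product id, e.g. "5583"
    pub serial: Option<String>, // instance-id segment (iSerial when the device reports one)
    pub installed_at: String,   // "YYYY/MM/DD HH:MM:SS[.fff]" exactly as logged
}

/// "YYYY/MM/DD": three non-empty all-digit fields.
fn is_date(s: &str) -> bool {
    let f: Vec<&str> = s.split('/').collect();
    f.len() == 3 && f.iter().all(|p| !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()))
}

/// "HH:MM:SS" or "HH:MM:SS.fff": three non-empty digit fields (a dot is allowed in seconds).
fn is_time(s: &str) -> bool {
    let f: Vec<&str> = s.split(':').collect();
    f.len() == 3
        && f.iter().all(|p| !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit() || b == b'.'))
}

/// Split "USB\VID_0781&PID_5583\<serial>" into enumerator, VID, PID and instance id.
fn from_device_id(id: &str, installed_at: String) -> Option<DeviceConnection> {
    let mut segs = id.split('\\');
    let enumerator = segs.next().filter(|e| !e.is_empty())?.to_string();
    let hardware = segs.next().unwrap_or("");
    let serial = segs.next().filter(|s| !s.is_empty()).map(str::to_string);
    let (mut vid, mut pid) = (None, None);
    for token in hardware.split('&') {
        let upper = token.to_ascii_uppercase(); // logs are not consistent about case
        if let Some(v) = upper.strip_prefix("VID_") {
            vid = Some(v.to_string());
        } else if let Some(p) = upper.strip_prefix("PID_") {
            pid = Some(p.to_string());
        }
    }
    Some(DeviceConnection { enumerator, vid, pid, serial, installed_at })
}

/// Parse one line; returns None (never panics) for anything that is not a
/// device-install section header in either grammar.
pub fn parse_header(line: &str) -> Option<DeviceConnection> {
    // Assumption: real logs prefix section headers with ">>>  ", so tolerate it.
    let line = line.trim().trim_start_matches('>').trim_start();
    if !line.starts_with('[') {
        return None;
    }
    let close = line.find(']')?;
    let inner = &line[1..close];
    let rest = line[close + 1..].trim();

    // Vista+: "[Device Install (...) - <device id> YYYY/MM/DD HH:MM:SS.fff]"
    if inner.starts_with("Device Install") {
        let after = inner.split_once(" - ")?.1;
        let mut toks: Vec<&str> = after.split_whitespace().collect();
        if toks.len() < 3 {
            return None; // header without an in-bracket timestamp: skip it
        }
        let time = toks.pop()?;
        let date = toks.pop()?;
        if !is_date(date) || !is_time(time) {
            return None;
        }
        return from_device_id(toks[0], format!("{} {}", date, time));
    }

    // XP: "[YYYY/MM/DD HH:MM:SS tid.pid] Device Install - <device id>"
    let mut toks = inner.split_whitespace();
    let (date, time) = (toks.next()?, toks.next()?);
    if is_date(date) && is_time(time) && rest.starts_with("Device Install") {
        let id = rest.split_once(" - ")?.1.split_whitespace().next()?;
        return from_device_id(id, format!("{} {}", date, time));
    }
    None
}

/// Parse a whole log body: one DeviceConnection per matching header line.
pub fn parse_setupapi(body: &str) -> Vec<DeviceConnection> {
    body.lines().filter_map(parse_header).collect()
}

// Constructed sample (not a real log): one header per grammar plus lines that must be skipped.
pub const SAMPLE_LOG: &str = "\
[Boot Session: 2023/04/15 14:20:01.000]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5583\\4C530001230511112313 2023/04/15 14:23:11.456]
>>>  Section start 2023/04/15 14:23:11.456
[2005/05/12 12:34:56 1234.5678] Device Install - USB\\VID_0951&PID_1666\\0019E06B8A1C
random line with no header";

fn main() {
    for dev in parse_setupapi(SAMPLE_LOG) {
        println!("{:?}", dev);
    }
}
```

The example keeps the timestamp as the logged string rather than converting it, because the forensic value lies in the literal first-connect time and local-to-UTC conversion depends on the host's time zone at install time, which the log line does not carry.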

Functions

parse_setupapi
Parse a setupapi.dev.log / setupapi.log text body into one DeviceConnection per device-install section header.