Struct DeviceConnection 

pub struct DeviceConnection {

    pub bus: Bus,
    pub device_class_guid: Option<String>,
    pub vid: Option<u16>,
    pub pid: Option<u16>,
    pub device_serial: Option<String>,
    pub serial_is_os_generated: bool,
    pub friendly_name: Option<String>,
    pub device_instance_id: String,
    pub first_install: Option<Stamp>,
    pub last_install: Option<Stamp>,
    pub last_arrival: Option<Stamp>,
    pub last_removal: Option<Stamp>,
    pub parent_id_prefix: Option<String>,
    pub volume_guid: Option<String>,
    pub drive_letter: Option<char>,
    pub volume_serial: Option<u32>,
    pub disk_signature: Option<u32>,
    pub dma_capable: bool,
    pub mitre: Vec<MitreRef>,
    pub source: Provenance,
}

One external-device connection, normalized across sources.

The forensic cautions are baked into the type, not just the docs:

• device_serial is the USB iSerial and is a distinct field from volume_serial (a filesystem volume serial), so the two can never be conflated.
• serial_is_os_generated records that the device had no real iSerial (Windows synthesized one), weakening attribution.
• Each timestamp is a Stamp carrying its authoritative-vs-inferred Confidence.

Fields

bus: Bus

The classified bus.

device_class_guid: Option<String>

Device setup-class GUID, when known.

vid: Option<u16>

USB vendor id (VID_xxxx).

pid: Option<u16>

USB product id (PID_xxxx).

device_serial: Option<String>

The USB iSerial — the device-unique serial reported by the device. DISTINCT from any volume_serial.

serial_is_os_generated: bool

true when the instance-id serial was synthesized by Windows (the serial’s 2nd character is &) — the device exposed no real iSerial, so attribution is weaker.

friendly_name: Option<String>

Human-readable friendly name, when present.

device_instance_id: String

The full device instance id (e.g. USB\VID_0781&PID_5583\1234567890AB) — the primary key.

first_install: Option<Stamp>

First-seen / first-install — authoritative when from the setupapi section header.

last_install: Option<Stamp>

Last install/driver event.

last_arrival: Option<Stamp>

Last arrival (connect). INFERRED — derived from the undocumented registry 0066 device property (v0.2).

last_removal: Option<Stamp>

Last removal (disconnect). INFERRED — derived from the undocumented registry 0067 device property (v0.2).

parent_id_prefix: Option<String>

ParentIdPrefix — joins the storage device to its volume.

volume_guid: Option<String>

Volume GUID (\\?\Volume{...}).

drive_letter: Option<char>

Mounted drive letter.

volume_serial: Option<u32>

Filesystem volume serial (NTFS/FAT) — DISTINCT from the device’s USB device_serial.

disk_signature: Option<u32>

MBR disk signature.

dma_capable: bool

Whether the bus is bus-mastering DMA-capable (see Bus::is_dma_capable).

mitre: Vec<MitreRef>

MITRE ATT&CK techniques this connection is consistent with.

source: Provenance

Where this record came from (source file + 1-based line).

Trait Implementations

impl Clone for DeviceConnection

fn clone(&self) -> DeviceConnection

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DeviceConnection

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for DeviceConnection

impl PartialEq for DeviceConnection

fn eq(&self, other: &DeviceConnection) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for DeviceConnection