Removable devices connected to a machine

A Windows desktop has been infected by ransomware that you believe might have been transmitted through a USB drive. You want to identify the drive.

Required data

Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
sourcetype=winregistry friendlyname
```
Expand the result and look at the registry_value_data field.

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search	Explanation
`sourcetype=winregistry`	Search only Windows Registry logs.
`friendlyname`	Search for a registry entry value specific to USB devices. If `friendlyname` doesn’t yield results, try other entries, as described in Microsoft documentation.

The value in the registry_value_data field is the name of the USB device. After you have identified the device, you might want to look at the host or src_ip fields in the search result to identify the machine the device was plugged into. You might also want to identify any files that were downloaded from the removable device.

Finally, you might be interested in other processes associated with Investigating a ransomware attack.