ExamGuard is a portable forensic tool designed to collect USB device history and activity evidence from Windows lab computers for academic integrity investigations.
- USB Device History - Extract complete USB storage device history from Windows Registry
- Vendor Identification - Automatically resolve vendor names using VID/PID lookup
- Event Log Analysis - Collect USB-related events from Windows Event Logs
- System Information - Capture user login history, computer details, and timestamps
- Multiple Report Formats - Generate CSV, TXT, and HTML reports
- Portable Execution - Single EXE, no installation required
- Timestamped Evidence - All reports saved with datetime stamps for chain of custody
| Component | Requirement |
|---|---|
| OS | Windows 10/11 |
| Privileges | Administrator |
| Runtime | Standalone EXE (no dependencies) |
- Download ExamGuard.exe to your USB drive
- Right-click → Run as Administrator
- Wait for collection to complete (typically 5-10 seconds)
- Reports are saved in a timestamped folder on the USB drive
ExamGuard requires admin rights to access:
- Windows Registry (USB device history)
- Windows Event Logs (USB insertion events)
- Security Event Logs (user login information)
ExamGuard generates 4 comprehensive reports:
Complete USB device database with:
- Device name, manufacturer, product
- VID (Vendor ID) & PID (Product ID)
- Serial numbers
- First & last insertion timestamps
- Container IDs
USB-related Windows events:
- Event ID, source, timestamp
- Device insertion/removal events
- Driver installation logs
- Kernel-PnP configuration events
System details:
- Computer name & domain
- Current username
- Last user login time
- Last system boot time
- Administrator status
Professional HTML report combining all data with:
- System information header
- USB device table with vendor lookup
- Event log timeline
- Responsive design for easy viewing
```bash
pip install -r requirements.txt
python build.py
```

Output: dist/ExamGuard.exe (≈9 MB)

```
ExamGuard_USB/
├── dist/
│   └── ExamGuard.exe       # Standalone executable
├── main.py                 # Entry point
├── usb_collector.py        # USB registry collector
├── event_log_reader.py     # Event log parser
├── system_info.py          # System information gatherer
├── report_generator.py     # Multi-format report generator
├── build.py                # PyInstaller build script
├── icon.ico                # Application icon
├── requirements.txt        # Python dependencies
└── README.md               # Documentation
```
| Source | Purpose | Registry/Log Path |
|---|---|---|
| USBSTOR Registry | Device metadata | HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR |
| USB Registry | VID/PID/Manufacturer | HKLM\SYSTEM\CurrentControlSet\Enum\USB |
| Kernel-PnP Logs | Device events | Microsoft-Windows-Kernel-PnP/Configuration |
| Security Logs | Login history | Security Event ID 4624 |
| System Logs | Boot time | System Event ID 6005 |
Built-in database of 25+ common USB vendors:
- SanDisk, Kingston, Transcend, Samsung
- Western Digital, Seagate, Toshiba
- Generic devices (VID 0000)
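
The following is an added example, not ExamGuard's own code: it shows how key names from the two registry sources in the table above can be joined on the device serial so that a USBSTOR entry gets a VID/PID and a vendor name. The function names, the small vendor table, and the sample key names are assumptions constructed for illustration; it also flags instance IDs whose second character is `&`, which Windows generates for devices without a unique serial and which therefore cannot be matched across the two trees.

```python
import re

# Constructed subset of public USB vendor IDs; not ExamGuard's built-in database.
VENDORS = {"0781": "SanDisk", "0951": "Kingston", "8564": "Transcend",
           "04E8": "Samsung", "1058": "Western Digital", "0BC2": "Seagate",
           "0930": "Toshiba", "0000": "Generic"}

# Key-name layouts under Enum\USBSTOR and Enum\USB.
USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)"
    r"(?:&Rev_(?P<rev>[^\\]*))?\\(?P<inst>[^\\]+)$", re.I)
USB_RE = re.compile(
    r"USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>[^\\]+)$", re.I)

def serial_of(instance):
    """Return (serial, unique). '&' as 2nd char means Windows generated the ID."""
    generated = len(instance) > 1 and instance[1] == "&"
    serial = instance if generated else instance.rsplit("&", 1)[0]
    return serial.upper(), not generated

def correlate(usbstor_keys, usb_keys):
    """Join USBSTOR entries to USB VID/PID entries on the device serial."""
    by_serial = {}
    for key in usb_keys:
        m = USB_RE.search(key)
        if m:
            serial, unique = serial_of(m["inst"])
            if unique:  # generated IDs differ between the two trees
                by_serial[serial] = (m["vid"].upper(), m["pid"].upper())
    devices = []
    for key in usbstor_keys:
        m = USBSTOR_RE.search(key)
        if not m:
            continue
        serial, unique = serial_of(m["inst"])
        vid, pid = by_serial.get(serial, (None, None))
        devices.append({"reg_vendor": m["ven"], "product": m["prod"],
                        "serial": serial, "unique_serial": unique,
                        "vid": vid, "pid": pid,
                        "vendor": VENDORS.get(vid, "Unknown")})
    return devices

# Constructed sample key names (not taken from a real machine).
ENUM = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\"
SAMPLE_USBSTOR = [ENUM + r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230815117042&0",
                  ENUM + r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1a9c3&0"]
SAMPLE_USB = [ENUM + r"USB\VID_0781&PID_5567\4C530001230815117042",
              ENUM + r"USB\VID_0000&PID_0000\6&1b2c3d4&0&2"]

if __name__ == "__main__":
    for dev in correlate(SAMPLE_USBSTOR, SAMPLE_USB):
        print(dev)
```

A device reported with `unique_serial` set to false should not be treated as identifying one physical drive in a report.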
- Academic Integrity - Detect unauthorized USB usage during exams
- Forensic Investigations - Document USB device history
- Security Audits - Track data transfer devices
- IT Compliance - Verify USB policy adherence
This tool is designed for authorized forensic investigations only. Users must:
- Have proper authorization to examine target systems
- Comply with local laws and regulations
- Maintain proper chain of custody for evidence
- Respect user privacy and data protection laws
Krutarth Raychura
This project is licensed under the MIT License - see the LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
Made with ❤️ for Digital Forensics & Academic Integrity


