If you ask DFIR analysts, "What is best in life?", the answer you should hear is, "...creating timelines!" After all, industry luminaries such as Andrew said, "Time is the most important thing in life, and timelines are one of the most useful tools for investigation and analysis.", and Chris said, "The timeline is the central concept of all investigative work."
My previous blog post addressed USB-connected devices, but only from the perspective of Windows Event Logs. In this blog post, I wanted to include data from the Registry, incorporated in a timeline so that the various data sources could be viewed through a common lens, in a single pane of glass. 
I stated by using wevtutil.exe to export current copies of the five Windows Event Logs to a central location. I then used reg.exe to do the same thing for the System hive. I then used my timeline process (outlined in several of my books) to create the events file from the six data sources; I used wevtx.bat to parse the Windows Event Logs, and three newly created RegRipper Pro plugins to parse the relevant data from the System hive. The specific keys, values and data parsed from the hive were based largely on Yogesh's blog post, and this academic paper posted at the ResearchGate site. I created the initial plugins, and then modified them to display TLN-format output, for inclusion in timelines.
For this research, there where three specific devices I was interested in...my iPod, my iPhone, and a SanDisk Cruzer USB thumb drive. After creating the overall events file, I used the "type" and "find" commands to look for events associated specifically with those devices, isolated each into their own individual "overlay" events file, and then created timelines from each of those events files. This approach makes it easy to "see" what's going on and create artifact constellations, as I don't have to filter out "noise" associated with other events, and I still have the overall events file that I refer to. 
What I'm sharing below are partial timelines of events, just enough to demonstrate events based on intentionally limited data sources, so that initial artifact constellations can be developed. From this point, the constellations can be built out; for example, accessing files the SanDisk Cruzer will produce Windows shortcut files pointing to files on the "E:\" volume. Again, these timeline overlays are not complete, but are intended to demonstrate Registry artifacts associated with USB-connected devices alongside Windows Event Log artifacts.
iPodA while back, I inserted my iPod into my computer in order to retrieve music files, via iTunes, so that I could transfer them to my iPhone. I didn't think much about it at the time, but the connection was clearly "remembered" by Windows 10, specifically via the Registry.
Here are the events around the insertion:
Sun Jan  2 19:41:21 2022 Z  REG                        - First Inserted - Apple iPod [6&3091e96e&0&0000]  REG                        - First Install - Apple iPod [6&3091e96e&0&0000]  EVTX     Stewie     - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPod,4.3.5,40  REG                        - Last Inserted - Apple iPod [6&3091e96e&0&0000]
Sun Jan  2 19:41:15 2022 Z  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;iPod,{fc916355-34ea-555c-9e24-3c59f6125097},2,42,11
And here are the events around the removal of the device from the computer, a little more than 14 minutes later:
Sun Jan  2 19:55:46 2022 Z  REG                        - Last Removal - Apple iPod [6&3091e96e&0&0000]
The completed message string for the "Microsoft-Windows-DeviceSetupManager/112" event above is:
Device 'Apple iPod' ({fc916355-34ea-555c-9e24-3c59f6125097}) has been serviced, processed 6 tasks, wrote 34 properties, active worktime was 11748 milliseconds.
I state this specifically because following the "Last Removal" event on 2 Jan 2022, the timeline contains an additional 9 events from 6 Jan to 22 May, all for the same "Microsoft-Windows-DeviceSetupManager/112" event records for the iPod, but the last three string entries are different. In every case, only 1 task is run, and the active worktime runs from 0 to 31 milliseconds. I know that the iPod was not plugged in during these times, and as such, this seems to be an artifact the installation process.
iPhoneI have connected my iPhone to this Windows 10 system via a USB cable, to transfer pictures from it, and to transfer music files to it, via iTunes. Here was see one such connection on 7 May 2022:
Sat May  7 14:16:35 2022 Z  REG                        - Last Removal - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]  REG                        - Last Removal - Apple iPhone [6&139bb8e1&1&0000]
Sat May  7 14:14:57 2022 Z  EVTX     Stewie            - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,296
Sat May  7 14:14:56 2022 Z  REG                        - Last Inserted - Apple iPhone [6&139bb8e1&1&0000]  REG                        - Last Inserted - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]
There's information later in the timeline regarding another connection to the system, this time to copy pictures off of the iPhone. The "Last Inserted" and "Last Removal" events are from a different Registry key as seen above, as noted by the serial number in brackets at the end of the "event".
Fri Apr 15 16:23:13 2022 Z  REG                        - Last Removal - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]
...

Fri Apr 15 16:19:02 2022 Z  EVTX     Stewie            - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40
Fri Apr 15 16:18:57 2022 Z  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,140  REG                        - Last Inserted - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]
CruzerThe artifact constellation for the SanDisk Cruzer thumb drive is a bit different from that of the iPhone and the iPod. In this case, the events around the last time the device was inserted and then removed from the computer is less than a minute...
Mon May 16 22:07:08 2022 Z  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...  REG                        - Last Removal - SanDisk Cruzer USB Device  REG                        - Last Removal - Cruzer   [E:\]
Mon May 16 22:06:26 2022 Z  EVTX     Stewie            - Microsoft-Windows-Ntfs/145;3,{1e09345e-d3d4-11e8-92fd-1c4d704c6039},2,E:,false,0,{fab772f6-83e6-5d5f-1086-740d39e45bff},8,SanDisk ,16,Cruzer ...  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,512,8036285952,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,Integrated : ...
Mon May 16 22:06:24 2022 Z  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Cruzer,{81fa6fcf-bfc9-5887-bdbc-2cffb6be0b29},4,34,281  REG                        - Last Inserted - Cruzer    [E:\]  REG                        - Last Inserted - SanDisk Cruzer USB Device
Note that several of the events, particularly those from the Partition/Diagnostic Event Log, are shortened here for readability.
Registry Each of the above three devices appears in the Registry, specifically in the System hive, sometimes in multiple locations. For example, the SanDisk Cruzer thumb drive appears in both the USBStor and WPDBUSENUM subkeys.

From the USBStor key:Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02  2443931D6C0226E3&0    DeviceDesc     : @disk.inf,%disk_devdesc%;Disk drive    Mfg            : @disk.inf,%genmanufacturer%;(Standard disk drives)    Service        : disk                              FriendlyName   : SanDisk Cruzer USB Device         First Install  : 2021-09-09 17:37:15Z         First Inserted : 2021-09-09 17:37:15Z         Last Inserted  : 2022-05-16 22:06:24Z         Last Removal   : 2022-05-16 22:07:08Z     
From the WPDBUSENUM key:_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#2443931D6C0226E3&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}    DeviceDesc     : Cruzer                            FriendlyName   : E:\                               First Install  : 2021-09-09 17:37:17Z         First Inserted : 2021-09-09 17:37:17Z         Last Inserted  : 2022-05-16 22:06:24Z         Last Removal   : 2022-05-16 22:07:08Z
The Apple devices appear beneath the USB key, based on the vendor ID:VID_05AC&PID_129E  b9e69c2c948d76fd3f959be89193f30a500a0d50    DeviceDesc     : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device    Mfg            : @oem119.inf,%aapl%;Apple, Inc.    Service        : usbccgp                           FriendlyName   : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device    First Install  : 2022-01-02 19:41:16Z         First Inserted : 2022-01-02 19:41:15Z         Last Inserted  : 2022-01-02 19:41:15Z         Last Removal   : 2022-01-02 19:55:46Z     
VID_05AC&PID_129E&MI_00  6&3091e96e&0&0000    DeviceDesc     : Apple iPod                        Mfg            : Apple Inc.                        Service        : WUDFWpdMtp                        FriendlyName   : Apple iPod                        First Install  : 2022-01-02 19:41:21Z         First Inserted : 2022-01-02 19:41:21Z         Last Inserted  : 2022-01-02 19:41:21Z         Last Removal   : 2022-01-02 19:55:46Z     
VID_05AC&PID_129E&MI_01  6&3091e96e&0&0001    DeviceDesc     : @oem119.inf,%iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device    Mfg            : @oem119.inf,%aapl%;Apple, Inc.    Service        : WINUSB                            FriendlyName   : @oem119.inf,%iPhone.AppleUsbMux.DeviceDesc%;Apple Mobile Device USB Device    First Install  : 2022-01-02 19:41:16Z         First Inserted : 2022-01-02 19:41:16Z         Last Inserted  : 2022-01-02 19:41:16Z         Last Removal   : 2022-01-02 19:55:46Z     
VID_05AC&PID_12A8  00008030000E6C6C11DA802E    DeviceDesc     : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device    Mfg            : @oem119.inf,%aapl%;Apple, Inc.    Service        : usbccgp                           FriendlyName   : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device    First Install  : 2022-01-02 19:56:40Z         First Inserted : 2022-01-02 19:56:40Z         Last Inserted  : 2022-05-07 14:14:56Z         Last Removal   : 2022-05-07 14:16:35Z     
VID_05AC&PID_12A8&MI_00  6&139bb8e1&1&0000    DeviceDesc     : Apple iPhone                      Mfg            : Apple Inc.                        Service        : WUDFWpdMtp                        FriendlyName   : Apple iPhone                      First Install  : 2022-01-02 19:56:46Z         First Inserted : 2022-01-02 19:56:46Z         Last Inserted  : 2022-05-07 14:14:56Z         Last Removal   : 2022-05-07 14:16:35Z     
Additional ResourcesNote that per Yogesh's blog post, the "Microsoft-Windows-Kernel-PnP/Device Configuration" Event Log may also contain information about the connected devices.
One More ThingWhile I was doing some research for this blog post, I ran across this entry for event ID 112, albeit from the Microsoft-Window-TaskScheduler/Operational" Event Log. Once again, please stop referring to event records solely by their ID, and start including the event source, as well.