I'm trying to track down whether a specific USB hard drive was attached to any of 3 computers that I have E01 evidence files of.
(Edit: I no longer have access to the original USB device, just the E01 image of it.)
I've identified the Volume Serial Number of the USB hard drive and checked the SYSTEM hive of each looking for the USBSTOR keys. While each lists several devices per computer, they do not appear in the format that I was expecting (the 8 digit VSN followed by &0 or &1) but instead are considerably longer.
Some of the keys start 9&, which as I understand means that they did not have a readable VSN so the computer generated an ID for them, but the others look like hex strings and end in either $0 or $1; they're just too long.
The three computers are running Windows 7, Windows 8.1 and Windows 10 respectively.
Has Windows changed the way it records the VSN in the USBSTOR key in these versions of Windows, and if so, can the USB device still be identified from these entries?
Cheers
Have you checked the log C:\Windows\inf\setupapi.dev.log?
I hadn't. I've subsequently checked the EMDMgmt key in the registry and run GREP searches for the VSN in hex; both of those came up blank.
I'm looking at the setupapi.dev.log file now but I'm not sure what I'm looking for in there. The manufacturer name (verbatim) doesn't appear in the log, but looking at other USB devices installed, if one of those entries is a serial number of any kind, it's not one that I recognise as a serial number.
Hello,
Hope this info helps
To find out USB Serial Number:
SYSTEM\CurrentControlSet\Enum\USBSTOR
&
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
To find out Volume Name:
SOFTWARE\Microsoft\Windows Portable Devices\Devices
To find out USB Vendor and Product ID:
SYSTEM\CurrentControlSet\Enum\USB
Volume GUID and Assigned Volume Drive Letter:
SYSTEM\MountedDevices
Time USB First Attached:
SYSTEM\CurrentControlSet\Enum\USBSTOR
&
ROOT\Windows\inf\setupapi.dev.log
Time USB Last Attached after reboot:
SYSTEM\CurrentControlSet\Enum\USB
User Account that mounted volume and Time USB Last Attached:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
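
For the setupapi.dev.log step discussed in this thread, the following is an added example (not code from any poster) that pulls each USBSTOR device ID and its earliest "Section start" time out of the log and splits off the instance-ID part of the key name. The sample log is constructed, the function names are hypothetical, and the hex-to-ASCII decoding is a heuristic assumption for serials that look like hex strings; setupapi.dev.log timestamps are in the machine's local time.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log section layout (not case data).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_Elements_1042&Rev_1012\575844314133423435363738&0]
>>>  Section start 2015/03/02 09:14:51.227
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\9&2a1b3c4d&0]
>>>  Section start 2015/04/10 17:40:03.518
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")

def split_instance(device_id):
    """Return (ven_prod_rev, serial, windows_generated) for a USBSTOR device ID."""
    _, hardware, instance = device_id.split("\\", 2)
    serial = instance.rsplit("&", 1)[0]          # drop the trailing &0 / &1
    # '&' as the second character marks an ID generated by Windows.
    generated = len(instance) > 1 and instance[1] == "&"
    return hardware, serial, generated

def hex_ascii(serial):
    """Heuristic: decode a serial that is hex-encoded ASCII text, else None."""
    if len(serial) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", serial):
        return None
    text = bytes.fromhex(serial).decode("ascii", errors="replace")
    return text if text.isalnum() else None

def first_installs(log_text):
    """Map each USBSTOR device ID to its earliest 'Section start' (local time)."""
    found, pending = {}, None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)
            pending = m.group(1) if m else None   # ignore non-USBSTOR sections
            continue
        m = START.match(line)
        if m and pending:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            found[pending] = min(when, found.get(pending, when))
            pending = None
    return found

if __name__ == "__main__":
    for dev, when in sorted(first_installs(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(when, *split_instance(dev), hex_ascii(split_instance(dev)[1]))
```

A decoded value is only a candidate to compare against the serial printed on the drive or reported by its enclosure.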