±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36231
New Yesterday: 0 Visitors: 582

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

USBSTOR Registry Entries Windows 7+

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts


USBSTOR Registry Entries Windows 7+

Post Posted: Apr 25, 17 14:47

I'm trying to track down whether a specific USB hard drive was attached to any of 3 computers that I have EO1 evidence files of.

(Edit: I no longer have access to the original USB device just the EO1 image of it)

I've identified the Volume Serial Number of the USB hard drive and checked the SYSTEM hive of each looking for the USBSTOR keys, while each lists several devices per computer they do not appear in the format that I was expecting (the 8 digit VSN followed by &0 or &1) but instead are considerably longer.

Some of the keys start 9& which as I understand means that they did not have a readable VSN so the computer generated an ID for them but the others look like hex strings and end in either $0 or $1 they're just too long.

The three computers are running Windows 7, Windows 8.1 and Windows 10 respectively.

Has windows changed the way it records the VSN in the USBSTOR key in these versions of Windows and if so can the USB device still be identified from these entries?


Senior Member

Re: USBSTOR Registry Entries Windows 7+

Post Posted: Apr 25, 17 20:43

Have you check the log C:\Windows\inf\setupapi.dev.log  


Re: USBSTOR Registry Entries Windows 7+

Post Posted: Apr 27, 17 12:58

- Deltron
Have you check the log C:\Windows\inf\setupapi.dev.log

I hadn't, I've subsequently checked the EMDMgmt key in the registry and run GREP searches for the VSN in hex, both of those came up blank.

I'm looking at the setupapi.dev.log file now but I'm not sure what I'm looking for in there, the manufacturer name (verbatim) doesn't appear in the log but looking at other USB devices installed if one of those entires is a serial number of any kind it's not one that I recognise as a serial number  


Re: USBSTOR Registry Entries Windows 7+

Post Posted: May 10, 17 13:30


Hope this info helps:

To find out USB Serial Number:




To find out Volume Name:

SOFTWARE\Microsoft\Windows\ Portable Devices \Devices

To find out USB Vendor and Product ID:


Volume GUID and Assigned Volume Drive Letter:


Time USB First Attached:




Time USB Last Attached after reboot:


User Account that mounted volume and Time USB Last Attached:


Page 1 of 1