USBSTOR Registry Entries Windows 7+

Banjax
Newbie
 

USBSTOR Registry Entries Windows 7+

Post Posted: Apr 25, 17 14:47

I'm trying to track down whether a specific USB hard drive was attached to any of 3 computers that I have E01 evidence files of.

(Edit: I no longer have access to the original USB device, just the E01 image of it)

I've identified the Volume Serial Number of the USB hard drive and checked the SYSTEM hive of each looking for the USBSTOR keys. While each lists several devices per computer, they do not appear in the format that I was expecting (the 8 digit VSN followed by &0 or &1) but instead are considerably longer.

Some of the keys start 9&, which as I understand means that they did not have a readable VSN so the computer generated an ID for them, but the others look like hex strings and end in either $0 or $1; they're just too long.

The three computers are running Windows 7, Windows 8.1 and Windows 10 respectively.

Has Windows changed the way it records the VSN in the USBSTOR key in these versions of Windows, and if so can the USB device still be identified from these entries?

Cheers  
 
  

Deltron
Senior Member
 

Re: USBSTOR Registry Entries Windows 7+

Post Posted: Apr 25, 17 20:43

Have you checked the log C:\Windows\inf\setupapi.dev.log?
 
  

Banjax
Newbie
 

Re: USBSTOR Registry Entries Windows 7+

Post Posted: Apr 27, 17 12:58

- Deltron
Have you checked the log C:\Windows\inf\setupapi.dev.log?


I hadn't. I've subsequently checked the EMDMgmt key in the registry and run GREP searches for the VSN in hex; both of those came up blank.

I'm looking at the setupapi.dev.log file now but I'm not sure what I'm looking for in there. The manufacturer name (verbatim) doesn't appear in the log, but looking at other USB devices installed, if one of those entries is a serial number of any kind it's not one that I recognise as a serial number.
 
  

ssstu
Member
 

Re: USBSTOR Registry Entries Windows 7+

Post Posted: May 10, 17 13:30

Hello,

Hope this info helps:

To find out USB Serial Number:

SYSTEM\CurrentControlSet\Enum\USBSTOR

&

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

To find out Volume Name:

SOFTWARE\Microsoft\Windows Portable Devices\Devices

To find out USB Vendor and Product ID:

SYSTEM\CurrentControlSet\Enum\USB

Volume GUID and Assigned Volume Drive Letter:

SYSTEM\MountedDevices

Time USB First Attached:

SYSTEM\CurrentControlSet\Enum\USBSTOR

&

ROOT\Windows\inf\setupapi.dev.log

Time USB Last Attached after reboot:

SYSTEM\CurrentControlSet\Enum\USB

User Account that mounted volume and Time USB Last Attached:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2  
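
An added example, not code from any poster in this thread: the USBSTOR instance ID is the device's USB serial number (or a Windows-generated ID when its second character is &), while EMDMgmt subkey names end with the volume serial number in decimal, so the sketch below parses both and joins them on the instance ID. All key names and values in it are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample key names (not from the thread), laid out like the
# USBSTOR and EMDMgmt subkeys named in the post above.
USBSTOR_KEYS = [
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_Portable&Rev_1.00\575845314133304B&0",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\9&2a1b3c4d&0",
]
EMDMGMT_KEYS = [
    r"_??_USBSTOR#Disk&Ven_ACME&Prod_Portable&Rev_1.00#575845314133304B&0"
    r"#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_439041101",
]

EMD_RE = re.compile(
    r"#(?P<instance>[^#]+)#\{[0-9a-fA-F-]+\}(?P<label>.*)_(?P<vsn>\d+)$")

def parse_usbstor(path):
    """Split a USBSTOR key path into vendor/product fields and instance ID."""
    device_id, instance = path.split("\\")[-2:]
    fields = dict(p.split("_", 1) for p in device_id.split("&")[1:] if "_" in p)
    # Second character '&': Windows generated the ID, the device reported
    # no unique serial number of its own.
    generated = len(instance) > 1 and instance[1] == "&"
    serial = None if generated else instance.rsplit("&", 1)[0]
    return {"vendor": fields.get("Ven"), "product": fields.get("Prod"),
            "instance": instance, "serial": serial, "generated": generated}

def parse_emdmgmt(name):
    """Pull instance ID, volume label and VSN (decimal -> hex) from a subkey name."""
    m = EMD_RE.search(name)
    if not m:
        return None
    return {"instance": m["instance"], "label": m["label"],
            "vsn_hex": f"{int(m['vsn']):08X}"}

def devices_with_vsn(target_vsn, usbstor_paths, emd_names):
    """Return EMDMgmt records matching target_vsn, joined to their USBSTOR entry."""
    target = target_vsn.replace("-", "").upper()
    known = {d["instance"].upper(): d for d in map(parse_usbstor, usbstor_paths)}
    hits = []
    for rec in filter(None, map(parse_emdmgmt, emd_names)):
        if rec["vsn_hex"] == target:
            hits.append({**rec, "usbstor": known.get(rec["instance"].upper())})
    return hits

if __name__ == "__main__":
    for hit in devices_with_vsn("1A2B-3C4D", USBSTOR_KEYS, EMDMGMT_KEYS):
        print(hit)
```

An empty EMDMgmt result does not rule out a connection: the key is written by ReadyBoost and is not present on every system.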
 
