Drive letter changes

I have a case where a USB device was inserted at 1PM and given drive letter "F" and then at 105 PM another USB device was inserted and given drive letter "F". Does this mean that the first device was removed? Where does the registry track manual drive letter changes - or does it?

Thanks

Yes/No.
For USB Windows NT based systems (a GUESS since you did not provide this info) available letters are assigned by the system "automatically".
Normally when you insert a USB device it gets first available letter(s), but drive letters can be also managed "manually", and this is not "tracked".
It is only "logical" that to be assigned to a new device a drive letter needs to be available at the moment the device is automatically assigned a drive letter (insertion of USB device) but you have not a gurantee that something like
http//www.petri.co.il/change_system_drive_letter_in_windows_xp.htm
has not been performed.

BUT what is in SETUPAPI.LOG (if applicable)?
See
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6443
There might be #I289 and #I048 which could give you the answer.

IMHO, from the data you provided
What you can say without doubt is that after 100 and before 105 the drive letter "F" was unassigned and became available to be assigned to the new USB device.
It is likely that first device was removed before the new one was connected.

jaclaz

Well, it would be a real "incident" if Windows assigned the same drive letter to two different devices 😉 thus I'd say the other should have been removed. However, as jaclaz noted, if a Windows user was capable of running diskmgmt console, one cannot exclude he changed the assigned drive letter manually and then connected another device.

Well, it would be a real "incident" if Windows assigned the same drive letter to two different devices 😉

Not really … I see that perhaps every other month or so, though I have not been able to reproduce the problem on another platform.

In my ase, it seems to involve a) a USB mass memory device which has been connected and been assigned a letter X, and b) a CD/DVD or other removable media device which has previously been connected to the system and then been assigned device letter X.
Sometimes, when I connect the removable media device, the current x device is lost, and the new device replaces it. When it is disconected, the old device reappears under the same letter. In some cases, I get an error – 'please insert device …', referring the still connected but seemingly 'lost' USB stick. I've never see in go the other way – i.e. losing a USB DVD reader when an USB stick is inserted.

I suspect that some special CD/DVD driver may be involved CloneCD or Alcohol or something like that, but I have not been able to repeat it. Perhaps USB-related drivers for VMWare or VirtualBox or such are part of it. At present, I can't rule out that the phase of the moon isn't involved.

No virtual devices, all hardware. No virtual computers, all standard platform. I've seen it both on XP and lately on 7.

But as regards the present thread – can the USB receptacle that the USB device was connected to be identified? That might help.

I suspect that some special CD/DVD driver may be involved CloneCD or Alcohol or something like that, but I have not been able to repeat it.
Perhaps USB-related drivers for VMWare or VirtualBox or such are part of it. At present, I can't rule out that the phase of the moon isn't involved.

Only on Frydays and on months with an "r". wink

Seriously when you connect a "physical" USB device to a Virtual Box VM, the device "vanishes" from the tray app for "Safe Removal" AND it disappears from Explorer 😯 (which BTW sometimes uses Registry Key MountPoints2), see this for a "horror story"
http//www.msfn.org/board/topic/141754-ghost-partition-appearing-at-every-boot/

Completely unrelated, but not that much, when it comes to virtual drivers (which BTW both CloneCD and Alcohol are), *anything* and the opposite of *anything* is possible.
See here for various attempts
http//www.msfn.org/board/topic/123929-updated-batch-file-for-ordering-drive-letter-shifting/
http//www.msfn.org/board/topic/124539-more-compatible-batch-file-for-ording-drive-letters/
http//www.msfn.org/board/topic/125992-switching-and-rearranging-drive-letters-utility-for-windows/

jaclaz

Thank you for your replys!

The machine in question was a Vista machine and it was the first time that either drive had ever been inserted into the computer, per the setupaip.dev.log.