I've been reading small parts of Harlan's book (which, from what I've read, was worth every penny) and as a test I'm trying to match an external HDD connected to a machine to a specific drive letter.
I know the external HDD was mounted under drive letter "F", and I know that in the USBStor key the HardwareID value for the related drive reads
"USBSTOR\DiskST3320620A"
The serial number on the sticker of the HDD is "ST3320620A"; so far so good.
However, obtaining the serial number from the MountedDevices key is proving a little trickier. The related entry in this key reads
"\DosDevices\F REG_BINARY 8C 73 F4 D0 00 10 EC 03 00 00 00 00"
I understand that the signature for the drive is represented by the first DWORD - "8C 73 F4 D0" and that a drive's signature is located at offset 0x1b8 (or 440 in decimal).
Assuming that I do not have access to the external HDD, how would I obtain the signature so that it literally reads "ST3320620A" from this, thus proving that the external was assigned the drive letter F? Is the drive signature even the same thing as the serial?
I really want a way to link these…
Thanks and bear with me, I'm a slow student :D
> I'm trying to match an external HDD connected to a machine to a specific drive letter.
> Thanks and bear with me, I'm a slow student :D
You know what? Me too. This one has taken me a hell of a long time to get to grips with! The way that I now understand it is as follows (examples are taken from a 2Gb SanDisk plugged into two Windows XP machines …)
When you plug in a USB device a few things happen:
(1) It is recorded in the setupapi.log file …
[2007/09/17 14:50:36 736.14 Driver Install]
#-019 Searching for hardware ID(s) usbstor\disksandisk_cruzer_micro____0.1_,usbstor\disksandisk_cruzer_micro____,usbstor\disksandisk_,usbstor\sandisk_cruzer_micro____0,sandisk_cruzer_micro____0,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s) usbstor\disk,usbstor\raw
...Taken out for the sake of boredom ...
#I123 Doing full install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0.1\20052444110CD7F13E94&0".
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0.1\20052444110CD7F13E94&0" finished successfully.
(2) It creates the registry entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ for the device using the device class ID as the title …
Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_0.1
under this you get the data that you need. The first thing of interest is the unique instance key this is, and I quote, "either the serial number retrieved from the device's device descriptor, or, if the device does not have a serial number, … an identifier generated by the system itself". This means that if your device has a serial number, then it is the same on all systems, if it doesn't though each system will most likely generate a different one (n.b. if the second character is a "&" then it is system generated ). On both systems I tested on, the number was the same, and the second char isn't an "&", so I guess I have a serial number !
It is under this number that you have obtained your "HardwareID" information from - this isn't the serial number, rather it is similar to the hardware class ID, a generic for all of that type of device, not a specific one … ( I believe … ).
The useful data for linking to a drive letter is the "ParentIdPrefix" it seems. If you make a note of this, in my case
7&1f58f1ce&0
we can move onto part …
(3) Which is the data that is created under the "MountedDevices" registry key. Looking in here, I can see, as you did, the \DosDevices\E type things (mine mounts to E). You know that it mounted on F, so right-click on it and select "Modify" - this gives you the HEX Viewer type view of the binary data and you'll get something like …
\??\STORAGE#RemovableMedia#7&1f58f1ce&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Spot the bit that matches up? Because this was the E key, I can therefore deduce that this was connected to E …
Now into something I'm not so sure about: these DosDevices with drive letters only tell you about the last device that was assigned that letter. The other entries in the MountedDevices key show other devices that have been mounted (in my case, my iPod amongst others …) as "\??\Volume{etc}" entries. Is there any way of telling what drive these were mounted as once upon a time?
This answers, I believe, the specific question that you asked. I researched from http://
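An added example (mine, not code from this thread) of doing the same matching offline, against values pulled from the SYSTEM hive in an image, rather than by right-clicking in Registry Editor. Both sample values are constructed: the 12-byte one is the F: value quoted earlier in the thread, the UTF-16LE one is modelled on the RemovableMedia string in this post. Value names carry the colon Windows actually writes (\DosDevices\F:), which the quoted text has lost.

```python
import struct
from typing import Dict, List

# Constructed sample values, as a hive parser would return them from an imaged
# SYSTEM hive (REG_BINARY, raw bytes). No live registry access required.
DOSDEVICES_F = bytes.fromhex("8C73F4D0" "0010EC03" "00000000")   # the F: value from the thread
DOSDEVICES_E = (
    "\\??\\STORAGE#RemovableMedia#7&1f58f1ce&0&RM#"
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
).encode("utf-16-le")                                             # removable-media form

REMOVABLE_PREFIX = "\\??\\STORAGE#RemovableMedia#"


def decode_mounted_device(value: bytes) -> dict:
    """Classify one MountedDevices value.

    A 12-byte value is an MBR volume: 4-byte disk signature followed by the
    8-byte starting byte offset of the partition, both little-endian. The four
    signature bytes sit in the value in the same order as at offset 0x1B8 of
    sector 0; read as a DWORD they give the number Disk Management shows.
    Longer values are UTF-16LE device interface paths; for removable USB media
    the path embeds the ParentIdPrefix of the USBSTOR instance.
    """
    if len(value) == 12:
        signature, offset = struct.unpack("<IQ", value)
        return {
            "kind": "mbr",
            "raw_signature": value[:4].hex(" ").upper(),  # as Registry Editor shows it
            "signature": f"{signature:08X}",               # as a DWORD
            "partition_offset": offset,
        }
    path = value.decode("utf-16-le")
    info = {"kind": "device_path", "path": path}
    if path.startswith(REMOVABLE_PREFIX):
        # \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{interface GUID}
        instance = path[len(REMOVABLE_PREFIX):].split("#", 1)[0]
        info["parent_id_prefix"] = instance.rsplit("&", 1)[0]   # drop trailing "&RM"
    return info


def letters_for_parent_id(mounted: Dict[str, bytes], parent_id_prefix: str) -> List[str]:
    """Drive letters whose current MountedDevices value embeds this ParentIdPrefix.

    Only the last device assigned each letter is recorded here, so a miss does
    not prove the device was never mounted under that letter.
    """
    hits = []
    for name, value in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        if decode_mounted_device(value).get("parent_id_prefix") == parent_id_prefix:
            hits.append(name[len("\\DosDevices\\"):])
    return hits


def letters_for_signature(mounted: Dict[str, bytes], raw_signature: bytes) -> List[str]:
    """Drive letters whose MountedDevices value starts with these four signature bytes.

    This is the route for a USB hard disk, which is a fixed disk with an MBR and
    therefore gets the 12-byte form rather than a RemovableMedia path.
    """
    return [
        name[len("\\DosDevices\\"):]
        for name, value in mounted.items()
        if name.startswith("\\DosDevices\\") and len(value) == 12 and value[:4] == raw_signature
    ]


if __name__ == "__main__":
    sample = {"\\DosDevices\\E:": DOSDEVICES_E, "\\DosDevices\\F:": DOSDEVICES_F}
    for name, value in sample.items():
        print(name, decode_mounted_device(value))
    print("ParentIdPrefix 7&1f58f1ce&0 ->", letters_for_parent_id(sample, "7&1f58f1ce&0"))
    print("signature 8C 73 F4 D0     ->", letters_for_signature(sample, bytes.fromhex("8C73F4D0")))
```

The split between the two forms is the practical point for the rest of the thread: a thumb drive shows up as a RemovableMedia path that can be tied to a USBSTOR instance through ParentIdPrefix, while an external hard disk shows up as signature plus partition offset and has to be tied to the physical disk instead.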
Thanks for that Azrael, I appreciate the information; however, in my case it's more complicated.
My first problem is that I'm not performing a live analysis here, this is on an imaged drive and so I can't go to "MountedDevices", right-click "\DosDevices\F" and select "Modify".
The only data I can see relating to this entry is the name (\DosDevices\F), the type (REG_BINARY) and the data (8C 73 F4 D0 00 10 EC 03 00 00 00 00).
My second problem is that the key in USBStor for the external drive I plugged in has no "ParentIdPrefix" entry at all; it also has the drive serial number in the name of the drive, and where you would expect to see the serial number (in the next key after this is expanded) there is a key named "2EB8" instead.
To make this totally clear:
I expand the USBStor key;
I expand a key under this named "Disk&Ven_ST332062&Prod_0A&Rev_3.AA";
I highlight a key under this named "2EB8" which has values for:
DeviceDesc
Capabilities
UINumber
HardwareID <————— (oh yeah, as mentioned in my first post, this also has the HDD serial no. in its value)
CompatibleIDs
Service
ClassGUID
ConfigFlags
Driver
Class
Mfg
but no "ParentIdPrefix" is there at all.
I'm stumped as for doing it the "ParentIdPrefix" way, and do not understand why this device does not have a value for this :cry:
If I can get the serial number from the MountedDevices entry for this device (if it is even in there; as I mentioned, I know the HDD signature is but I don't know if this is the same as the serial), then maybe I could still show that this device WAS assigned this drive letter.
Thanks again, i really appreciate any more input.
> I've been reading small parts of Harlan's book (which, from what I've read, was worth every penny) and as a test I'm trying to match an external HDD connected to a machine to a specific drive letter.
> I know the external HDD was mounted under drive letter "F", and I know that in the USBStor key the HardwareID value for the related drive reads
> "USBSTOR\DiskST3320620A"
> The serial number on the sticker of the HDD is "ST3320620A"; so far so good.
> However, obtaining the serial number from the MountedDevices key is proving a little trickier. The related entry in this key reads
I think part of the problem here may be a mixing of terminology. Your subject line suggests that you're looking for a drive signature, which you get from the MountedDevices key easily, as you've pointed out. However, the body of your post (above) says that you're looking for the serial number, which is something different.
> I understand that the signature for the drive is represented by the first DWORD - "8C 73 F4 D0" and that a drive's signature is located at offset 0x1b8 (or 440 in decimal).
> Assuming that I do not have access to the external HDD, how would I obtain the signature so that it literally reads "ST3320620A" from this, thus proving that the external was assigned the drive letter F? Is the drive signature even the same thing as the serial?
> I really want a way to link these…
First off, the "ST3320620A" is really more of a model number. To get the serial number of the external HDD from the Registry of the system you're examining, check out pg 156, figure 4.13.
HTH,
H
> Thanks again, I really appreciate any more input.
Ok, I see your point, and of course USB HDDs are different to thumb drives anyhoo, so what I gave you is of limited use …
I've not got an external USB drive to test any of this with, but reading through some notes that I have on it, the disk signature that you are looking to match in that data "8C 73 F4 D0" is contained on the disk itself at offset 440d of physical sector 0 of the drive.
A few pointers to bear in mind though:
The signature in the registry is BIG ENDIAN and on the disk is LITTLE ENDIAN.
And …
If the signature starts with leading 00h it gets truncated.
e.g. signature on disk is ABh CDh DEh 00h it will read DEh CDh ABh in the registry, losing the 00h …
…
It also seems that this data will show in the setupapi.log, if you have that available: in the "Device install of" line towards the end of the correct section you will find a string that contains "&SIGNATURE..<data>..OFFSET..<data>..LENGTH..<data>".
The "SIGNATURE" here will match your drive signature, the "OFFSET" is the offset to the volume boot record and the "LENGTH" is the number of bytes in the partition (leading zeros truncated again …)
…
I hope this is more useful than my first post! :-P
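An added example (mine, not from this thread) that ties together the three places the signature turns up: the four raw bytes at 0x1B8 of sector 0, the first four bytes of the MountedDevices value, and the hex number inside the STORAGE\Volume instance ID that setupapi.log records. The sector and the log line are constructed from the F: value quoted earlier; the exact layout of the instance ID (Signature, Offset and Length as hex numbers with leading zeros dropped) is modelled on the description in this post and is an assumption here. On the byte-order point: the registry value and the disk hold the same four bytes in the same order, and what changes is only whether a tool dumps them as bytes (8C 73 F4 D0) or prints them as a DWORD (D0F4738C), which is also where a leading 00 byte disappears.

```python
import re
import struct
from typing import Optional, Tuple

MBR_SIGNATURE_OFFSET = 0x1B8   # 440: 4-byte disk signature, just before the 0x1BE partition table

# Constructed inputs derived from the value "8C 73 F4 D0 00 10 EC 03 00 00 00 00".
MOUNTED_DEVICES_F = bytes.fromhex("8C73F4D00010EC0300000000")
# Hypothetical setupapi.log line in the shape described in the post; the
# instance-path layout (hex numbers, leading zeros dropped) is assumed.
SAMPLE_SETUPAPI_LINE = (
    '#I121 Device install of "STORAGE\\VOLUME\\1&30A96598&0&'
    'SIGNATURED0F4738COFFSET3EC1000LENGTH4A817C800" finished successfully.'
)


def build_sample_mbr(raw_signature: bytes) -> bytes:
    """Constructed sector 0: only the signature field and the 0x55AA marker are set."""
    mbr = bytearray(512)
    mbr[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4] = raw_signature
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def signature_from_mbr(sector0: bytes) -> int:
    """Disk signature from sector 0 as a DWORD (little-endian, as Windows reads it)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    return struct.unpack_from("<I", sector0, MBR_SIGNATURE_OFFSET)[0]


def signature_from_mounted_devices(value: bytes) -> Tuple[int, int]:
    """(disk signature, partition byte offset) from a 12-byte MountedDevices value."""
    if len(value) != 12:
        raise ValueError("not an MBR-style MountedDevices value")
    return struct.unpack("<IQ", value)


def volume_instance_id(signature: int, offset: int, length: int) -> str:
    """Signature/Offset/Length part of a STORAGE\\Volume instance ID (assumed layout).

    Printing with %X is what turns the bytes 8C 73 F4 D0 into D0F4738C and drops
    a leading 00 byte entirely: the 'big endian, truncated' effect seen in the log.
    """
    return f"Signature{signature:X}Offset{offset:X}Length{length:X}"


_VOLUME_ID = re.compile(
    r"Signature([0-9A-F]+)Offset([0-9A-F]+)Length([0-9A-F]+)", re.IGNORECASE
)


def parse_volume_instance_id(line: str) -> Optional[Tuple[int, int, int]]:
    """(signature, offset, length) from a setupapi.log line, or None if absent."""
    m = _VOLUME_ID.search(line)
    return tuple(int(g, 16) for g in m.groups()) if m else None


def registry_matches_disk(value: bytes, sector0: bytes) -> bool:
    """True when the MountedDevices signature equals the one written at 0x1B8."""
    return signature_from_mounted_devices(value)[0] == signature_from_mbr(sector0)


def registry_matches_log(value: bytes, line: str) -> bool:
    """True when both signature and partition offset agree with the setupapi.log entry."""
    parsed = parse_volume_instance_id(line)
    if parsed is None:
        return False
    sig, offset = signature_from_mounted_devices(value)
    return (sig, offset) == parsed[:2]


if __name__ == "__main__":
    mbr = build_sample_mbr(MOUNTED_DEVICES_F[:4])
    print(f"disk 0x1B8 bytes : {mbr[0x1B8:0x1BC].hex(' ').upper()}")
    print(f"as DWORD         : {signature_from_mbr(mbr):08X}")
    print("registry == disk :", registry_matches_disk(MOUNTED_DEVICES_F, mbr))
    print("registry == log  :", registry_matches_log(MOUNTED_DEVICES_F, SAMPLE_SETUPAPI_LINE))
    print("leading zero case:", volume_instance_id(0x00ABCDEF, 0x7E00, 0x100000))
```

Matching on the partition offset as well as the signature is worth the extra line: two partitions on the same disk share a signature, and the offset is what separates the F: volume from any other volume on that disk in both the registry and the log.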
Azreal,
> …reading through some notes that I have on it, the disk signature that you
> are looking to match in that data "8C 73 F4 D0" is contained on the disk
> itself at offset 440d of physical sector 0 of the drive.
Just an FYI, my friend…the OP stated in his first/original post
"…I understand that the signature for the drive is represented by the first DWORD - "8C 73 F4 D0" and that a drives signature is located at offset 0x1b8 (or 440 in decimal)."
Unfortunately, there seems to be quite a bit of confusion here, b/c the OP seems to be asking for two different things, using terminology interchangeably when it isn't. Oddly enough, the OP has already located the device's serial number, per
"…i highlight a key under this name "2EB8" which has values for…"
😉
Good point … I got confused and went off on a little bit of a tangent there?
So as far as I can see Add0 has:
The drive signature 8C 73 F4 D0
The drive serial 2EB8
A MountedDevices entry for F for that drive signature.
We are never going to get anything from MountedDevices that matches "ST3320620A" because this is the model reference, not anything else. But this does show up under the USBStor entries, because … well, because it does. And it should also be in the setupapi.log, if it is available.
Is there a way to link the serial to the signature ? For example perhaps in the setupapi.log ?
(Oh, and a small aside: it's ae not ea in Azrael :-P)
> We are never going to get anything from MountedDevices that matches "ST3320620A" because this is the model reference, not anything else.
As I said yesterday
"…First off, the "ST3320620A" is really more of a model number…"
> Is there a way to link the serial to the signature? For example perhaps in the setupapi.log?
Yes, there is…and like everything else, we've already covered it a couple of times in this thread. 😉
> As I said yesterday
> "…First off, the "ST3320620A" is really more of a model number…"
S'ok, I was summarising :-)
> Yes, there is…and like everything else, we've already covered it a couple of times in this thread. 😉
I assume that you mean in the forums, as I don't really see any relationships linked in this thread …
I've been back through a few of the other postings, and I can't find a clear mention of it, although in one of them http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1222 you develop a tool that seems to show both in the output. This is running against the drive while it is connected though, and doesn't help in the case of our OP, who doesn't have the drive? Could you point me to the right thread please?
It's not really all that great a leap…just go back through *this* thread and think about what is here.
Tell you what…I'll see if I can find my spoon, and maybe I'll post something on my blog later…
H