H,
Ok, if it is here - give me a bit more time and I'll see if I can crack it ?
Kind Regards.
Az
H,
We don't have the drive itself, as stated in the first post, so mapping the actual drive signature from it is impossible.
This leaves us with a \DosDevices\F that references a drive signature (8C73F4D0) that we have to map to the USBStor section in some way. Expanding the keys under this gives us the drive serial (2EB8), but no other information about the drive signature.
There is no ParentIDPrefix in either USBStor or MountedDevices, so this is a no go route.
This leaves us only with the setupapi.log file. Now from this, I know that we can get the signature (8C73F4D0) again, as it is in the "Device install of" line that I mentioned above. So from the setupapi.log, I know that a device of a given type (ST3320620A) has been installed, with this signature. And if I look in the USBStor, I can match the type to the drive serial (2EB8).
Ok, so that links the two, but what if there are two USB HDDs of the same model ? Each of them will have the same type but different signatures, and different serials. In this case I would know that one of them had been mounted as F, but I don't think that I would be able to definitively say which one from the USBStor entries corrolated with the setupapi.log.
Or am I still missing the true link ? I know that it refers to thumb drives, but in your blog you said the following
"But if you do not have the thumb drive, is the volume serial number useful? It doesn't appear to be so, as the volume serial number does not seem to be stored in any location (key or value) within the Registry that I can locate at this time."
and also
"I even checked the disk_install and volume_install entries within the setupapi.log file, and found no specific reference to the volume serial number at all."
Is this true of USB drives as well ?
Thanks - I do really appriciate your time.
Az