Identifying Hard Drive Enclosures in Win7

(@cults14)
Posts: 367
Reputable Member
Topic starter
 

Feels like a dumb question - but is there a quick way to identify USB Drive enclosures from thumb drives in Win7?

To expand, I was looking at a system where I knew that I had connected a Buffalo USB HDD to a system and that it was the last device connected, but it didn't appear in \SYSTEM\CurrentControlSet\Enum\USBSTOR as a Buffalo device. In fact, it appeared as an unbranded device (also in setupapi.dev.log). It does appear on my system as a Buffalo device.

If this had been a system or image that I had no prior knowledge of, I wondered how I might find out quickly if - and how many - USB HDDs had been connected to a system. I THINK I've worked out that in setupapi.dev.log the final part of a USB HDD install will include the text
"[Device Install (Hardware initiated) - STORAGE\Volume\{"

And it's possible to work from there - 'ish!!

Anyone with any thoughts?

All systems are Win7 Enterprise SP1

Cheers

 
Posted : 09/09/2013 8:43 pm
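The setupapi.dev.log heuristic from the post above, as an added example (not code from the thread): it lists every `STORAGE\Volume\{` install section and pairs it with the closest preceding USBSTOR disk install. It assumes the usual `>>>  [Device Install ...]` / `>>>  Section start` section layout; the sample log, all device IDs and the 30-second pairing window are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in setupapi.dev.log section layout; every ID is a placeholder.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_HDD&Rev_1.00\SERIAL0001&0]
>>>  Section start 2013/09/09 19:58:02.300
<<<  Section end 2013/09/09 19:58:03.000
>>>  [Device Install (Hardware initiated) - STORAGE\Volume\{00000000-0000-0000-0000-000000000001}#0000000000100000]
>>>  Section start 2013/09/09 19:58:03.500
<<<  Section end 2013/09/09 19:58:04.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00\SERIAL0002&0]
>>>  Section start 2013/09/09 20:10:00.000
<<<  Section end 2013/09/09 20:10:01.000
>>>  [Device Install (Hardware initiated) - STORAGE\Volume\_??_USBSTOR#Disk&Ven_Example&Prod_Stick&Rev_1.00#SERIAL0002&0]
>>>  Section start 2013/09/09 20:10:01.500
<<<  Section end 2013/09/09 20:10:02.000
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\S+ \S+)")
VOLUME_PREFIX = "STORAGE\\Volume\\{"  # marker text quoted in the post

def parse_sections(text):
    """Return [(device_id, start_time)] for each hardware-initiated install."""
    sections, pending = [], None
    for line in text.splitlines():
        head, start = HEADER.match(line), START.match(line)
        if head:
            pending = head.group(1)
        elif start and pending:
            ts = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            sections.append((pending, ts))
            pending = None
    return sections

def volume_candidates(sections, window=timedelta(seconds=30)):
    """Pair each STORAGE\\Volume\\{ install with the last USBSTOR disk install
    seen within `window` before it (the window is an assumed heuristic)."""
    out, last_disk = [], None
    for dev, ts in sections:
        if dev.upper().startswith("USBSTOR\\DISK"):
            last_disk = (dev, ts)
        elif dev.startswith(VOLUME_PREFIX):
            disk = last_disk[0] if last_disk and ts - last_disk[1] <= window else None
            out.append((ts, dev, disk))
    return out
```

Call `volume_candidates(parse_sections(text))` on the decoded log text; a result whose disk is `None` means no USBSTOR install was logged shortly before that volume and needs manual review.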
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Feels like a dumb question - but is there a quick way to identify USB Drive enclosures from thumb drives in Win7?

I am not sure I understand the question.

For all Windows knows there is no "real" difference between a USB stick or a USB Hard disk.

What Windows sees is a USB Mass Storage controller, which may - for all Windows knows - have on the other "side" any of

  • a flash chip
  • a hard disk
  • a SSD
  • a CF card or SD card
  • etc.

Actually controllers used in hard disk (or SSD) enclosures will have been set in factory as "Fixed" whilst those used in USB sticks or Card bridges are normally set to "Removable", but this can be usually "flipped" using the appropriate (Manufacturer's) tool.

The "description" of the device may be of use, such as (simplified output on my system)

(1) — Generic USB CF Reader USB Device
(2) — Generic USB MS Reader USB Device
(3) — Generic USB SD Reader USB Device
(4) — Generic USB SM Reader USB Device
(5) — Jaclaz USB Flash Disk USB Device
(6) — SAMSUNG HD320KJ USB Device

But just like I modified the "Jaclaz USB Flash Disk USB Device" using the appropriate tool, it is possible to write to it *something* else.

You can use the Vid/Pid of the devices, but they are often "aleatory" or however not useful, as they can be as well "forged"/"faked" or however changed by the Manufacturer, or the "brand" or even - through the same Manufacturer's tool - by a final user.
As a side note, and JFYI
http://reboot.pro/topic/1659-usb-vendor-ids-how-to-find-manufacturer/

There are a couple nice tools to quickly view the history of USB connected devices
http://www.nirsoft.net/utils/usb_devices_view.html
http://sourceforge.net/projects/usbhistory/
http://rohit-nair.blogspot.it/2008/09/usb-history-gui.html

See also
http://www.forensicfocus.com/Forums/viewtopic/t=10186/

jaclaz

 
Posted : 09/09/2013 9:07 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

When you are talking hard drive enclosures, wouldn't Windows simply detect the hard drive contained within (Seagate, WD etc) and not so much identify the company that badged up the enclosure itself (WD, Buffalo etc)?

 
Posted : 10/09/2013 6:13 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

When you are talking hard drive enclosures, wouldn't Windows simply detect the hard drive contained within (Seagate, WD etc) and not so much identify the company that badged up the enclosure itself (WD, Buffalo etc)?

AFAIK not necessarily, it depends on the specific controller and how the controller has been specifically setup.
If you have a "generic" USB hard disk enclosure, it will surely have the hard disk name "pass through", for the "big brands" not always so.

jaclaz

 
Posted : 10/09/2013 2:08 pm