Hello guys,
I have a little bit of confusion in my mind.
I have a link file that reports the Volume Serial Number of an external drive (E:, removable). I am trying to gather as much information as possible about what kind of device it was (brand, model, etc.).
I have read a lot of material regarding how to associate USBSTORE with a mounted device, but it's not clear how I can prove the connection between a link file and a removable drive if every time the user plugs in a removable device the system assigns the letter E….
Is the Volume Serial Number stored somewhere in the registry?
BTW I don't have the external drive, so I cannot check the Volume Serial Number.
Thanks for the info
I have a link file that reports the Volume Serial Number of an external drive (E:, removable). I am trying to gather as much information as possible about what kind of device it was (brand, model, etc.).
I am not sure I understand what you mean by "link file", nor how you determined that its contents refer to a Volume Serial Number.
Also which OS?
In NT-based systems drive letters are not assigned through the Volume Serial Number, but rather through disk signatures and partition offsets for partitioned devices (i.e. those that have an MBR), but if the device is removable, then things are different and the volume GUID is used.
What exactly did you use to check the Registry (and the SETUPAPI.LOG) for connected USB devices?
What did you find in there?
Windows by default assigns the first free drive letter to a newly inserted volume, so, yes, it is possible that if different devices are connected one by one to the same system they all get drive letter (say) E, but the related keys in the Registry under USBSTOR should still hold some info on the device, namely its (controller) serial, not the volume one.
jaclaz
I mean a LNK file
OS is XP
Setupapi.log is missing (Unusual)
The problem is that E is the first letter available (C is the OS, D is the CDROM), so I am sure every time an external drive is connected to the system it gets assigned E.
So the situation is:
I have 20 LNK files referring to E\path\name-doc with ABCD-EF12 as Volume Serial
I have 5 LNK files referring to E\another-path\name-doc with 5678-9XXX as Volume Serial
I have 1 LNK file referring to E\another-path\sensitive-doc with XYZV-1234 as Volume Serial
Is there a way to tell which device held the last file?
Is there a way to tell which device held the last file?
No, but maybe by building a timeline that cross-references the .lnk file created/modified/accessed times (and internal timestamps) with the data in the USBSTOR-related keys in the Registry you may infer something, see
http://www.forensicfocus.com/link-file-evidentiary-value
and/or possibly you could add to this the info you can gather from shellbags.
jaclaz
I have a link file that reports the Volume Serial Number of an external drive (E:, removable). I am trying to gather as much information as possible about what kind of device it was (brand, model, etc.).
I have read a lot of material regarding how to associate USBSTORE[sic] with a mounted device, but it's not clear how I can prove the connection between a link file and a removable drive if every time the user plugs in a removable device the system assigns the letter E….
Is the Volume Serial Number stored somewhere in the registry?
On XP, no. On Win7, you can extract the VSN from key names found beneath the EMDMgmt key, found in the Software hive.
What you can do, however, is create a timeline of system activity that incorporates:
- file system metadata, particularly that of the LNK file in question
- Registry key LastWrite times (System hive in particular, although adding the Software hive may prove useful; you'll also need to incorporate the NTUSER.DAT from the user profile in question)
- Event Logs
Once you get this timeline set up, you shouldn't have any trouble nailing down the specifics about the device (make, model, S/N) that you're looking for.
HTH. Let me know if there's anything I can do to assist. Most of the tools you'll need, and the process, are covered in the timeline analysis chapter of "Windows Forensic Analysis Toolkit 3/e".
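Both answers above rest on the fact that a LNK file carries the target volume's serial number, drive type and label in its LinkInfo/VolumeID structure (MS-SHLLINK). The following is an added example, not code from this thread or from any of the posters: it parses those fields from .lnk bytes and groups shortcuts by volume serial, which is how the OP's three sets of E: shortcuts (20, 5 and 1 files) separate into three distinct volumes despite sharing a drive letter. The sample shortcuts are constructed in the script; only ABCD-EF12 is a serial from the thread, the other two are made up.

```python
import struct
from collections import defaultdict
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02           # ShellLinkHeader.LinkFlags bits
def _cstr(buf, off):  # NUL-terminated ANSI string starting at off
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", "replace")
def parse_lnk_volume(data):
    """Drive type, volume serial, label and local base path of a .lnk (None: no VolumeID, e.g. network target)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if not flags & HAS_LINK_INFO:
        return None
    li = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # skip the IDList (2-byte size prefix)
        li += 2 + struct.unpack_from("<H", data, li)[0]
    _, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
    if not li_flags & 0x1:                     # VolumeIDAndLocalBasePath flag clear
        return None
    vid = li + vol_off                         # LinkInfo offsets are relative to its own start
    _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
    if label_off == 0x14:                      # Unicode label: the real offset sits in the next field
        uoff = struct.unpack_from("<I", data, vid + 0x10)[0]
        label = data[vid + uoff:].decode("utf-16-le", "replace").split("\x00", 1)[0]
    else:
        label = _cstr(data, vid + label_off)
    return {"drive_type": {2: "REMOVABLE", 3: "FIXED", 4: "REMOTE", 5: "CDROM"}.get(drive_type, drive_type),
            "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",   # shown as in the thread
            "volume_label": label, "local_base_path": _cstr(data, li + base_off)}

def group_by_volume(named_lnks):
    """Volume serial -> [(lnk name, target path)]: same E: letter but a different serial is a different volume."""
    groups = defaultdict(list)
    for name, info in ((n, parse_lnk_volume(d)) for n, d in named_lnks):
        if info:
            groups[info["volume_serial"]].append((name, info["local_base_path"]))
    return dict(groups)

def make_lnk(serial, label, path, drive_type=2):
    """Minimal Shell Link (header + LinkInfo only); used here only to construct sample input."""
    label_b, path_b = label.encode("cp1252") + b"\x00", path.encode("cp1252") + b"\x00"
    vol_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 0x10) + label_b
    body = vol_id + path_b + b"\x00"           # trailing NUL = empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 0x1C + len(body), 0x1C, 0x1, 0x1C, 0x1C + len(vol_id),
                            0, 0x1C + len(vol_id) + len(path_b)) + body
    return struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO) + b"\x00" * 52 + link_info
SAMPLES = [  # constructed shortcuts mirroring the thread: ABCD-EF12 is the OP's serial, the others are made up
    ("doc1.lnk", make_lnk(0xABCDEF12, "DATA", r"E:\path\name-doc")),
    ("doc2.lnk", make_lnk(0x56789ABC, "DATA", r"E:\another-path\name-doc")),
    ("sens.lnk", make_lnk(0x1234ABCD, "DATA", r"E:\another-path\sensitive-doc"))]
```

Run `group_by_volume` over real shortcuts read with `open(path, "rb").read()` and the serial keys give you one bucket per physical volume; matching a bucket to a make/model still needs the USBSTOR and timeline work described above, since XP does not record the VSN itself.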
Hi Guys,
I have an issue where the volume names are the same but the volume serial numbers differ between the different LNK files.
Anyone encountered this before?
Thanks!
Hi Guys,
I have an issue where the volume names are the same but the volume serial numbers differ between the different LNK files.
Anyone encountered this before?
Thanks!
Define "volume name".
Do you mean "volume label"?
Or "drive letter/path"?
Or "something else"?
Which OS?
If you mean same drive letter but volume serial number different, it is EXACTLY what the OP is about.
In what way is your issue different?
jaclaz
Hi,
I meant Volume Label.
The Volume Letter and Volume Label are consistent.
But the Volume Serial Number changes between the LNK files.
Hi,
I meant Volume Label.
The Volume Letter and Volume Label are consistent.
But the Volume Serial Number changes between the LNK files.
Yep, but that is common enough in "normal" IT. I mean, only as an example, you have two external hard disks that you use alternately for backup purposes, and you label both of them "Backup" or "Data".
The Volume Label is easily user-modifiable.
The Volume Serial is hardly so, as it is automatically generated at format time; unless the user has "advanced" knowledge and manually changes it, or the disk or volume is a cloned one, you won't easily find two volumes with the same serial.
The drive letter is normally assigned automatically by the OS, and it usually corresponds to the first free drive letter; as said, on a normal computer with C and D already assigned, the first external disk/volume will always or nearly always be E.
So I wouldn't be particularly surprised to find a number of different disks or sticks (with different volume serials) with the same (possibly "generic", like the mentioned "Data", "Backup" or "Storage", "Games", etc.) volume label.
Of course if the labels you found are *like* "Vol_12345" or "My_nice_#2" (i.e. pseudo-unique) it would be slightly more queer, but, still, another scenario would be that the first device (with the pseudo-unique label) has been lost and the user created a new one with the same label, and never used/updated the shortcuts to the "old" device.
jaclaz
This helps. Thanks for the comprehensive explanation!