Not sure if this question has been answered or not yet, so bear with me.
The current case I am working on, we have a suspect's computer running XP. The computer has System Restore turned on. During the most recent restore point, the "drivetable.txt" file lists an "F" drive.
F\/\\?\Volume{abcdefgh-ijkl-mnop-qrst-uvwxyz123456}\ 29 0 18310 WD Passport
Obviously the make and model of the drive are there (WD Passport), but how would I go about determining the serial number? Is this something that is stored in the registry? Is the serial number part of that volume identifier?
I changed the actual numbers there just in case it actually had the serial number in it.
Any help would be greatly appreciated.
Quite a bit of information about attached USB devices is stored in the Registry key HKLM\System\CurrentControlSet\Enum\USBStor.
There are a number of posts on the forum regarding this key. Search the forum for USBStor.
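As an added example (not code from this thread or from any of the posters), the following Python script shows how the three artifacts mentioned above fit together: the drivetable.txt line gives a volume GUID, the MountedDevices key maps that GUID to a USBSTOR device instance string, and the USBSTOR instance ID carries the vendor, product, revision and the serial Windows recorded. The drivetable.txt line is the one from the question (with its altered GUID); the MountedDevices values and the USBSTOR paths are constructed sample data, and `WXH1234567` and `7&1a2b3c4d` are made-up serials. The script also flags the case where the second character of the instance ID is `&`, which means Windows generated the ID because the device did not report a serial of its own, so that value does not uniquely identify the physical device.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Union


@dataclass
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    windows_generated_serial: bool  # True when the device reported no serial


@dataclass
class FixedDiskVolume:
    disk_signature: int    # 4-byte MBR disk signature
    partition_offset: int  # byte offset of the partition on that disk


VOLUME_GUID_RE = re.compile(r"Volume\{([0-9A-Za-z-]+)\}")
# USBSTOR disk path in registry form (backslash-separated) or MountedDevices form (#-separated)
USBSTOR_RE = re.compile(
    r"Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\#]*)[\\#](?P<inst>[^\\#]+)"
)

# Line quoted in the question (GUID altered by the poster, so it is not valid hex).
DRIVETABLE_LINE = r"F\/\\?\Volume{abcdefgh-ijkl-mnop-qrst-uvwxyz123456}\ 29 0 18310 WD Passport"

# Constructed MountedDevices values. USB volumes are stored as a UTF-16LE string;
# fixed-disk volumes as 12 bytes: disk signature (LE uint32) + partition offset (LE uint64).
_USB_VALUE = (
    "_??_USBSTOR#Disk&Ven_WD&Prod_Passport&Rev_1.00#WXH1234567&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
).encode("utf-16-le")
MOUNTED_DEVICES: Dict[str, bytes] = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 32256),
    r"\DosDevices\F:": _USB_VALUE,
    r"\??\Volume{abcdefgh-ijkl-mnop-qrst-uvwxyz123456}": _USB_VALUE,
}


def parse_drivetable_line(line: str):
    """Return (drive letter, volume GUID, volume label) from a drivetable.txt line."""
    letter = line[0]
    m = VOLUME_GUID_RE.search(line)
    if not m:
        raise ValueError("no volume GUID in line")
    # The label is whatever follows the last numeric column.
    parts = line[m.end():].split()
    label_parts = []
    for p in reversed(parts):
        if p.isdigit():
            break
        label_parts.append(p)
    return letter, m.group(1), " ".join(reversed(label_parts))


def parse_usbstor_instance(path: str) -> UsbStorDevice:
    """Split a USBSTOR disk path into vendor/product/revision/serial."""
    m = USBSTOR_RE.search(path)
    if not m:
        raise ValueError("not a USBSTOR disk path")
    inst = m.group("inst")            # e.g. "WXH1234567&0" or "7&1a2b3c4d&0"
    serial = inst.rsplit("&", 1)[0]   # drop the trailing "&0" interface suffix
    # '&' as the second character marks a Windows-generated instance ID.
    generated = len(serial) > 1 and serial[1] == "&"
    return UsbStorDevice(m.group("ven"), m.group("prod"), m.group("rev"), serial, generated)


def decode_mounted_device(data: bytes) -> Union[str, FixedDiskVolume, None]:
    """Decode one MountedDevices value into a device string or a fixed-disk tuple."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return FixedDiskVolume(signature, offset)
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith(("_??_", "\\??\\")) else None


def resolve_volume(guid: str, mounted: Dict[str, bytes]) -> Optional[UsbStorDevice]:
    """Map a volume GUID to the USBSTOR device it was mounted from, if it was USB."""
    data = mounted.get(f"\\??\\Volume{{{guid}}}")
    if data is None:
        return None
    decoded = decode_mounted_device(data)
    if isinstance(decoded, str) and "USBSTOR#" in decoded:
        return parse_usbstor_instance(decoded)
    return None


if __name__ == "__main__":
    letter, guid, label = parse_drivetable_line(DRIVETABLE_LINE)
    print(f"{letter}: volume {guid} label '{label}'")
    print(resolve_volume(guid, MOUNTED_DEVICES))
    print(parse_usbstor_instance(r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0"))
```

On a real hive the MountedDevices values come from HKLM\SYSTEM\MountedDevices and the instance paths from the USBStor key named above; the volume GUID on its own carries no serial, the link to the serial goes through MountedDevices.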
Matt,
There's a book that covers this exact information…"Windows Forensic Analysis". Chapter 4 is on Registry analysis, and covers USB-connected devices in detail, to the point of telling you the first and last time the device was connected, as well as how to locate the serial number of a USB-connected removable storage device (ie, thumb drives).
With external HDDs, such as what WD is well known for, you can get the drive signature.
Check it out.
Harlan
Thanks,
Totally slipped my mind when I asked the question. I actually already own your book, Harlan. Bought it a month or so ago; been so busy I haven't had time to read it though. Will start immediately.
As far as determining the Serial #, I used
I know this may be a long shot, but is there any way now to try and see what may have been copied off of the target computer onto this ext HDD?
Thanks again,
Matt
> I know this may be a long shot, but is there any way now to try and see
> what may have been copied off of the target computer onto this ext HDD?
I think that if you really think hard, you'll figure that out.
H
Oh, I am thinking alright. But I'm drawing a blank. I would assume the answer is no, as it's something that would make my job ever so much easier.
Obviously I will be able to match the files once we attempt to seize this ext HDD, but if we cannot, I would still like to be able to prove that certain documents were copied out.
I've gone through every log I can think of, but nothing seems to spark as far as possible ideas on how to do it.
I'm planning on reading your book tonight, especially focusing on chapter 4, but if there is a section in it now that describes anything like this, it would be greatly appreciated if you could point it out.
I'm not just looking to steal your answers here. I would rather I found out on my own and practice it, but when time is of the essence, I will take all the help I can get.
Thanks
Matt
Look for .lnk files.
> I would rather I found out on my own and practice it
Okay, but that's the really easy part. Remember, you asked "…is there any way now to try and see what may have been copied off of the target computer". So, try it. Copy some files off a system onto a thumb drive. See any "evidence" created? Shortcut files? How about if you run FileMon at the same time…see anything that looks like a log being created?
And to Alan…
> Look for .lnk files
And what would that accomplish? I've tried drag-and-drop, 'copy' and 'move' commands, etc., and I don't see any LNK files created as the result of copying files from a system to a thumb drive (which is what Matt is asking about).
Thanks,
H
> And what would that accomplish? I've tried drag-and-drop, 'copy' and 'move' commands, etc., and I don't see any LNK files created as the result of copying files from a system to a thumb drive (which is what Matt is asking about).
But it is a place to look for possible evidence. If the user had already copied them off, then opened them from the flash drive directly after the copy or in a subsequent session, a .lnk would be created showing the path to the thumb drive.
> But it is a place to look for possible evidence.
And you can say that about pretty much anything, too, and end up spending a great deal of time…well, wasting it really.
> If the user had already copied them off, then opened them from the flash drive directly
Sure, you'd get the path with the filename, but that isn't what the OP asked; ie, "…is there any way now to try and see what may have been copied off of the target computer…"
H