MountedDevices and Drive Letters

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Anyone - I keep reading that \SYSTEM\MountedDevices is where you find Drive letters. But in the image I've been discussing here there are 35 entries most of which begin \??\Volume. And on my own live system there are 83 such entries before the \DosDevices\A etc start (they're all listed at the bottom). Sorry if it's a dumb question, but is there a way of mapping the \??\ entries to drive letters? I've checked in Windows Forensic Analysis and Google'd it to death, also checked this forum but no joy

XP - SP2 and SP3 BTW


   
Quote
(@piratefrog)
Eminent Member
Joined: 15 years ago
Posts: 20
 

The best guide I've found for basic registry forensics (including mounted devices) is Lih Wern Wong's paper "Forensic Analysis of the Windows Registry" - it's worth a look for a good intro.

In the list under Mounted devices, you should see

\??\Volume{Whatever} with a Data value of x.

You should also have several entries for

\DosDevices\A with a Data value of x.

If you match the two values of x, you can find the corresponding drive letter for the volume. Note this isn't necessarily a 1-1 relationship, since the same device could have been mapped to different drive letters.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

…is there a way of mapping the \??\ entries to drive letters? I've checked in Windows Forensic Analysis and Google'd it to death, also checked this forum but no joy

XP - SP2 and SP3 BTW

Sure…just find the \??\Volume entry that has the same data as your \DosDevices\ entry.


   
ReplyQuote
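The matching that piratefrog and Harlan describe above, as an added Python example (not code from the thread or from either poster): it groups the MountedDevices values by their raw data, so each \??\Volume{...} entry is paired with every \DosDevices\ letter that carries the same data, which also surfaces the cases they mention where one device has had several letters, or a volume has no letter at all. The sample values are constructed and embedded so the script runs offline; on a case you would read them from the SYSTEM hive instead (for example with the python-registry library). The interpretation of 12-byte data as a 4-byte disk signature followed by an 8-byte partition offset, and of longer data as a UTF-16LE device string for removable media, is an assumption the thread does not state.

```python
import struct
from collections import defaultdict

# Constructed sample of MountedDevices values (value name -> raw REG_BINARY data).
# Embedded here so the example runs offline; a real analysis would read them
# from the SYSTEM hive, e.g. with python-registry.
_FIXED_DISK = struct.pack("<IQ", 0x12345678, 32256)     # assumed layout: signature + partition offset
_USB_STICK = ("_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00"
              "#SERIAL0001&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
_ORPHAN = struct.pack("<IQ", 0xABCDEF01, 1048576)

SAMPLE_MOUNTED_DEVICES = {
    "\\??\\Volume{1a2b3c4d-0001-0000-0000-000000000001}": _FIXED_DISK,
    "\\DosDevices\\C:": _FIXED_DISK,
    "\\??\\Volume{1a2b3c4d-0002-0000-0000-000000000002}": _USB_STICK,
    "\\DosDevices\\E:": _USB_STICK,   # the same stick seen under two letters over time
    "\\DosDevices\\F:": _USB_STICK,
    "\\??\\Volume{1a2b3c4d-0003-0000-0000-000000000003}": _ORPHAN,  # volume that never got a letter
}


def describe_data(data: bytes) -> str:
    """Render the raw value data in a human-readable form.

    Assumption: 12-byte data is a little-endian DWORD disk signature followed by
    an 8-byte partition byte offset; anything else is tried as a UTF-16LE string
    (removable/USB device paths), falling back to hex.
    """
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return f"disk signature 0x{signature:08X}, partition offset {offset}"
    try:
        return data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return data.hex()


def map_volumes_to_letters(mounted: dict) -> dict:
    """Return {volume GUID name: sorted list of drive letters sharing its data}.

    Entries are grouped by their raw data, which is the key the thread describes:
    a \\??\\Volume{...} value and a \\DosDevices\\X: value with identical data refer
    to the same device. A volume may map to zero, one or several letters.
    """
    by_data = defaultdict(lambda: {"volumes": [], "letters": []})
    for name, data in mounted.items():
        if name.startswith("\\??\\Volume{"):
            by_data[data]["volumes"].append(name)
        elif name.startswith("\\DosDevices\\"):
            by_data[data]["letters"].append(name[len("\\DosDevices\\"):])

    result = {}
    for entry in by_data.values():
        for volume in entry["volumes"]:
            result[volume] = sorted(entry["letters"])
    return result


def report(mounted: dict) -> list:
    """One line per volume: GUID name, its letters (or 'no letter'), decoded data."""
    lines = []
    mapping = map_volumes_to_letters(mounted)
    for volume, letters in mapping.items():
        shown = ", ".join(letters) if letters else "no letter"
        lines.append(f"{volume} -> {shown} [{describe_data(mounted[volume])}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MOUNTED_DEVICES):
        print(line)
```

Matching on the raw bytes rather than on a decoded string keeps the join exact for both fixed-disk and USB entries; the decoding is only for display. Letters whose data matches no \??\Volume entry (for example a letter once assigned to a device whose volume value has since been deleted) are simply absent from the output, so a separate pass over the \DosDevices\ names is worth adding if those matter to the case.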
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Piratefrog, Harlan - thanks! Doubtless this is in WFA Harlan but I musta missed it somehow

D


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Cults,

Sorry, but I can't put everything in the book. I have to be honest, I had never heard that question before, and would not have thought to include it by the time the manuscript went to the publisher for printing.


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

No problem, thanks again


   
ReplyQuote
Share: