Anyone - I keep reading that \SYSTEM\MountedDevices is where you find drive letters. But in the image I've been discussing here there are 35 entries, most of which begin \??\Volume. And on my own live system there are 83 such entries before the \DosDevices\A etc. start (they're all listed at the bottom). Sorry if it's a dumb question, but is there a way of mapping the \??\ entries to drive letters? I've checked in Windows Forensic Analysis and Googled it to death, also checked this forum, but no joy.
XP - SP2 and SP3 BTW
The best guide I've found for basic registry forensics (including mounted devices) is Lih Wern Wong's paper "Forensic Analysis of the Windows Registry" - it's worth a look for a good intro.
In the list under Mounted devices, you should see
\??\Volume{Whatever} with a Data value of x.
You should also have several entries for
\DosDevices\A with a Data value of x.
If you match the two values of x, you can find the corresponding drive letter for the volume. Note this isn't necessarily a 1-to-1 relationship, since the same device could have been mapped to different drive letters.
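A small script that does the matching described above, added here as an example; it is not part of the thread, of WFA, or of the Wong paper. It takes a Python dict of MountedDevices value name to REG_BINARY data (the SAMPLE_MOUNTED_DEVICES table below is constructed for the example: the volume GUIDs, disk signature, partition offsets and USB serial are made up) and groups entries by identical data, so a volume that was mapped to more than one letter shows every letter and a volume that never got a letter shows none. The decoding of the data itself (a 12-byte value on a basic disk is the MBR disk signature followed by the partition's byte offset; removable devices carry a UTF-16LE device path; dynamic-disk volumes start with "DMIO:ID:") goes beyond what the posts above say. The load_live_mounted_devices() helper reads the same key from a running Windows box via the standard winreg module and is only there to feed real data into the same function.

```python
import re
import struct

# Value names as they appear under HKLM\SYSTEM\MountedDevices.
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}$")
DOSDEV_RE = re.compile(r"^\\DosDevices\\([A-Za-z]):$")


def describe_value(data: bytes) -> str:
    """Turn the REG_BINARY data of one entry into something readable."""
    if len(data) == 12:
        # Basic (MBR) disk: DWORD disk signature + QWORD byte offset of the partition.
        signature, offset = struct.unpack("<IQ", data)
        return (f"basic disk: MBR signature 0x{signature:08X}, "
                f"partition offset 0x{offset:X} ({offset} bytes)")
    if data.startswith(b"DMIO:ID:"):
        # Dynamic disk volume: ASCII tag followed by a 16-byte volume GUID.
        return "dynamic disk volume: " + data[8:].hex()
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return "unknown: " + data.hex()
    if text.startswith(("\\??\\", "_??_")):
        # Device-interface path, e.g. USB mass storage or other removable media.
        return text
    return "unknown: " + data.hex()


def map_mounted_devices(values: dict[str, bytes]) -> dict[str, dict]:
    """Map each \\??\\Volume{...} entry to the drive letters whose data is identical."""
    by_data: dict[bytes, dict[str, list[str]]] = {}
    for name, data in values.items():
        entry = by_data.setdefault(data, {"volumes": [], "letters": []})
        if VOLUME_RE.match(name):
            entry["volumes"].append(name)
        else:
            m = DOSDEV_RE.match(name)
            if m:
                entry["letters"].append(m.group(1).upper())
    result = {}
    for data, entry in by_data.items():
        for volume in entry["volumes"]:
            result[volume] = {
                "letters": sorted(entry["letters"]),   # [] if never given a letter
                "device": describe_value(data),
            }
    return result


def load_live_mounted_devices() -> dict[str, bytes]:
    r"""Read HKLM\SYSTEM\MountedDevices on a live Windows host (winreg is Windows-only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample standing in for an exported MountedDevices key (all identifiers made up).
USB_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#0000000000001&0#"
            "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    # System partition: sector 63 of the disk with signature 0x1A2B3C4D, lettered C:
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": struct.pack("<IQ", 0x1A2B3C4D, 0x7E00),
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x7E00),
    # Second partition on the same disk that was never assigned a letter.
    r"\??\Volume{66666666-7777-8888-9999-000000000000}": struct.pack("<IQ", 0x1A2B3C4D, 0x200000000),
    # One USB stick that has been mounted as both E: and F: over time (not 1-to-1).
    r"\??\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": USB_PATH.encode("utf-16-le"),
    r"\DosDevices\E:": USB_PATH.encode("utf-16-le"),
    r"\DosDevices\F:": USB_PATH.encode("utf-16-le"),
}


if __name__ == "__main__":
    for volume, info in map_mounted_devices(SAMPLE_MOUNTED_DEVICES).items():
        letters = ", ".join(info["letters"]) or "(no drive letter)"
        print(f"{volume}\n    -> {letters}\n    {info['device']}")
```

On an image you would feed the function whatever your hive parser gives you for the key (name to raw data); the matching is purely on byte equality, which is exactly what piratefrog describes. A \DosDevices\X: entry whose data matches no \??\Volume entry (a floppy or CD-ROM device path, for instance) simply does not appear in the result.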
…is there a way of mapping the \??\ entries to drive letters? I've checked in Windows Forensic Analysis and Google'd it to death, also checked this forum but no joy
XP - SP2 and SP3 BTW
Sure…just find the \??\Volume entry that has the same data as your \DosDevices\ entry.
Piratefrog, Harlan - thanks! Doubtless this is in WFA, Harlan, but I must have missed it somehow.
D
Cults,
Sorry, but I can't put everything in the book. I have to be honest, I had never heard that question before, and would not have thought to include it by the time the manuscript went to the publisher for printing.
No problem, thanks again