Got an E01 image of a laptop internal HDD, XP SP3. Got no other media. Need to try to identify drives accessed leading up to employee departure, using registry and RecentDocs and NetAnalysis (file access).
Getting on fine but one device has me stumped, RegRipper output for USBStor is
Disk&Ven_USB&Prod_Flash_Disk&Rev_1100 [Fri Sep 10 03:16:26 2010]
S/N FB09062600018556&0 [Fri Sep 10 03:16:31 2010]
FriendlyName: USB Flash Disk USB Device
No parentidprefix = no drive letter = no GUID = no last connect time right? Have double-checked in Registry Viewer (sorry Harlan) and it's def not there.
VID/PID is Vid_090c&Pid_1000, allegedly a Feiya Technology Corp. Flash Drive (http://www.linux-usb.org/usb.ids).
Have searched here, M$ support and Google for Feiya and the VID/PID but nothing substantial or nothing at all. And discussion here on lack of ParentIdPrefix seems to be centred on external HDDs.
Feel I'm missing a trick somewhere - have even searched through the RegRipper output for exact date/time matches (straws, clutching etc) but nothing exact. Close (7 seconds out in MountPoints2) but if I follow that GUID back the way I get nonsensical date/time data IF it were the same device.
Anyone help?
Thanks
What about link files, do they provide any help?
I'm in the process of writing an open source link file parser. If you want to pm me, I'll provide you with an email address and you can send me all the link files on the system. I'll return a CSV file and a text file with ALL (and I mean ALL) the data that the link files contain.
If you don't fancy that, then there are a number of tools that will do the trick. I would recommend
Paul
Paul, thanks for that but I already got LinkAlyzer and Harlan's lslnk tool. That's how I know that files were accessed on a couple of external devices.
I've got one of them sorted out but this one's got me stuck. FYI, there are two devices referenced by Linkalyzer and lslnk, one of them is only referenced once and it's the one I'm stuck on.
The folder it refers to is "D:\Marketing Plan", which is not the kind of stuff we want residing on the thumb drive of a guy who's gone to the competition. We could write to the guy right now telling him he has to cease & desist with any of our confidential information, but experience thus far is that it packs a bigger punch if we can quote a specific device. Most folks don't know we can pin it down that far.
Cheers
VID/PID is Vid_090c&Pid_1000, allegedly a Feiya Technology Corp. Flash Drive (http://www.linux-usb.org/usb.ids),
NO.
The list of IDs on that page is often wrong, deceiving or both.
As an "only" reference it is worthless.
090c/1000 is the "generic" VID/PID of SMI-based devices.
It could be almost *anything* (and the opposite of it 😯 ) .
Go here
http//
and search for 090c/1000 and you'll see what I mean.
The site is in Russian, but you can get the needed info all right.
jaclaz
Jaclaz - thanks, useful information. Babelfish to the rescue for some parts of that site.
But I still have the challenge of trying to identify this device without a ParentIdPrefix…
Or am I still missing something?
Regards
Or am I still missing something?
Tough to say, sometimes you cannot find data simply because it isn't there.
You can try checking for the SETUPAPI.LOG, double check
http//
and try
http//
jaclaz
I did a quick Google search and I think I may have found something that may address this issue…apparently, several folks are indicating that on some Linux systems, some Feiya flash drives are recognized as digital audio players or as a music player.
I'd recommend taking a look at the setupapi.log file and seeing how the device is reported there. Perhaps the reason that the device doesn't have a ParentIdPrefix value is that it wasn't recognized as a device that required one.
Did the device show up under the DeviceClasses subkeys for Disks and/or Volumes?
Thanks Harlan, will have to get back to you on this on Thursday - damn time differences!
Regards
Don't worry about having to get back to me…it was just a suggestion for you.
OK, from setupapi.log, this appears under the first date/time entry for the device
#I320 Class GUID of device remains {36FC9E60-C465-11CF-8056-444553540000}
Meaning Class = USB, right?
8 seconds later is another date/time entry for the device with the following
#I320 Class GUID of device remains {4D36E967-E325-11CE-BFC1-08002BE10318}
Meaning Class = Disk Drive, right?
Searching in system\ControlSet001\Control\DeviceClasses\ for the device serial number finds it in \\……\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Now, a further 5 seconds later there's an entry (final one in setupapi) for
#I320 Class GUID of device remains {71A27CDD-812A-11D0-BEC7-08002BE2092F}, finishes successfully with
#I121 Device install of "STORAGE\VOLUME\1&30A96598&0&SIGNATURE2E9D142DOFFSETB000LENGTH3C3F5000" finished successfully.
Which by my reckoning is about a 1GB storage volume. All very interesting, but I'm still no further forward in identifying my "rogue" device though.
If anyone can point me in the right direction I'm happy to go ferret around on my own.
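Added example, not code from anyone in this thread: a small Python helper that does mechanically what the last post does by hand with the setupapi.log lines quoted above. It maps the three #I320 setup-class GUIDs to their Microsoft class names (USB, DiskDrive, Volume), names the DeviceClasses interface GUID the serial number turned up under ({53f56307-...} is GUID_DEVINTERFACE_DISK), decodes SIGNATURE/OFFSET/LENGTH from the STORAGE\VOLUME instance ID, and builds the 12-byte value (4-byte little-endian disk signature followed by the 8-byte little-endian partition offset) that Windows writes under MountedDevices for a volume on a basic, fixed-type disk. That last part is the caveat worth knowing when there is no ParentIdPrefix: on XP a device enumerated as removable media gets a MountedDevices string containing STORAGE#RemovableMedia#<ParentIdPrefix>, whereas a device whose volume was installed with a SIGNATURE/OFFSET/LENGTH instance ID was treated as fixed media and would be keyed by that binary blob instead. The setupapi excerpt and the MountedDevices sample are constructed for the example (the drive letter in the sample is invented and says nothing about the case); the GUID tables and the 12-byte layout are documented Windows behaviour.

```python
import re
import struct

# Constructed excerpt: the four setupapi.log lines quoted in the thread, with
# other lines of the real log omitted. Not a real log file.
SETUPAPI_EXCERPT = """\
#I320 Class GUID of device remains {36FC9E60-C465-11CF-8056-444553540000}.
#I320 Class GUID of device remains {4D36E967-E325-11CE-BFC1-08002BE10318}.
#I320 Class GUID of device remains {71A27CDD-812A-11D0-BEC7-08002BE2092F}.
#I121 Device install of "STORAGE\\VOLUME\\1&30A96598&0&SIGNATURE2E9D142DOFFSETB000LENGTH3C3F5000" finished successfully.
"""

# Device setup class GUIDs (Microsoft's published setup-class list).
SETUP_CLASSES = {
    "36FC9E60-C465-11CF-8056-444553540000": "USB",
    "4D36E967-E325-11CE-BFC1-08002BE10318": "DiskDrive",
    "71A27CDD-812A-11D0-BEC7-08002BE2092F": "Volume",
}

# Device interface class GUIDs seen under Control\DeviceClasses.
INTERFACE_CLASSES = {
    "53F56307-B6BF-11D0-94F2-00A0C91EFB8B": "GUID_DEVINTERFACE_DISK",
    "53F5630D-B6BF-11D0-94F2-00A0C91EFB8B": "GUID_DEVINTERFACE_VOLUME",
}

CLASS_RE = re.compile(r"#I320 Class GUID of device remains \{([0-9A-Fa-f-]{36})\}")
VOLUME_RE = re.compile(
    r'"STORAGE\\VOLUME\\[^"]*SIGNATURE([0-9A-Fa-f]{8})OFFSET([0-9A-Fa-f]+)LENGTH([0-9A-Fa-f]+)"'
)


def class_sequence(log_text):
    """Ordered list of setup-class names the device went through in the log."""
    return [SETUP_CLASSES.get(m.group(1).upper(), m.group(1))
            for m in CLASS_RE.finditer(log_text)]


def interface_name(guid):
    """Name of a DeviceClasses interface GUID, or the GUID itself if unknown."""
    key = guid.strip("{}").upper()
    return INTERFACE_CLASSES.get(key, key)


def parse_storage_volume(log_text):
    """Decode SIGNATURE/OFFSET/LENGTH (hex) from a STORAGE\\VOLUME instance ID."""
    m = VOLUME_RE.search(log_text)
    if not m:
        return None
    signature, offset, length = (int(x, 16) for x in m.groups())
    return {"signature": signature, "offset": offset, "length": length,
            "mib": length / 2 ** 20}


def mounted_devices_blob(signature, offset):
    """12-byte MountedDevices value for a basic-disk volume:
    little-endian 32-bit disk signature + little-endian 64-bit partition offset."""
    return struct.pack("<IQ", signature, offset)


def find_drive_letters(mounted_devices, signature, offset):
    """Names of MountedDevices values whose data is exactly that 12-byte blob."""
    blob = mounted_devices_blob(signature, offset)
    return [name for name, data in mounted_devices.items() if data == blob]


# Constructed MountedDevices sample (value name -> raw data). Invented letters.
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": mounted_devices_blob(0x12345678, 0x7E00),
    "\\DosDevices\\F:": mounted_devices_blob(0x2E9D142D, 0xB000),
    # Removable-media style value, as XP writes for a device with a ParentIdPrefix.
    "\\DosDevices\\G:": ("\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
                         "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}


if __name__ == "__main__":
    print("setup classes:", " -> ".join(class_sequence(SETUPAPI_EXCERPT)))
    print("DeviceClasses key:", interface_name("{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"))
    vol = parse_storage_volume(SETUPAPI_EXCERPT)
    print("volume: signature=%08X offset=0x%X length=%d bytes (%.1f MiB)"
          % (vol["signature"], vol["offset"], vol["length"], vol["mib"]))
    print("MountedDevices blob to search for:",
          mounted_devices_blob(vol["signature"], vol["offset"]).hex())
    print("matching values in sample:",
          find_drive_letters(SAMPLE_MOUNTED_DEVICES, vol["signature"], vol["offset"]))
```

Run against a real hive you would feed the bytes of each \DosDevices\X: value (from RegRipper's mountdev output or a hive parser) into find_drive_letters; a hit ties the letter to the disk signature in setupapi.log, and the same 12-byte blob also appears as the data of the \??\Volume{GUID} value for that volume, which is the GUID to look for under the user's MountPoints2.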