Recent Docs - Matching drive letters

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Hi, hope someone out there can help. I'm an internal corporate resource. I'm looking at a disk image where a number of external USB devices have been attached, ranging from floppies (honest) through CD-ROM drives and cameras, a Blackberry, thumb drives (standard and U3), to external hard drives.

The user's Recent Documents refer to some files that I'm interested in. I use Harlan's lslnk to establish that the original files were on drive F.

BUT I can't see any way of correlating the 8-character Windows Serial number with the actual serial number of any device. In the case of removable media, I THINK I can work out device specifics using Parent ID Prefixes and Volume GUIDs, but I'm stumped if it's an external Hard Drive.

In this particular case, the drive is parsed(?) by lslnk as "Expansion Drive" which is typical of Seagate's range in which case I'm home and dry in that there's only one Seagate product listed in \System\ControlSetxxx\USB\Enum\USBSTOR. But I will check timestamps!!

Needless to say, all I have is the image, and not all the media!! Any assistance welcome, will be working on this after the weekend.


   
Quote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Okay, it sounds like what you're trying to do is determine which external device was mapped to the F\ drive, so you can determine which device the document/file (target of the .lnk file) was stored on.

This isn't something that's easy to do…

BUT I can't see any way of correlating the 8-character Windows Serial number with the actual serial number of any device.

I think what you're referring to is the volume serial number, which does not map directly to the device's serial number, which is found in the device descriptor.

I have yet to find a location in the Registry where volume serial numbers are stored. A disk's drive signature can be found in the MountedDevices key, but that's not what you're looking at. The volume information I have found to be available doesn't contain the volume serial number, b/c it can change (format the volume).

…\System\ControlSetxxx\USB\Enum\USBSTOR. But I will check timestamps!!

The LastWrite times for the USBStor subkeys are not what you need to look to in order to determine when the device was last plugged into the system.

HTH.


   
ReplyQuote
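As an added example (not lslnk, and not code from anyone in this thread), the Python below reads the LinkInfo/VolumeID structure of a Shell Link (.lnk) file and pulls out the fields under discussion: the drive letter, the 8-hex-digit volume serial, the volume label and the drive type. It also constructs a minimal sample .lnk with made-up values so it runs offline; the serial it recovers is the volume serial, which is the value keydet89 notes does not map to the device serial in the USB device descriptor.

```python
import struct

# DriveType values from the MS-SHLLINK VolumeID structure.
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def parse_lnk_volume(data):
    """Return drive letter, volume serial, label and drive type, or None if no local VolumeID."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C:
        raise ValueError("not a Shell Link header")
    link_flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if link_flags & 0x01:                       # HasLinkTargetIDList: skip the IDList
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if not link_flags & 0x02:                   # HasLinkInfo clear: no LinkInfo block at all
        return None
    _, _, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
    if not li_flags & 0x01:                     # VolumeIDAndLocalBasePath clear (network target)
        return None
    vol = pos + vol_off
    vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
    if label_off == 0x14:                       # label stored as UTF-16 at VolumeLabelOffsetUnicode
        uni_off, = struct.unpack_from("<I", data, vol + 16)
        label = data[vol + uni_off:vol + vol_size].decode("utf-16-le").split("\x00")[0]
    else:
        label = data[vol + label_off:vol + vol_size].split(b"\x00", 1)[0].decode("cp1252")
    base = data[pos + base_off:].split(b"\x00", 1)[0].decode("cp1252")
    return {"drive_letter": base[:2],
            "volume_serial": f"{serial:08X}",   # 8 hex digits: the VOLUME serial, not the device serial
            "volume_label": label,
            "drive_type": DRIVE_TYPES.get(drive_type, f"0x{drive_type:X}"),
            "local_base_path": base}

def build_sample_lnk(serial, label, base_path, drive_type=3):
    """Construct a minimal .lnk (header + LinkInfo only); all values are made-up sample data."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")            # Shell Link CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, 0x02) + b"\x00" * 52    # LinkFlags: HasLinkInfo
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = base_path.encode("cp1252") + b"\x00"
    vol_off = 28                                  # VolumeID follows the 0x1C-byte LinkInfo header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)           # empty CommonPathSuffix (a single NUL)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 0x01, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_b + b"\x00"

print(parse_lnk_volume(build_sample_lnk(0x1234ABCD, "EXPANSION", "F:\\docs\\report.doc")))
```

On a real image the drive type tells you whether the target volume presented itself as FIXED (typical of an external HDD) or REMOVABLE (typical of a thumb drive), which narrows the candidates before any registry correlation.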
 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

What are you trying to establish? The precise details of the device that was connected? If you establish this how will it assist - do you know the owner/assignment of the devices?

There are ways of bringing it all together using evidence in the LNK files, change logs, restore point files, registry etc. but I'd prefer to know what you are trying to do as I may be able to advise you better where to get the information from.

Kind regards


   
ReplyQuote
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

I tend to agree with Sam, what are you trying to show? You are missing a vital piece of evidence and any conclusion that you come to based on what you have is incomplete.
Have you examined the system restore points or shadow files in case your documents of interest have been acquired? Have you performed an OLE data carve? Would this help you in any case?


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Guys,

I got the impression from what the OP said that he's looking to tie a drive letter (and volume serial number) that was found in Shortcut file metadata to an actual device; ie, was F\ this thumb drive or that external HDD?

Please correct me if I'm wrong, Cults…


   
ReplyQuote
 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

Keydet, yes, that was also my impression. I was more interested in the reason for this since he also states the media isn't available. He may have to do a fair amount of analysis to be able to state "A Seagate drive (ID info ***) was connected to the computer between ** - ** and when it did *." Hence, why I am asking if it actually matters what device was connected (assuming he is potentially unable to attribute a device to a particular party etc.) or if it would actually suffice to state that external device(s) were connected and used to steal IP (or whatever the investigation) in violation of X 'unchallengable' security policy etc.

I'd like to know the specifics of what he is trying to achieve before writing a long reply if he hasn't done anything like this before or if it isn't going to be useful to his overall investigation aim.

Kind regards


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Harlan's right, I want to know which device file-x was on.

Samr - as you quite spookily surmise, reason is that this ex-employee is suspected of copying confidential information. He had legit access whilst in our employment, but not to save externally.
He bought some devices himself but then claimed them back on expenses, so they belong to us. If the files were on devices which didn't belong to us, we'd want to know why, and the legal folk will probably send a strop-o-gram to him and his new employer reminding them of their IP responsibilities in general and with regard to specific files we know about.
I'm off the hook in this case as I can establish from timestamps on the RecentDocs (from Harlan's utility and LinkAlyzer) that there's only one external hard drive which could have been used.

But if there had been more than one I'd have been stumped. Due to the sporadic nature/frequency of my involvement in these types of cases it's probably not worth going into detail on potential solutions. We're reasonably happy that if we've preserved the evidence (which we do) and I take things as far as I can, we can call in an outside party to finish the investigation.

Will put up another post regarding MountedDevices though.

Thanks for your input as always

Regards


   
ReplyQuote
 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

Cults14 - I've been in this job too long )

It's pretty tricky to tie down activity to certain devices particularly when a lot of devices have been used in the computer and it's significant when the device was plugged in, when the files were copied and when the device removed (places a b*m on a very important networked computer's seat!). Hence, why I didn't want to go into it all if it would suffice that a particular device was inserted and used to read files )

One of the first cases I researched this for was a case proposing a drive had been connected to a computer for 2 months and used to copy all different kinds of things. I went through lots and lots of files and found it was only connected twice, once for 1 1/2 hours where 70ish files were copied and the other it was connected for about 20 minutes when files were deleted. A very different picture! I love such cases - makes a great investigation and certainly gets the old cogs turning.

Glad you got it sorted.

Kind regards


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Cults,

Do you know which OS was on the system you're analyzing?


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Keydet - according to \SYSTEM\Microsoft\WindowsNTCurrentversion it's XP Pro SP3

Samr - I'd love to get to the stage of being able to do that stuff but as a part-timer with limited time for study/research I don't see it happening any time soon. Mebbe I'll get there someday.


   
ReplyQuote
Share: