Hello all,
I have been presented with 2 dd images. One of a laptop hard drive and the second of a USB thumb drive. The question is how can I confirm if the thumb drive has been inserted into the laptop? The USB thumb drive is no longer available. I understand the various USBSTOR and MountedDevices registry key entries but I don't know how to get a unique id of the USB thumb from the image of the thumb drive to compare to the registry entries.
Thanks
-Mark
Mark,
> I don't know how to get a unique id of the USB thumb from the image of the thumb drive
You can't. As mentioned in "Windows Forensic Analysis", the device descriptor is not part of memory and is therefore not part of what's acquired.
However, you might try matching up the volume serial number from the image of the USB drive to Registry entries on the system.
HTH,
h
Thanks Harlan … you truly are the "registry man". I thought that I knew the answer (it's not there) and actually had the attorney tell me that it was definitely in the image, and that made me hesitate. Before I went out on a limb and stepped on myself I needed some confirmation … yours is certainly top of the credibility totem pole.
BTW - we did get lucky and found a few lnk files that we could match up to the volume serial number and therefore determine that this USB device was inserted into the laptop. Thanks to you and Lee Whitfield for that suggestion.
You're very welcome…
Lee
Besides volume serial, IF the stick was set as "fixed" and "made bootable" with a MBR on it, it may be possible to find the disk signature.
Though it is very rare that the above happens, 99.99% (read ALL) of sticks are set as "removable" in factory.
As well it may be possible to find something about the device description in mounteddevices; in some cases this remains "sticky" even when the device is removed/unmounted, but this only says (IF found) that a given stick "model" has been mounted… not the specific stick of that model.
See this seemingly unrelated thread
http//
and this
http//
jaclaz
> However, you might try matching up the volume serial number from the image of the USB drive to Registry entries on the system.
> HTH,
> h
hey man
would it be ok if you told us how to do this? *many thanks*
jaclaz,
> Besides volume serial, IF the stick was set as "fixed" and "made bootable" with a MBR on it, it may be possible to find the disk signature.
To be accurate, a volume signature (not serial) is not necessarily unique; it's created by Windows when the volume is formatted. The volume signature is part of the memory area and not part of the device descriptor.
> As well it may be possible to find something about the device description in mounteddevices,
Can you elaborate on where?
> …in some cases this remains "sticky" even when the device is removed/unmounted, but this only says (IF found) that a given stick "model" has been mounted… not the specific stick of that model.
Windows Forensic Analysis describes how to map the device class and the unique instance ID to the MountedDevices key entries…
HTH,
h
Dan,
> However, you might try matching up the volume serial number from the image of the USB drive to Registry entries on the system.
> HTH,
> h
> hey man
> would it be ok if you told us how to do this? *many thanks*
Sure.
Within the image of your USB drive (not a thumb drive, but an actual USB-connected external drive), locate your volume serial number. Then go to the MountedDevices key in the Registry of the host system you're analyzing, and locate the \\?\Volume{GUID} value that contains that volume serial number in the first DWORD of the data.
You may get lucky and also find a DosDevices value that also contains the serial number in its data, as well.
Does that help?
h
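An added illustration of the MountedDevices comparison described above (this is not code from the thread or from Windows Forensic Analysis): for an MBR-partitioned stick, the 12-byte data of a \\?\Volume{GUID} or \DosDevices\X: value is the 4-byte disk signature from MBR offset 0x1B8 followed by the partition's byte offset, so the script pulls that signature and the filesystem VSN out of a dd image and parses a registry value for comparison. The image bytes and registry data are constructed samples; values in the string form (removable media with no MBR) are decoded so their device path can be checked against USBSTOR by hand.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as on virtually all thumb drives

def mbr_disk_signature(image: bytes) -> int:
    """4-byte disk signature stored at MBR offset 0x1B8 (little-endian)."""
    if image[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 has no MBR boot signature (superfloppy?)")
    return struct.unpack_from("<I", image, 0x1B8)[0]

def first_partition_offset(image: bytes) -> int:
    """Byte offset of partition 1: start LBA sits 8 bytes into entry 0 (0x1BE)."""
    return struct.unpack_from("<I", image, 0x1BE + 8)[0] * SECTOR

def volume_serial(boot_sector: bytes) -> int:
    """VSN of a boot sector: NTFS at 0x48 (low DWORD), FAT32 at 0x43, FAT12/16 at 0x27."""
    if boot_sector[3:11] == b"NTFS    ":
        return struct.unpack_from("<Q", boot_sector, 0x48)[0] & 0xFFFFFFFF
    if boot_sector[0x52:0x57] == b"FAT32":
        return struct.unpack_from("<I", boot_sector, 0x43)[0]
    return struct.unpack_from("<I", boot_sector, 0x27)[0]

def parse_mounted_devices(data: bytes):
    """12-byte data = MBR disk signature + 8-byte partition offset; other
    lengths are a UTF-16LE device path such as \\??\\STORAGE#RemovableMedia#..."""
    if len(data) == 12:
        return struct.unpack("<IQ", data)
    return data.decode("utf-16-le").rstrip("\x00")

def image_matches_value(image: bytes, data: bytes) -> bool:
    """True when a MountedDevices value points at partition 1 of this image."""
    parsed = parse_mounted_devices(data)
    if not isinstance(parsed, tuple):
        return False  # string form: match its ParentIdPrefix against USBSTOR instead
    sig, offset = parsed
    return sig == mbr_disk_signature(image) and offset == first_partition_offset(image)

def build_sample_image() -> bytes:
    """Constructed 64-sector image: MBR signature 0xA1B2C3D4, FAT32 partition
    at LBA 63 with VSN 0x1234ABCD. Not data from any real drive."""
    img = bytearray(64 * SECTOR)
    struct.pack_into("<I", img, 0x1B8, 0xA1B2C3D4)
    struct.pack_into("<I", img, 0x1BE + 8, 63)
    img[510:512] = b"\x55\xAA"
    bs = 63 * SECTOR
    img[bs + 0x52:bs + 0x57] = b"FAT32"
    struct.pack_into("<I", img, bs + 0x43, 0x1234ABCD)
    return bytes(img)

SAMPLE_VALUE = struct.pack("<IQ", 0xA1B2C3D4, 63 * SECTOR)  # constructed registry data
```

On a real case, read the first few sectors of the dd image for the MBR and the partition's boot sector, and export the MountedDevices value data from the SYSTEM hive with a registry viewer.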
hmm I'm using a dd image of the USB storage device and looking at it through ProDiscover. Generating a report gives me the VSN. The device is a Sony unit and checking the USBSTOR listing it is the only Sony USB installed. When cross checking with setupapi it also checks out as the right device installed on the given dates.
So I have the ParentIdPrefix of the device and the Unique Instance Identifier.
When I go to the "\\?\Volume{GUID}" in MountedDevices, I can only reference it to one of the entries. However, it has no actual drive letter, as I believe the user put another USB storage device on the same USB port straight after using the Sony device.
The problem is with the "\\?\Volume{GUID}" there is no reference to the VSN I gained through examining the image in ProDiscover.
helps!
look in the registry
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
otherwise the program usbdeview (http//
Hope it helped
Chris