Hmm, I'm using a dd image of the USB storage device and looking at it through ProDiscover. Generating a report gives me the VSN.
"Generating a report", how? What are you using to generate this report?
The device is a Sony unit, and checking the USBStor listing, it is the only Sony USB installed. When cross-checking with setupapi, it also checks out as the right device installed on given dates.
So I have the ParentIdPrefix of the device and the Unique Instance Identifier.
When I go to the "\\?\Volume{GUID}" in MountedDevices, I can only reference it to one of the entries. However, it has no actual drive letter, as I believe the user put another USB storage device on the same USB port straight after using the Sony device.
The problem is that with the "\\?\Volume{GUID}" there is no reference to the VSN I gained through examining the image in ProDiscover.
What else do you know about this "Sony unit"?
USB devices and the MountedDevices key are discussed on pages 155-163 of Windows Forensic Analysis, first edition. Pg 163 contains discussion that ext HDDs do not appear to have ParentIdPrefix values beneath their USBStor key entry. As you've stated that yours does, it would appear that what you're looking at is the entry for a thumb drive, not an external hard drive. As such, you will not have a "VSN" or volume serial number (aka, drive signature).
Could you elaborate on how you gained this VSN via ProDiscover?
Thanks,
h
Hmmm, maybe I've done this all wrong.
This is a copy/paste from ProDiscover:
Image Files
File Name C:\Documents and Settings\Administrator\Desktop\Crime Scene USB DD\Crime Scene USB DD.dd
Image File Type DD Image
Time Zone Information
Time Zone (GMT-0600) Central America (Central America Standard Time)
Daylight savings (summertime) was in effect Yes
Time Zone information obtained from preferences settings.
Total Drive Information
Hard disk make
Total Sectors 2062846
Total Size 1031423 KB
Hard Disk C
Volume Name NO NAME
Volume Serial Number EAFD-27D5
File System FAT16
Bytes Per Sector 512
Total Clusters 64444
Sectors per cluster 32
Total Sectors 2062782
Hidden Sectors 32
Total Capacity 1031391 KB
Start Sector 32
End Sector 2062813
Disks
Evidence of Interest
Clusters of Interest
File Signature Mismatch
Search Results
Project Notes
This Report was created by ProDiscover
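A FAT16 volume keeps its volume serial number, label and geometry in the boot sector at the partition's start sector, which is where the fields in a report like the one above can be cross-checked directly against the dd image. The Python below is an added example, not part of the original thread and not ProDiscover's code; it assumes an MBR-partitioned image with 512-byte sectors, and the function names and the sample image (built to carry the report's values) are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as in the report

def build_sample_image():
    """Constructed image, not the poster's evidence: MBR, then a FAT16 boot sector at LBA 32."""
    mbr, bs = bytearray(SECTOR), bytearray(SECTOR)
    mbr[0x1BE + 4] = 0x06                                  # partition type byte (FAT16)
    struct.pack_into("<II", mbr, 0x1BE + 8, 32, 2062782)   # start LBA, sector count
    struct.pack_into("<HB", bs, 0x0B, 512, 32)             # bytes/sector, sectors/cluster
    struct.pack_into("<II", bs, 0x1C, 32, 2062782)         # hidden sectors, total sectors
    bs[0x26] = 0x29                                        # extended boot signature
    struct.pack_into("<I", bs, 0x27, 0xEAFD27D5)           # volume serial, little-endian on disk
    bs[0x2B:0x36] = b"NO NAME".ljust(11)                   # 11-byte volume label
    bs[0x36:0x3E] = b"FAT16".ljust(8)                      # 8-byte file system type string
    mbr[0x1FE:0x200] = bs[0x1FE:0x200] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * 31) + bytes(bs)

def first_partition_lba(image):
    """Return the start LBA from the first MBR partition entry (offset 0x1BE)."""
    if image[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA signature")
    start, count = struct.unpack_from("<II", image, 0x1BE + 8)
    if image[0x1BE + 4] == 0 or count == 0:
        raise ValueError("first partition slot is empty")
    return start

def parse_fat16_boot_sector(image, lba):
    """Decode the FAT16 boot sector fields that appear in the volume section of the report."""
    bs = image[lba * SECTOR:(lba + 1) * SECTOR]
    if len(bs) != SECTOR or bs[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no boot sector at LBA %d" % lba)
    if bs[0x26] != 0x29:
        raise ValueError("expected extended boot signature 0x29")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)
    total16, = struct.unpack_from("<H", bs, 0x13)
    hidden, total32 = struct.unpack_from("<II", bs, 0x1C)
    serial, = struct.unpack_from("<I", bs, 0x27)
    total = total16 or total32   # the 16-bit field is zero on volumes over 65535 sectors
    return {
        "volume_serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF),
        "volume_label": bs[0x2B:0x36].decode("ascii", "replace").rstrip(),
        "file_system": bs[0x36:0x3E].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "hidden_sectors": hidden, "total_sectors": total,
        "total_kb": total * bps // 1024,
    }

if __name__ == "__main__":
    img = build_sample_image()
    print(parse_fat16_boot_sector(img, first_partition_lba(img)))
```

Against a real image, read the file in binary mode and pass its bytes in place of the constructed sample.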
Dan,
I'm sorry, my friend, but this really doesn't do a lot to answer the questions I asked.
If you still need help, please feel free to reach out.
Thanks
Here is a tool you might want to try
http//
jaclaz
If USBHistory is a tool to provide what you need, I'd strongly suggest that you also look at RegRipper.
If USBHistory is a tool to provide what you need, I'd strongly suggest that you also look at RegRipper.
You talkin' to me?
http//
lol
jaclaz
No, since I hadn't directed it at you specifically, I was commenting to anyone reading the thread.
RegRipper does much more than simply provide the USB removable device information from the Registry…it also allows a trained analyst to determine when someone has used information from the Internet to "clean up" behind themselves; the use of removable storage devices leaves several artifacts on a system, and most folks focus only on one or two. In fact, just this past week on the EnCase User Forums, an analyst posted thinking that the USBStor and USB keys were where the information was maintained…
RegRipper does much more than simply provide the USB removable device information from the Registry…
Sure :), just kidding. ;)
jaclaz