Found it. It was listed under EMDMgmt in the SOFTWARE Hive. Great call. Its not ID'd as a USB device. And there is a second listing for another ION drive in there with a different Last Written date. There is a Seagate FreeAgent drive in there also, also not ID'd as USB - and I know the ones I own are USB/eSata combos.
As for the Iogear devices, one is ID'd as ION 1 and the other as ION 2. Two different dates, as I said - but just days apart - both of which are within weeks of her department. How can I determine what these things are? I suspect I need to go back to SYSTEM and search for hard drives.
Okay, so this is how these Iogear ION drives are listed - along with what I assume is a serial number or some other unique identifier
IJG___ION 1_3423673288 Last Written 1/26/2011
IJETH_ION 2_136092132 Last Written 1/18/2011
These dates are within weeks of her departure.
Neither drive is ID'd as a USB device like the other devices listed in EMDMgt but this is the ReadyBoost Key for USB - so these things must be USB and not some other bus type - such as eSATA, correct?
I see other devices listed here that are also listed under USBSTOR, one of which is a Seagate FreeAgent drive. Now, I have several of these devices my self and they are dual bus drives - USB and eSATA. Would that explain why the ION drives are listed here as potential ReadyBoost devices under USB but not actually listed in USB - because she never attached them as USB?
disregard..
Neither drive is ID'd as a USB device like the other devices listed in EMDMgt but this is the ReadyBoost Key for USB - so these things must be USB and not some other bus type - such as eSATA, correct?
I'm not sure I understand your assumption here…to my knowledge, there is no such thing as "ReadyBoost key for USB". ReadyBoost runs on external devices that can be reached through a number of means, not just USB.
I see other devices listed here that are also listed under USBSTOR, one of which is a Seagate FreeAgent drive. Now, I have several of these devices my self and they are dual bus drives - USB and eSATA. Would that explain why the ION drives are listed here as potential ReadyBoost devices under USB but not actually listed in USB - because she never attached them as USB?
Again, I don't follow…what is "ReadyBoost devices under USB"?
Based on the format that you see for the devices, the final numbers _may be a serial number_…have you checked the DeviceClasses subkey for Disk devices for that number?
The key values in the EMDMgmt node which are alphabetically listed towards the end of the tree include the friendly name of the device and it's Volume Serial Number. Simply convert the decimal characters to Hex.
ASH,
For the USB devices I've connected to my Windows 7 systems, the serial number is the _device_ serial number, not the volume S/N.
Harlan,
The node below has been taken from my Windows Seven registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\NK_~__Archive 750_1892339175
The value at the end 1892339175 when converted to Hex is70CA-CDE7 which is the Volume Serial Number for my drive named Archive 750.
Ash,
I completely understand…I have the same thing for USB HDD enclosures.
However, I wanted to bring to the reader's attention that not ALL entries in the EMDMgmt key have the same format. As with USB device analysis in general, there are differences between USB thumb drives and HDD enclosures.
Ash,
I completely understand…I have the same thing for USB HDD enclosures.
However, I wanted to bring to the reader's attention that not ALL entries in the EMDMgmt key have the same format. As with USB device analysis in general, there are differences between USB thumb drives and HDD enclosures.
Yes, the difference is if the device (or actually the USB controller inside the device ) is set to "Fixed" or to "Removable".
USB HDD controllers come 100% "fixed" from factory
USB Sticks come normally (like 99.99%) Removable from factory (but this setting can usually be "flipped" with the controller manufacturer tool)
jaclaz
Folks, I have a case in which an employee copied intellectual property of her employer to a USB hard drive (Iogear ION) just before leaving that company to join a competitor. I can see the device listed by name in link files and jump lists. But its not listed by name ("ION 1") in the Registry nor in the SetupAPI.dev.logs. Furthermore, no other external USB storage devices are listed by hard drive manufacturer for the period this person used the computer exclusively. Her mobile phones are listed as is an iPod. But nothing more. Other devices that had been attached to the machine before she took it are listed also.
I am suspecting that some sort of anti-forensic program was used. Am I going in wrong direction? Is the Register and SetupAPI file not reliable?
Any help or suggestions would be appreciated.
What was the iPOD config /Mobile storage?
8Gb or 16GB
he could have copied the data using the ipod or mobile>
just my 2 cents.