Hey, I look in HKLM\System\CurrentControlSet\Enum\USBStor for the serial key to a thumb drive, and wondered what actually is the unique key / serial. Is it the ClassGUID?
Thanks
Mike
Check out "Windows Forensic Analysis"…answered the question there…
If they are maxtor USB drives, the serial is in the name.
is it the ClassGUID?
NO.
USB sticks (or to be more accurate controllers inside USB sticks) can be given a serial.
That is NOT the "disk signature", and NOT the Volume serial.
It is the serial of the (controller of) the device.
Checking the stick with a tool like Chipgenius you will get data like this
PnP Device ID VID = 0EA0 PID = 2168
Serial Number 130B5F43D7479CD7
Revision 2.00
Device Type Standard USB device - USB2.0 High-Speed
Product Vendor OTi
Product Model Flash Disk
You will find the serial here
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ea0&Pid_2168
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_0ea0&Pid_2168\130B5F43D7479CD7
and in USBSTOR suffixed by a &0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_OTi&Prod_Flash_Disk&Rev_2.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_OTi&Prod_Flash_Disk&Rev_2.00\130B5F43D7479CD7&0
The class GUID will be
{4D36E967-E325-11CE-BFC1-08002BE10318}
i.e. "DiskDrive"/"Gendisk"
that is found among Classes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
The "Driver" entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_OTi&Prod_Flash_Disk&Rev_2.00\130B5F43D7479CD7&0
will tell you the driver instance used in Classes.
The Serial can also be found in (when mounted)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor\Enum]
"0"="USB\\Vid_059f&Pid_0951\\0AD817256FFF"
"Count"=dword:00000003
"NextInstance"=dword:00000003
"1"="USB\\Vid_058f&Pid_6362\\058F312D81B"
"2"="USB\\Vid_0ea0&Pid_2168\\130B5F43D7479CD7"
jaclaz
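The key layout described in the post above can be parsed and cross-referenced mechanically. The following Python sketch is an added example, not part of the original thread or of any tool named in it; the function names are hypothetical and the sample input is constructed from the paths quoted in the post. It goes one step beyond the post by flagging instance IDs whose second character is "&", which Windows generates itself when a device reports no serial.

```python
import re

# Constructed sample input: key paths and usbstor service values quoted in the post.
ENUM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum"
SAMPLE_KEYS = [
    ENUM + r"\USB\Vid_0ea0&Pid_2168\130B5F43D7479CD7",
    ENUM + r"\USBSTOR\Disk&Ven_OTi&Prod_Flash_Disk&Rev_2.00\130B5F43D7479CD7&0",
]
SAMPLE_SERVICE_VALUES = [
    r"USB\Vid_059f&Pid_0951\0AD817256FFF",
    r"USB\Vid_058f&Pid_6362\058F312D81B",
    r"USB\Vid_0ea0&Pid_2168\130B5F43D7479CD7",
]

# Only instance-level keys match; the parent Vid_/Pid_ or Disk&Ven_ key alone does not.
USB_RE = re.compile(
    r"(?:^|\\)USB\\Vid_([0-9a-f]{4})&Pid_([0-9a-f]{4})\\([^\\]+)$", re.I)
USBSTOR_RE = re.compile(
    r"(?:^|\\)USBSTOR\\Disk&Ven_([^&\\]*)&Prod_([^&\\]*)&Rev_([^&\\]*)\\([^\\]+)$",
    re.I)

def is_generated(instance_id):
    """True when Windows made up the instance ID (device reported no serial)."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def parse_device_path(path):
    """Return the fields encoded in one USB or USBSTOR instance path, or None."""
    m = USB_RE.search(path)
    if m:
        vid, pid, inst = m.groups()
        return {"vid": vid.upper(), "pid": pid.upper(),
                "serial": inst, "generated": is_generated(inst)}
    m = USBSTOR_RE.search(path)
    if m:
        ven, prod, rev, inst = m.groups()
        # USBSTOR appends "&0" (or another "&n") to the device serial; strip it.
        serial = inst if is_generated(inst) else inst.rsplit("&", 1)[0]
        return {"vendor": ven, "product": prod, "revision": rev,
                "serial": serial, "generated": is_generated(inst)}
    return None

def correlate(paths):
    """Merge USB and USBSTOR records that share the same serial."""
    devices = {}
    for path in paths:
        rec = parse_device_path(path)
        if rec:
            devices.setdefault(rec["serial"], {}).update(rec)
    return devices
```

A serial that appears under only one of the two branches, or one flagged as generated, cannot be tied to a specific physical stick on the registry evidence alone.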
Have you tried using USB deview from
Very good, it finds all this for you; it will also tell you the last device that a drive letter was associated with too, in places.
Hope this is of help
The tool is at nirsoft.net, not .com.
Also, from the web page
"Created Date Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device to the USB port. However, be aware that in some circumstances this value may be wrong."
RegRipper has plugins to address this issue.
Hi guys, thanks for your help, the "Windows Forensic Analysis" paper helped and I will be looking at nirsoft.net.
Thanks guys this piece of information is really helpful, I have tried the tool from nirsoft.net and it is really easy to use.
Under Linux you can see it with
lsusb -v
Please note that software tools exist to change the serial on many of the flash controller chips. Probably makes them inadmissible in court?
Please note that software tools exist to change the serial on many of the flash controller chips. Probably makes them inadmissible in court?
There are as well (much less "common") tools for hard disk controllers, what gives? unsure
jaclaz