Has anyone come across USB devices that do not propagate under the known registry keys in Windows 10? I have a couple of cases lately in which we can see LNK files and History records that point to a specific USB drive. Suspect has admitted use of the USB drive, and USB drive is recovered. But in Windows 10, it is not considered "removable media"? Further analysis using USBDeview on a live replicant of the target system reveals the devices identifying as USB Attached SCSI (UAS) Mass Storage Device, and present with serial numbers like "MSFT3000000000000000000000".
That is, I believe, not Windows 10 specific; it's the (relatively new, introduced with Windows 8) UAS protocol (or UASP):
https://en.wikipedia.org/wiki/USB_Attached_SCSI
https://msdn.microsoft.com/en-us/library/windows/hardware/dn642113(v=vs.85).aspx
Traditional USB Mass Storage used/use the USBSTOR.SYS driver, UAS/UASP ones use the UASPSTOR.SYS, see also:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff538820(v=vs.85).aspx
A "normal" USB device can be either "Removable" or "Fixed". Traditionally USB sticks were set as "Removable" (and hard disk/hard disk cases as "Fixed"), but newer (fastish) USB 3.0 sticks are often set as "Fixed", as basically they are a USB to SATA bridge + SSD; maybe that is your case?
jaclaz
I agree, it seems to be specific to USB to SATA bridge. Testing so far has revealed SSD or spinner same results. Also finding it with fully branded devices (LaCie, WD, Seagate) on USB 2 and USB 3.
So far, I'm only finding references to these devices as the bridge name, not the device name, and they're appearing under
HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port (x)\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Where the device is mounted under "Scsi Port (x)" and when a "Logical Unit Id" is present in the key, the device is connected (i.e. no historical record).
The only identifier that I can find in Windows 10 relates to the bridge, and not the underlying media. In fact, EnCase and FTK Imager under 10 both identify the underlying device as the bridge name (in my testing case, an ASMT 2105 SCSI Device). Regardless of what media is in the bridge, the identifier doesn't change!
So there has to be some other registry entry or artifact that is gathering some kind of information about the media and not the bridge. (I hope)
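An added example, not part of the thread: a PowerShell sketch that walks the DEVICEMAP\Scsi key discussed above and lists each port with any logical units currently attached, so bridge identifiers can be compared when media is swapped. The value names `Driver`, `Identifier` and `Type`, and the driver name match on `uaspstor`, are assumptions about what these keys hold on the system under test.

```powershell
# Added example (not from the thread). Run on the live system or a booted clone:
# the HKLM\HARDWARE hive is volatile and is not stored in the offline hive files.
$root = 'HKLM:\HARDWARE\DEVICEMAP\Scsi'

$rows = foreach ($port in Get-ChildItem -Path $root -ErrorAction Stop) {
    # Assumed value name: 'Driver' on the "Scsi Port N" key names the port driver.
    $driver = (Get-ItemProperty -Path $port.PSPath).Driver

    # A "Logical Unit Id" subkey under the port means a device is attached right now.
    $luns = @(Get-ChildItem -Path $port.PSPath -Recurse |
        Where-Object { $_.PSChildName -like 'Logical Unit Id *' })

    if ($luns.Count -eq 0) {
        # Port exists but nothing is attached: no historical record is kept here.
        [pscustomobject]@{
            Port       = $port.PSChildName
            Driver     = $driver
            IsUas      = ($driver -match '^uaspstor')   # assumed driver name
            Unit       = $null
            Identifier = $null
            Type       = $null
            Connected  = $false
        }
        continue
    }

    foreach ($lun in $luns) {
        $props = Get-ItemProperty -Path $lun.PSPath
        [pscustomobject]@{
            Port       = $port.PSChildName
            Driver     = $driver
            IsUas      = ($driver -match '^uaspstor')   # assumed driver name
            # Path below the port key, e.g. "Scsi Bus 0\Target Id 0\Logical Unit Id 0"
            Unit       = $lun.Name.Substring($port.Name.Length + 1)
            Identifier = $props.Identifier   # assumed value name; bridge name per the thread
            Type       = $props.Type         # assumed value name
            Connected  = $true
        }
    }
}

$rows | Sort-Object Port, Unit | Format-Table -AutoSize
```

Running it once per media swap and comparing the `Identifier` column reproduces the observation above that the identifier follows the bridge rather than the disk inside it.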