1. Drive Letter and Volume Name
USB devices play a significant role in forensic investigations, and understanding the drive letter and volume name associated with a USB device can provide valuable insights into user activity and data access.
Location: XP
Command
• Find the ParentIdPrefix of the device.
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
• Use the ParentIdPrefix to discover the last mount point (drive letter).
reg query HKLM\SYSTEM\MountedDevices
Location: Win7-10
Command
reg query "HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices"
reg query HKLM\SYSTEM\MountedDevices
You can preserve this artifact with reg save by giving it the registry key path and a destination file.
Interpretation:
• Identify the USB device that was last mapped to a specific drive letter.
-------------------------------------------------------------------------------------------------------------
2. Volume Serial Number
USB devices are commonly used for data storage and transfer, making them important artifacts in forensic investigations. Understanding the Volume Serial Number of the filesystem partition on a USB device can provide valuable information about its usage and history.
Location:
Registry Key (Non-SSD System Drive):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt (This key is present only if the system drive is not SSD)
Query through CMD:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt"
Interpretation:
1. Identify the registry key:
Locate the EMDMgmt key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ to access the information about the filesystem partition.
2. Volume Serial Number:
Use the Volume Name and the USB device's unique serial number to find the matching entry. The Volume Serial Number is typically the last integer in the line of information retrieved from the registry key.
3. Convert the decimal serial number to hex:
The Volume Serial Number is stored in decimal; once identified, it can be converted to hexadecimal for further analysis if needed.
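As an added example (not part of the original post), the three steps above as a small Python helper: it parses reg query output for the EMDMgmt key, pulls the device serial, volume name and decimal Volume Serial Number out of each subkey name, and converts the VSN to the XXXX-XXXX hex form that dir and vol display. The sample output is constructed, and the assumed subkey layout is `_??_USBSTOR#<device ids>#<USB serial>&<instance>#{volume GUID}<VolumeName>_<decimal VSN>`.

```python
import re

# Constructed sample of the output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt"
# (two subkeys: one USB stick with a volume label, one without).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a09ec6fa0c}MYUSB_1234567890
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0019E06B1234&0#{53f56307-b6bf-11d0-94f2-00a09ec6fa0c}_3520470906
"""

# Assumed subkey layout:
#   _??_USBSTOR#<device ids>#<USB serial>&<instance>#{volume GUID}<VolumeName>_<VSN in decimal>
KEY_RE = re.compile(
    r"EMDMgmt\\_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<serial>[^&#]+)&\d+#"
    r"\{[0-9A-Fa-f-]+\}(?P<volname>.*?)_(?P<vsn_dec>\d+)$"
)


def vsn_to_hex(vsn_decimal):
    """Decimal VSN from the key name -> 'XXXX-XXXX', the form shown by dir/vol."""
    h = f"{int(vsn_decimal):08X}"
    return f"{h[:4]}-{h[4:]}"


def parse_emdmgmt(reg_output):
    """Extract device serial, volume name and VSN (decimal and hex) from each USBSTOR subkey."""
    entries = []
    for line in reg_output.splitlines():
        m = KEY_RE.search(line.strip())
        if not m:  # the parent key itself, or a non-USBSTOR entry (e.g. an internal disk)
            continue
        entries.append({
            "device": m["device"],
            "device_serial": m["serial"],
            "volume_name": m["volname"],        # empty string when the volume had no label
            "vsn_decimal": int(m["vsn_dec"]),
            "vsn_hex": vsn_to_hex(m["vsn_dec"]),
        })
    return entries


def find_by_serial(entries, usb_serial):
    """Step 2 of the interpretation: match the USB unique serial to its volume entry."""
    return [e for e in entries if e["device_serial"] == usb_serial]


if __name__ == "__main__":
    for e in parse_emdmgmt(SAMPLE_REG_OUTPUT):
        print(f'{e["device_serial"]:<22} {e["volume_name"] or "<no label>":<12} '
              f'{e["vsn_decimal"]:>10} -> {e["vsn_hex"]}')
```

Remember the caveat from the Location section: on a system whose boot drive is an SSD the EMDMgmt key is absent, so an empty result does not mean no USB device was ever attached.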
-------------------------------------------------------------------------------------------------------------
3. Shortcut (LNK) Files
For in-depth details on this artifact, see my previous blogs:
Blog 1: Unveiling the Significance of LNK Files in Digital Forensics
Blog 2: LNK File Analysis: Tool --> LECmd.exe
-------------------------------------------------------------------------------------------------------------
4. P&P Event Log
The Plug and Play (P&P) Event Log is a crucial source of information for forensic investigators, providing insights into driver installations and device connections on a Windows system.
Location:
System Log File (Windows 7-10):
%systemroot%\System32\winevt\logs\System.evtx
Event ID:
20001: Plug and Play driver install attempted
Interpretation:
Event Identification:
The P&P Event Log records an event each time a Plug and Play driver installation is attempted on the system. Every event carries an Event ID, and Event ID 20001 specifically indicates a Plug and Play driver install attempt.
Timestamp:
The timestamp of the event shows when the driver installation attempt occurred. It is crucial for establishing timelines and sequences of events during forensic analysis.
Device Information:
The event log entry typically includes details about the device involved in the driver installation attempt, such as device type, manufacturer, model, and hardware identifiers.
Device Serial Number:
For USB and other Plug and Play-capable devices, the event may contain the serial number or unique identifier of the device involved in the driver installation attempt. This helps investigators identify the specific device connected to the system.
Status:
The status code in the event entry indicates the outcome of the driver installation attempt. A status code of "0" typically means the installation succeeded without errors; any other status code indicates an error or issue encountered during installation.
-------------------------------------------------------------------------------------------------------------