Overview:
The process of tracking USB devices and identifying their last known drive letters involves extracting and interpreting specific information from the Windows registry. This process is vital for forensic investigations to trace device activities and understand drive mappings.
MSC Only:-
Steps to Find Last Drive Letter of a USB Device:
Retrieve Device Serial Number:
Retrieve the device Serial Number from the USBSTOR registry key, which was stored earlier.
Examine SYSTEM Hive and MountedDevices Key:
Open the SYSTEM hive from the Windows registry.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.
Find Drive Letter Using Serial Number:
Search for the device Serial Number within the MountedDevices key.
The last device associated with a drive letter will have its Serial Number listed. This indicates the drive letter assigned to that specific device.
Importance of Volume GUID:
This GUID helps to identify the user who plugged in the device and provides a timestamp of when the device was last connected by that user.
Steps to Locate Volume GUID:
Search MountedDevices for Serial Number:
Look for the device's Serial Number within the data values of the various GUIDs in SYSTEM\MountedDevices.
Identify the Relevant GUID:
Once the Serial Number is located, determine the corresponding GUID and note it down.
Mapping GUID to User:
NTUSER.DAT Hive:
Use the noted GUID to search through the MountPoints2 key in the user's
NTUSER.DAT hive.
This key is located at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2.
Mapping to User:
Each Volume GUID listed under MountPoints2 corresponds to a different local or removable drive connected to the system.
The Volume Serial Number from SYSTEM\MountedDevices should match one of the entries in MountPoints2, helping to identify the user associated with the device.
Additional Information in MountPoints2:
Network Shares:
MountPoints2 also contains details of network shares accessed by the user.
Forensic Significance:
In intrusion cases, unauthorized access to a remote share using net.exe can leave forensic artifacts in MountPoints2.
Conclusion:
" MountedDevices "It provides insights into the physical drives, partitions, drive letter mappings, and other crucial information related to connected USB devices.
The Volume GUID serves as a bridge between the USB device and the user who connected it. By matching the Volume GUID from SYSTEM\MountedDevices with the entries in MountPoints2 under the user's NTUSER.DAT, forensic investigators can accurately determine which user plugged in a specific USB device and when.
Akash Patel
Commenti