USB Device Identifiers and Forensic Insights: iSerialNumber, SCSI Serial Numbers, UASP Devices, and Cleanup in Windows
- Feb 27

USB devices often come with a unique identifier called the iSerialNumber.
Why the iSerialNumber Matters
The iSerialNumber is a hardware-based unique identifier. If you plug the same USB device into multiple computers, each system should log the same iSerialNumber. This makes it incredibly useful for tracking where a device has been used—whether for forensic investigations or enterprise-level monitoring.
Exceptions and Windows-Generated Identifiers
Unfortunately, not all USB devices report an iSerialNumber. If the device lacks this value, Windows generates an identifier for it. You can recognize these by the second character of the identifier: Windows-generated IDs have an ampersand (&) in that position.

For profiling on a single system, it doesn’t matter whether the identifier is hardware-based or Windows-generated, as both will uniquely identify the device on that system. However, tracking the same device across multiple systems can be problematic if it lacks a unique iSerialNumber since Windows will assign a different identifier on each system.
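
The second-character rule and the cross-system caveat above, as an added example (not code from the original post). It assumes the identifiers were collected as USBSTOR-style device instance IDs and that Windows appends an "&<n>" suffix to hardware serials there; host names, models and serials are constructed.

```python
import re
from collections import defaultdict

# USBSTOR instance ID layout: USBSTOR\<type>&Ven_..&Prod_..&Rev_..\<instance>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\[^&\\]+&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_[^&\\]*\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

def parse_instance(path):
    """Split a USBSTOR instance ID and classify its last component."""
    m = INSTANCE_RE.match(path.strip())
    if not m:
        raise ValueError(f"not a USBSTOR instance ID: {path!r}")
    instance = m.group("instance")
    # Article's rule: '&' as the second character means Windows generated
    # the identifier because the device reported no iSerialNumber.
    generated = len(instance) > 1 and instance[1] == "&"
    # Assumption: a hardware serial is followed by a Windows-added "&<n>" suffix.
    ident = instance if generated else instance.rsplit("&", 1)[0]
    return {"vendor": m.group("vendor"), "product": m.group("product"),
            "id": ident, "windows_generated": generated}

def correlate(sightings):
    """Return ({hardware serial: hosts}, [(host, Windows-generated id)])."""
    by_serial, local_only = defaultdict(set), []
    for host, path in sightings:
        dev = parse_instance(path)
        if dev["windows_generated"]:
            # Only meaningful on the host that generated it.
            local_only.append((host, dev["id"]))
        else:
            by_serial[dev["id"]].add(host)
    return dict(by_serial), local_only

# Constructed sample data: host names, models and serials are made up.
SIGHTINGS = [
    ("WS-01", r"USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\4C530001230415117382&0"),
    ("WS-02", r"USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\4C530001230415117382&0"),
    ("WS-01", r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a4b6c8d&0"),
    ("WS-02", r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1f3e5d7c&0"),
]

if __name__ == "__main__":
    tracked, local_only = correlate(SIGHTINGS)
    for serial, hosts in tracked.items():
        print(serial, "seen on", sorted(hosts))
    for host, ident in local_only:
        print(ident, "is host-local to", host)
```

The two "Generic" entries may be the same physical stick, but the identifiers alone cannot show it; that is where VID/PID, volume names and the Volume Serial Number come in.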
--------------------------------------------------------------------------------------------------------
Challenges with Poorly Designed Devices
Low-quality USB devices or adapters can cause confusion. They might report inconsistent identifiers, even on the same system. This can make a single device appear as multiple devices. When this happens, you’ll need to rely on other identifiers like Vendor ID (VID), Product ID (PID), volume names, or the Volume Serial Number to clarify things.
Extracting the iSerialNumber
If you need to retrieve the iSerialNumber from a physical device, you have a few options.
Using Hardware Tools
A USB write blocker or similar device is the safest way to extract the iSerialNumber.
Using Software Tools
You can also use tools like Microsoft’s USBView (part of the Windows Software Development Kit).
Physical Inspection
Sometimes, USB devices have identifying information engraved on their casing. However, be cautious—this number doesn’t always match the actual iSerialNumber stored in the hardware.
-------------------------------------------------------------------------------------------------------------
The SCSI Serial Number: An Alternate Identifier
In addition to the iSerialNumber, USB devices often have another serial number called the SCSI Serial Number. Here’s how the two differ:
The iSerialNumber is used by the USB subsystem and is typically stored in the device descriptor.
The SCSI Serial Number comes from the device’s storage subsystem.
These numbers may not match, and forensic tools can sometimes show one but not the other. This can create challenges when trying to correlate data between system logs and the Windows Registry.
How to Identify Both Serial Numbers
Starting with Windows 10, Microsoft’s Partition/Diagnostic Event Log provides detailed information about connected devices, including both the iSerialNumber and the SCSI Serial Number. Here’s how you can access them:
Run this PowerShell command with a USB device plugged in:
Get-WmiObject win32_diskdrive | select-object model, serialnumber, pnpdeviceid, deviceid

Open the Microsoft-Windows-Partition/Diagnostic.evtx log. You’ll find:
The iSerialNumber (under the "ParentId" field)
The SCSI Serial Number (under "SerialNumber")

You can also cross-reference these with other details like the VID, PID, a

and device capacity to distinguish devices.
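
An added example (not from the original post) that pulls both serial numbers out of one Partition/Diagnostic record rendered as XML. It uses the ParentId and SerialNumber fields named above; the EventData/Data layout and the USB\VID_xxxx&PID_xxxx\<instance> shape of ParentId are assumptions, and the sample event is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PARENT_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>[^\\]+)$",
    re.IGNORECASE,
)

def device_ids(event_xml):
    """Pull the USB-level and storage-level identifiers out of one event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("./e:EventData/e:Data", NS)}
    m = PARENT_RE.match(data.get("ParentId", ""))
    if m is None:
        return None  # ParentId missing or not a USB\VID_..&PID_.. path
    stamp = root.find("./e:System/e:TimeCreated", NS)
    inst, scsi = m.group("inst"), data.get("SerialNumber", "")
    return {
        "time": stamp.get("SystemTime") if stamp is not None else None,
        "vid": m.group("vid").upper(),
        "pid": m.group("pid").upper(),
        "iserial": inst,       # last component of ParentId
        "scsi_serial": scsi,   # SerialNumber field
        # '&' in second position: Windows-generated, not a hardware serial.
        "windows_generated": len(inst) > 1 and inst[1] == "&",
        "serials_match": inst.casefold() == scsi.casefold(),
    }

# Constructed event (all values made up; real records have more fields).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2024-02-20T09:14:03.1234567Z"/>
  </System>
  <EventData>
    <Data Name="SerialNumber">WX71A0000001</Data>
    <Data Name="ParentId">USB\VID_1234&amp;PID_ABCD\0123456789AB</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(device_ids(SAMPLE_EVENT))
```

Keeping both values in the same row is what lets you match a registry entry that shows only the iSerialNumber against a tool report that shows only the SCSI Serial Number.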
-------------------------------------------------------------------------------------------------------------
When dealing with USB devices, it's essential to recognize the difference between standard USB devices and USB Attached SCSI (UASP) devices.
Windows records information about UASP devices under the
SYSTEM\<CurrentControlSet>\Enum\SCSI key,
which requires some unique steps to extract useful forensic data.
Profiling UASP Devices: Step-by-Step
Identify the Device
Look for your device under
SYSTEM\<CurrentControlSet>\Enum\USB.
If the Service value references UASPStor and the DeviceDesc mentions UASP, you’ve found a UASP device.

Note the ParentIdPrefix value; it’s a key link to finding related data in the SCSI registry key.
Correlate Data in the SCSI Key
Use the ParentIdPrefix value to find the matching entry under
SYSTEM\<CurrentControlSet>\Enum\SCSI.
This key will reveal manufacturer details, product information, and additional timestamps for the device. Pay special attention to the DiskID and iSerialNumber.

Note: Windows prepends to iSerialNumbers for UASP devices.
Use Tools for Simplified Analysis
Tools like Registry Explorer offer plugins to simplify analysis of the SCSI key, providing extracted information in a table format for easier documentation.
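
The correlation steps above, as an added example (not from the original post). It assumes the Enum\USB and Enum\SCSI keys have been exported to .reg text and that a SCSI instance subkey name begins with the USB parent's ParentIdPrefix followed by "&"; the sample export is constructed.

```python
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Parse .reg export text into {key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VAL_RE.match(line)):
            # String data in .reg files has its backslashes doubled.
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def profile_uasp(keys):
    """Link each UASP device in the USB key to its SCSI instance keys."""
    found = []
    for path, vals in keys.items():
        if "\\enum\\usb\\" not in path.lower():
            continue
        if vals.get("Service", "").lower() != "uaspstor":
            continue
        prefix = vals.get("ParentIdPrefix", "")
        # Assumption: the SCSI instance subkey name starts with "<ParentIdPrefix>&".
        scsi = [p for p in keys
                if prefix and "\\enum\\scsi\\" in p.lower()
                and p.rsplit("\\", 1)[1].lower().startswith(prefix.lower() + "&")]
        found.append({"usb_key": path, "parent_id_prefix": prefix, "scsi_keys": scsi})
    return found

# Constructed export: device names, IDs and serials are made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_ABCD\0123456789AB]
"Service"="UASPStor"
"ParentIdPrefix"="6&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_0001\AA00000000000489]
"Service"="USBSTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_ExampleCo&Prod_Portable_SSD\6&1a2b3c4d&0&000000]
"FriendlyName"="ExampleCo Portable SSD SCSI Disk Device"
"""

if __name__ == "__main__":
    for dev in profile_uasp(parse_reg(SAMPLE_REG)):
        print(dev["usb_key"], "->", dev["scsi_keys"])
```

A UASP entry that comes back with an empty scsi_keys list is worth noting in itself, since the SCSI key is one of those affected by the cleanup described below.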
-------------------------------------------------------------------------------------------------------------
Handling Windows USB Cleanup Activities
Recent versions of Windows have implemented cleanup mechanisms that can impact USB-related forensic evidence. Here’s what you need to know:
Scheduled Cleanup Tasks
Early versions of Windows 10 (and Windows 8) used the Plug and Play Cleanup task to remove USB-related data for devices not detected in the last 30 days.
Later versions of Windows 10 removed this specific task but introduced similar cleanup during major updates.
This cleanup means USB artifacts may only persist until the next major Windows update, especially in keys like USBSTOR, USB, SCSI, and even the critical Microsoft-Windows-Partition/Diagnostic log.
Keys and Logs That Survive Cleanup
Some artifacts remain even after cleanup routines, providing critical data for forensic profiling:
MountedDevices: Tracks drive letters and volume information.
Windows Portable Devices: Identifies devices used on the system.
MountPoints2: Logs drive mount points for user-specific activity.
setupapi.dev.log: Records device installation and removal events (though only for a limited time).
Volume Shadow Copies: Stores older versions of registry keys and logs, often allowing recovery of deleted artifacts.
-------------------------------------------------------------------------------------------------------------
Recovering Data from Cleanup with DeviceMigration Keys
Windows archives device data during cleanup or updates in the DeviceMigration keys. These keys allow forensic analysts to go back in time and recover information about devices previously connected to the system.
Key locations include:
SYSTEM\<CurrentControlSet>\Control\DeviceMigration
SYSTEM\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration
What Can You Extract?
While not all original data is retained, these keys store:
Manufacturer and Product Information
VID/PID
iSerialNumber
ParentIdPrefix
DiskID
LastPresentDate: A 64-bit timestamp showing when the device was last connected.
-------------------------------------------------------------------------------------------------------------
Best Practices for Forensic USB Analysis
Correlate Data Sources
Use DeviceMigration keys to cross-reference older device data with other longer-lasting keys like MountedDevices or MountPoints2. This helps identify details like drive letters, volume names, and user-specific usage.
Utilize Archived Data
Windows.old Folder: Created during major updates, it contains older versions of registry hives and logs that may still hold critical USB-related data.
Volume Shadow Copies: If enabled, these snapshots allow you to recover older file system and registry data.
Leverage Forensic Logs
Logs like setupapi.dev.log and event logs (other than Microsoft-Windows-Partition/Diagnostic) remain useful even after cleanup, though their retention period is often limited.
-------------------------------------------------------------------------------------------------------------
Conclusion:
By understanding UASP device profiling, cleanup mechanisms, and how to recover deleted artifacts, forensic analysts can still extract valuable information even in challenging scenarios.
-------------------------------------------------------Dean--------------------------------