top of page
Jun 62 min read

USB Key Analysis: USBSTOR and USB


USBSTOR Registry Key

Where to Find USB Key Info:


  • Registry Key: SYSTEM\CurrentControlSet\Enum\USBSTOR

Disk&Ven :- Referred as Device class ID:

57583.. :- Referred as Unique device Serial


What's in a Serial Number?

According to Microsoft's USB FAQ, every USB device that wants to play nice with Windows needs a unique Serial Number. This number is like a fingerprint for the device—it helps Windows remember it and speed up future plug-ins.



Why Serial Numbers Matter:

  • Quick Recognition: Windows uses the Serial Number to recognize if the device has been plugged in before, making it quicker to connect next time.

  • Plug and Play: If the device has been recognized before, Windows won't waste time reinstalling drivers.

Watch Out for Clones!

Not all USB devices are created equal. If a Serial Number has an "&" in the second character (like 4&762219b0&0), it's a red flag. This means the device doesn't have a unique Serial Number and might not meet Microsoft's standards.


Handy Tips for Analysis:

  1. Search Smart: Use the "Find" option in Registry Explorer to search for keys with specific Serial Numbers across all loaded registry hives.

  2. Look Everywhere: Search in key names, value names, or value data to identify all relevant keys.

  3. Act Fast: Remember, this info might not stick around forever. On modern Windows 10 systems, the USBSTOR keys could be cleared after 30 days.


USB Registry Key:

The key under SYSTEM\CurrentControlSet\Enum\USB

not only stores the Serial Number (YID) and Product ID (PID) but also contains details about the device type.


The Serial Number Quirk

Here's the catch: Only MSC devices are required by Microsoft to have a unique Serial Number. So, for MTP and PTP devices, you might encounter more generic or even identical Serial Numbers.


What Else Can You Find?

This key is like a treasure trove for forensic investigators. Apart from storage devices, you can spot other gadgets like phones, tablets, and printers that were connected to the system—even if Windows didn't recognize them as mass storage devices.


Keep an Eye on the Clock

Remember, the data in these keys gets wiped out by the Plug and Play Cleanup task. On Windows 10, you might have only a 30-day window to access this information.


Decode YID and PID

If you stumble upon an unknown VID or PID, there's a handy website to help you out:

Just plug in the numbers, and it'll reveal the manufacturer and product details.


How to Proceed?

  1. Identify Device Type: Look for keys related to MSC, MTP, or PTP to determine the device class.

  2. Decode YID and PID: Visit the USB ID database to find out the manufacturer and product details.

  3. Record Everything: Note down all relevant keys, Serial Numbers, and other details for your forensic report.


By taking these extra steps, you can elevate your USB key analysis game, making it easier to identify and trace any device that's been connected to a system. Happy investigating! 🕵️‍♂️🔗


Akash Patel



29 views0 comments

Comments

bottom of page