![](https://static.wixstatic.com/media/5fb032_df6748ef48534e80b0f5d6c8655c66f3~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_df6748ef48534e80b0f5d6c8655c66f3~mv2.jpg)
Volume Name
When performing a forensic examination of connected devices, one of the key pieces of information we aim to gather is the volume name associated with the device. However, it’s important to note that not all device types maintain volume names, and these names are not always mandatory. In some cases, if a device does not have a volume name, Windows will record the last mounted drive letter instead.
Windows Portable Devices registry key
This key stores valuable information about each device connected to the system, including the Device ID and iSerialNumber for each device. If a device has a volume name, it will be recorded here under the FriendlyName value.
SOFTWARE\Microsoft\Windows Portable Devices\Devices
You can also grab the Volume Name and GUID, which can be handy for future reference.
As I was doing the analysis, I recommend noting down the iSerialNumber as well as the DiskID to match the information in Windows Portable Devices.
![](https://static.wixstatic.com/media/5fb032_6a0747a6f028459bbd372388debe82f0~mv2.png/v1/fill/w_980,h_541,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/5fb032_6a0747a6f028459bbd372388debe82f0~mv2.png)
My personal recommendation: use Registry Explorer; this tool does all the work for you.
---------------------------------------------------------------------------------------------------------
Different Device Classes
Different device classes (e.g., USBSTOR, MSC, MTP) store varying amounts of data in the registry. USBSTOR devices are typically the most complete, providing Device ID, iSerialNumber, and FriendlyName.
For other devices like smartphones using MTP, or UASP drives, less information might be available. If you encounter a device that’s missing critical information, dig into the raw sub-keys where you might find additional identifiers like VID (Vendor ID), PID (Product ID), or even DiskID for certain devices.
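An added example, not part of the original post: Python that takes device subkey names and FriendlyName values exported from the Windows Portable Devices key and splits them into the identifiers discussed above (vendor, product, iSerialNumber, VID/PID, volume name or last drive letter). The rows are constructed, and the subkey name layouts (SWD#WPDBUSENUM#..._USBSTOR#... and USB#VID_...&PID_...) are assumptions based on commonly seen forms; adjust the patterns to what your hive shows.

```python
import re

# Constructed sample rows (subkey name, FriendlyName) in the shape of an export from
# SOFTWARE\Microsoft\Windows Portable Devices\Devices. All values are made up.
SAMPLE_ROWS = [
    ("SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_EXAMPLE&PROD_CARD_READER&REV_1.00"
     "#AA11BB22CC33&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}", "SD_FILES"),
    ("SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_EXAMPLE&PROD_FLASH&REV_2.00"
     "#7&1F2E3D4C&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}", "E:\\"),
    ("USB#VID_1234&PID_ABCD#0123456789", "EXAMPLE_PHONE"),
]

# Assumed layouts: USBSTOR#<type>&VEN_<v>&PROD_<p>&REV_<r>#<serial>&<n>#{guid}
USBSTOR_RE = re.compile(
    r"USBSTOR#(?P<type>[^&#]+)&VEN_(?P<vendor>[^&#]*)&PROD_(?P<product>[^&#]*)"
    r"(?:&REV_(?P<rev>[^&#]*))?#(?P<serial>[^#]+)", re.IGNORECASE)
VID_PID_RE = re.compile(r"VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})", re.IGNORECASE)
DRIVE_LETTER_RE = re.compile(r"^[A-Za-z]:\\?$")


def profile_device(subkey, friendly_name):
    """Split one device subkey name and its FriendlyName into profiling fields."""
    info = {"device_class": "other", "vendor": None, "product": None, "serial": None,
            "serial_generated": None, "vid": None, "pid": None}
    usbstor = USBSTOR_RE.search(subkey)
    if usbstor:
        # Drop the trailing "&<n>" suffix that follows the serial in the instance ID.
        serial = usbstor["serial"].rsplit("&", 1)[0]
        # "&" as the second character means Windows generated the identifier because
        # the device reported no unique iSerialNumber.
        info.update(device_class="USBSTOR", vendor=usbstor["vendor"],
                    product=usbstor["product"], serial=serial,
                    serial_generated=serial[1:2] == "&")
    ids = VID_PID_RE.search(subkey)
    if ids:
        info.update(vid=ids["vid"].upper(), pid=ids["pid"].upper())
    # FriendlyName holds the volume name, or the last mounted drive letter if none.
    is_letter = bool(DRIVE_LETTER_RE.match(friendly_name))
    info["volume_name"] = None if is_letter else friendly_name
    info["last_drive_letter"] = friendly_name[0].upper() if is_letter else None
    return info


def profile_all(rows):
    return [profile_device(subkey, name) for subkey, name in rows]


if __name__ == "__main__":
    for row in profile_all(SAMPLE_ROWS):
        print(row)
```

A serial flagged as Windows-generated is only stable for that machine and port, so do not use it to match the same device across systems.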
---------------------------------------------------------------------------------------------------------
Handling SD Cards
Interestingly, SD cards can also be tracked in this registry key, even though they are not USB devices. If an SD card is connected through an SD card reader, you might find its associated volume name under the Windows Portable Devices key as well. For instance, you could see a volume name like "SD_FILES" for the attached SD card, which could be valuable for profiling purposes.
---------------------------------------------------------------------------------------------------------
LNK Files to the Rescue
Even if the drive letter isn't directly mapped, don't lose hope! Many LNK files include the Volume Name, sometimes alongside the drive letter. With timestamp analysis and LNK file correlation, you can often deduce the potential drive letter.
---------------------------------------------------------------------------------------------------------
Conclusion
When profiling devices through the Windows registry, the volume name can be a critical piece of evidence, especially when tracking devices that are used for malicious purposes or when identifying artifacts left behind by terminated employees.
By focusing on the FriendlyName value under the Windows Portable Devices key, you can gather valuable information about the device, including its volume name, which can later be used to cross-reference other data and build a complete profile of the device’s activity on the system.
-------------------------------------------Dean-------------------------------------------