
USB Key analysis: Volume Names, GUID

Windows 7-10: GUID and Volume Name

In newer Windows versions (Win7-Win10), there's a nifty key that logs the Volume Name and GUID for each connected device:


SOFTWARE\Microsoft\Windows Portable Devices\Devices


From the same key you can also pull the Volume Name and GUID of each device, which is handy to note down for later correlation.


(Screenshot: another example, taking the recorded value for further analysis.)


The Win7 Challenge

Windows 7 adds a twist. Not every device will have its last drive letter recorded in the Windows Portable Devices key. In such cases, you might need to cross-reference with the MountedDevices key using the device GUID to find the last mount point.
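As an added example (not code from the original post), here is how that cross-reference can be scripted once both keys have been exported: it parses the USBSTOR device-instance segment embedded in each Windows Portable Devices\Devices subkey name and matches its serial number against the UTF-16LE device paths stored under SYSTEM\MountedDevices, returning the last drive letter and volume GUID for each volume name. Correlating on the USBSTOR serial rather than on the GUID, the subkey-name layout, and all sample values are assumptions of this example; the dicts stand in for whatever your registry parser returns.

```python
import re

# USBSTOR device-instance segment present in both the WPD subkey name and the
# MountedDevices data; the serial number is the stable token we correlate on.
USBSTOR_RE = re.compile(
    r"USBSTOR#DISK&VEN_(?P<vendor>[^&]+)&PROD_(?P<product>[^&]+)&REV_[^#]+"
    r"#(?P<serial>[^&#]+)&\d+#", re.IGNORECASE)

def parse_usbstor_path(path):
    """vendor/product/serial from a USBSTOR path; None for non-USBSTOR (e.g. MTP phone)."""
    m = USBSTOR_RE.search(path)
    return m.groupdict() if m else None

def correlate(wpd_devices, mounted_devices):
    """Join WPD Devices subkeys (name -> FriendlyName) with MountedDevices (name -> raw data)."""
    found = []
    for subkey, friendly in wpd_devices.items():
        info = parse_usbstor_path(subkey)
        if info is None:
            continue
        dev = dict(volume_name=friendly, **info, drive_letters=[], volume_guids=[])
        for value_name, data in mounted_devices.items():
            # fixed-disk entries are a 12-byte signature+offset, not a UTF-16LE path
            text = data.decode("utf-16-le", errors="ignore")
            if info["serial"].lower() not in text.lower():
                continue
            if value_name.startswith("\\DosDevices\\"):
                dev["drive_letters"].append(value_name.rsplit("\\", 1)[1])
            elif value_name.startswith("\\??\\Volume{"):
                dev["volume_guids"].append(value_name[len("\\??\\Volume"):])
        found.append(dev)
    return found

# Constructed sample data, not captured from a real system. Windows Portable
# Devices\Devices subkey name -> FriendlyName (the volume name the post describes).
SANDISK = "USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230105117304&0#"
KINGSTON = "USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0019E06B09D1A0F1&0#"
SAMPLE_WPD = {
    "SWD#WPDBUSENUM#_??_" + SANDISK.upper(): "SANDISK_USB",
    "SWD#WPDBUSENUM#_??_" + KINGSTON.upper(): "KINGSTON",
    "USB#VID_18D1&PID_4EE1#0123456789ABCDEF#": "Pixel",   # MTP phone, not USBSTOR
}
# MountedDevices value name -> raw data (USB entries hold the UTF-16LE device path).
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),      # fixed disk
    "\\DosDevices\\E:": ("_??_" + SANDISK).encode("utf-16-le"),
    "\\??\\Volume{1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b}": ("_??_" + SANDISK).encode("utf-16-le"),
    "\\??\\Volume{9a8b7c6d-5e4f-4321-b0a9-8f7e6d5c4b3a}": ("_??_" + KINGSTON).encode("utf-16-le"),
}
```

In the sample the Kingston stick has a volume GUID but no \DosDevices entry, which is exactly the Win7 case above where the last drive letter must be deduced by other means.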


The Windows XP Dilemma

For those still dealing with Windows XP, the game changes a bit. The drive letter won't be in the Windows Portable Devices key, but you'll still find the Volume Name. This is where temporal analysis comes into play.


LNK Files to the Rescue

Even if the drive letter isn't directly mapped, don't lose hope! Many LNK files in the Recent folder on the Windows machine will include the Volume Name, sometimes alongside the drive letter. With timestamp analysis and LNK file correlation, you can often deduce the potential drive letter.


Time Isn't Always of the Essence

Interestingly, this Volume Name and drive letter data seems to stick around longer than the usual 30-day limit set for USB and USBSTOR registry keys. Plus, it dodges the Plug and Play Cleanup task, making it a more stable source of information.


Windows 10 Example

Here's how it looks on Windows 10:

  • Windows Portable Devices Key: You'll find the Volume Name here.

  • Drive Letter: Unfortunately, not listed directly. But armed with the Volume Name, you can often trace it back using Shell Item historical information.


I will continue in another blog post on how to identify the drive letter.


Akash Patel


