The Difference Between The Device and Volume Serial Numbers on a USB Device

A USB device normally contains 2 unique serial number identifiers, a device serial number and a volume serial number. The device serial number is embedded within the firmware of the device and is only visible from an examination of the device itself, whereas the volume serial number is accessible from a physical forensic image and relates to the time and date of the FAT or NTFS file system used to format it.

The device serial number can be viewed by using 'right-click', 'Properties' and 'Details' within Windows Explorer on the device whilst it is connected; alternatively, it is possible to use software such as USBDeview.

When conducting an examination of a Windows-based computer, the main locations that may contain evidence to indicate the devices connected to the system are as follows:

To identify the device serial number, review the path \CurrentControlSet\Enum\USBSTOR within the SYSTEM file located in the directory \Windows\System32\Config\, and the EMDMgmt entry at \Microsoft\Windows NT\CurrentVersion\ within the SOFTWARE file located in the same directory.

To identify the volume name of the device, review the entry named Devices at the path \Microsoft\Windows Portable Devices\ within the SOFTWARE file located at \Windows\System32\Config\.

The Volume GUID is a unique identifier assigned by Windows to each USB device. It is available within the MountedDevices entry of the SYSTEM file at \Windows\System32\Config\.

The manufacturer and Product ID of the device are available within \CurrentControlSet\Enum\USB in the SYSTEM file at \Windows\System32\Config\.

The first time that the device was connected to the system can be identified by reviewing the USBSTOR entry at \CurrentControlSet\Enum\ within the SYSTEM file at \Windows\System32\Config\, as well as the \Windows\inf\ directory.

By reviewing the MountPoints2 entry located within the NTUSER.DAT hive file for a specific user at \Software\Microsoft\Windows\CurrentVersion\Explorer\, it is possible to identify when the device (from the GUID) was last connected and which user profile was active on the computer at that time.

The time that the device was last connected to the system can be found from the USB entry within the \CurrentControlSet\Enum\ path of the same SYSTEM file.
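The correlation described above (USBSTOR serial, then MountedDevices Volume GUID, then a user's MountPoints2) can be scripted once the keys have been exported from the hives. The following is an added example, not code from the original page: the sample data is constructed, the function names are hypothetical, and it assumes the MountedDevices value data for a USB volume is a UTF-16LE device path containing the serial.

```python
import re

# Constructed sample data standing in for values exported from the hive files.
USBSTOR_KEYS = [  # SYSTEM: \CurrentControlSet\Enum\USBSTOR\<device>\<instance>
    r"Disk&Ven_Example&Prod_FlashDrive&Rev_1.00\AA00000000001234&0",
    r"Disk&Ven_Generic&Prod_Storage&Rev_0.01\7&1a2b3c4d&0",
]
MOUNTED_DEVICES = {  # SYSTEM: MountedDevices value name -> raw value data
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": (
        "_??_USBSTOR#Disk&Ven_Example&Prod_FlashDrive&Rev_1.00"
        "#AA00000000001234&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d40000100000000000"),  # fixed disk
}
MOUNTPOINTS2 = {  # user -> subkey names under ...\Explorer\MountPoints2 (NTUSER.DAT)
    "alice": ["{11111111-2222-3333-4444-555555555555}"],
    "bob": ["{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"],
}

def parse_usbstor(key):
    """Split a USBSTOR key path into vendor, product, revision and serial."""
    device, instance = key.split("\\")
    fields = dict(re.findall(r"(Ven|Prod|Rev)_([^&]*)", device))
    return {
        "vendor": fields.get("Ven"), "product": fields.get("Prod"),
        "revision": fields.get("Rev"),
        "serial": instance.rsplit("&", 1)[0],  # drop the suffix Windows appends
        # '&' as the second character means Windows generated the identifier
        # because the device did not report a unique serial number.
        "unique": instance[1:2] != "&",
    }

def volume_guids(serial):
    """Volume GUIDs whose MountedDevices data names this USBSTOR serial."""
    hits = []
    for name, data in MOUNTED_DEVICES.items():
        text = data.decode("utf-16-le", errors="replace")
        guid = re.search(r"\{[0-9a-fA-F-]{36}\}", name)
        if guid and "USBSTOR#" in text and f"#{serial}&" in text:
            hits.append(guid.group(0).lower())
    return hits

def correlate():
    """Link each USBSTOR device to its volume GUIDs and the users who mounted it."""
    report = []
    for key in USBSTOR_KEYS:
        dev = parse_usbstor(key)
        dev["volumes"] = {g: sorted(u for u, ks in MOUNTPOINTS2.items()
                                    if g in (k.lower() for k in ks))
                          for g in volume_guids(dev["serial"])}
        report.append(dev)
    return report

if __name__ == "__main__":
    for entry in correlate():
        print(entry)
```

A device flagged `unique: False` cannot be tied to a physical drive by serial alone, so the remaining artefacts carry more weight in that case.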