3/20/2021

Volume Serial Number USB

Matt Graeber pointed out some of the data the Microsoft-Windows-Partition/Diagnostic event log contains in October 2017, and Harlan followed up shortly thereafter, but there does not appear to be much information available beyond that, particularly on how this event log can be leveraged in USB device investigations. When viewed in the Windows Event Viewer, the default General view of these records (Event ID 1006) is not especially helpful, but the Details view includes many useful pieces of information about the connected device. Unfortunately, this log appears to be cleared when a major Windows update (such as the Fall Creators Update) is applied, so the current log will likely not contain records dating from before the most recent major update.

The records that are present, however, can provide a substantial amount of information about a particular device, including device identifiers, connection times, disconnection times, the device's volume boot record (VBR), its master boot record (MBR), and more. The VBR field (`Vbr0` in the XML view) holds a hexadecimal string of the entire VBR of the device. This matters in USB device investigations because the VBR contains, among many other things, the volume serial number (VSN). If the USB device has a FAT-formatted file system, the volume label is also available from the VBR: on FAT12/16 the 4-byte VSN and the 11-byte label sit at offsets 0x27 and 0x2B, on FAT32 at 0x43 and 0x47, and an NTFS VBR carries an 8-byte serial number at offset 0x48 and no label.

The EMDMgmt subkey of the SOFTWARE hive (`Microsoft\Windows NT\CurrentVersion\EMDMgmt`, populated by ReadyBoost) may also record the volume serial number of connected devices, as a decimal value at the end of each subkey name, but it is not populated in some circumstances, including when Windows detects that it is installed on a solid-state drive, where ReadyBoost is disabled. Given the proliferation of SSDs, the overall usefulness of the EMDMgmt subkey is declining. The good news is that even as a device's VSN becomes less available from EMDMgmt, it may still be recoverable from the Partition/Diagnostic event log. A practical check when correlating the two sources: convert the VSN decoded from the VBR to decimal and compare it with the EMDMgmt subkey names, and to the `XXXX-XXXX` hex form that `vol` or `dir` displays. Another option is to use a USB device forensics tool that handles the extraction, parsing, and correlation of all of this information for you (such as USB Detective).

In addition to the device's volume boot record, there are other pieces of useful information that can be harvested from the Partition/Diagnostic event log. I plan to cover some of the other parts in follow-up posts; stay tuned for a breakdown of those bits.

Any material on this blog, especially related to technology and/or forensic methodology, should not be assumed to be true in all possible scenarios. As always, test any theories, ideas, or tools from this blog in your own environment before stating them or the results therefrom as factual.
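The following is an added example, not code from this blog or from USB Detective, showing how the VBR hex string copied from the event's Details view can be decoded into the VSN (in both the `XXXX-XXXX` form Windows displays and the decimal form used in EMDMgmt subkey names) and, for FAT volumes, the label. The sample VBRs it parses are constructed in `build_sample_vbr` with only the fields the parser reads; they are not captures from a real device. One assumption is flagged in the code: that the 4-byte VSN Windows shows for an NTFS volume is the low-order 32 bits of the 8-byte serial at offset 0x48.

```python
import struct

# Offsets of the extended BPB fields in a FAT VBR (FAT12/16 vs FAT32) and of the
# 8-byte serial number in an NTFS VBR.  These are the standard on-disk layouts.
_FAT16_LAYOUT = {"ext_sig": 0x26, "vsn": 0x27, "label": 0x2B, "fstype": 0x36}
_FAT32_LAYOUT = {"ext_sig": 0x42, "vsn": 0x43, "label": 0x47, "fstype": 0x52}
_NTFS_SERIAL_OFFSET = 0x48


def format_vsn(vsn: int) -> str:
    """Render a 32-bit VSN the way `vol` / `dir` print it: XXXX-XXXX."""
    return f"{(vsn >> 16) & 0xFFFF:04X}-{vsn & 0xFFFF:04X}"


def parse_vbr(sector: bytes) -> dict:
    """Extract file system type, VSN and (for FAT) the volume label from one VBR sector."""
    if len(sector) < 512:
        raise ValueError("VBR shorter than one 512-byte sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not a boot sector")

    if sector[3:11] == b"NTFS    ":
        serial64 = struct.unpack_from("<Q", sector, _NTFS_SERIAL_OFFSET)[0]
        # Assumption: the 4-byte VSN Windows shows for NTFS is the low-order 32 bits
        # of this 8-byte field.  Verify against `vol` on a known volume before relying on it.
        vsn = serial64 & 0xFFFFFFFF
        return {"fs": "NTFS", "serial64": serial64, "vsn": vsn,
                "vsn_hex": format_vsn(vsn), "vsn_dec": vsn, "label": None}

    # FAT32 is checked first: its extended boot signature lives at 0x42, FAT12/16's at 0x26.
    if sector[_FAT32_LAYOUT["ext_sig"]] == 0x29 and sector[0x52:0x57] == b"FAT32":
        layout, fs = _FAT32_LAYOUT, "FAT32"
    elif sector[_FAT16_LAYOUT["ext_sig"]] == 0x29:
        layout = _FAT16_LAYOUT
        fstype = sector[layout["fstype"]:layout["fstype"] + 8]
        fs = fstype.decode("ascii", "replace").strip() or "FAT12/16"
    else:
        raise ValueError("no FAT extended boot signature (0x29) and not NTFS")

    vsn = struct.unpack_from("<I", sector, layout["vsn"])[0]
    label = sector[layout["label"]:layout["label"] + 11].decode("ascii", "replace").rstrip()
    return {"fs": fs, "serial64": None, "vsn": vsn,
            "vsn_hex": format_vsn(vsn), "vsn_dec": vsn, "label": label}


def parse_vbr_hex(vbr_hex: str) -> dict:
    """Accept the hex string as copied from the event's Details view (whitespace and 0x tolerated)."""
    cleaned = "".join(vbr_hex.split())
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    return parse_vbr(bytes.fromhex(cleaned))


def build_sample_vbr(kind: str, serial: int, label: str = "NO NAME") -> bytes:
    """Constructed test data: a minimal 512-byte VBR carrying only the fields this
    parser reads.  Not a capture from a real device."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x58\x90"                      # jump instruction, as real VBRs start
    padded_label = label.encode("ascii").ljust(11)[:11]
    if kind == "FAT32":
        s[3:11] = b"MSWIN4.1"
        s[0x42] = 0x29
        s[0x43:0x47] = struct.pack("<I", serial)
        s[0x47:0x52] = padded_label
        s[0x52:0x5A] = b"FAT32   "
    elif kind == "FAT16":
        s[3:11] = b"MSDOS5.0"
        s[0x26] = 0x29
        s[0x27:0x2B] = struct.pack("<I", serial)
        s[0x2B:0x36] = padded_label
        s[0x36:0x3E] = b"FAT16   "
    elif kind == "NTFS":
        s[3:11] = b"NTFS    "
        s[0x48:0x50] = struct.pack("<Q", serial)  # full 64-bit NTFS serial number
    else:
        raise ValueError(kind)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    for kind, serial, label in [("FAT32", 0xA1B2C3D4, "EVIDENCE"),
                                ("FAT16", 0x00001234, "NO NAME"),
                                ("NTFS", 0x58B6C8C9B6C8A6B3, "")]:
        hex_field = build_sample_vbr(kind, serial, label).hex().upper()
        r = parse_vbr_hex(hex_field)
        print(f"{r['fs']:<6} VSN {r['vsn_hex']}  EMDMgmt decimal {r['vsn_dec']}  label {r['label']!r}")
```

To use it on a real record, paste the VBR hex string from the event's Details view into `parse_vbr_hex`; the `vsn_dec` value is what to look for at the end of an EMDMgmt subkey name, and `vsn_hex` is what `vol` would have shown on the suspect machine. The boot-signature check is deliberate: the MBR field in the same event also ends in 0x55AA, so a failed FAT/NTFS detection usually means the wrong field was pasted.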