🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Key Identification
  • Overview
  • Analyzing The Artifact
  • Tools for Analysis
  • Practical Use Case

Was this helpful?

  1. Windows Artifacts
  2. USB Usage

Drive Letter and Volume Name

This information can be used to trace file access, transfer activities, and to identify specific devices used during a session. The methods to discover this information vary across different versions of Windows.

Key Identification

Artifact Locations

  • XP

    • USBSTOR for ParentIdPrefix: SYSTEM\CurrentControlSet\Enum\USBSTOR

    • MountedDevices for Last Mount Point: SYSTEM\MountedDevices

  • Windows 7 and Above

    • Windows Portable Devices: SOFTWARE\Microsoft\Windows Portable Devices\Devices

    • MountedDevices for Drive Letters: SYSTEM\MountedDevices

    • VolumeInfoCache for Last USB Drive Letter: SOFTWARE\Microsoft\Windows Search\VolumeInfoCache

Critical Information

  • The ParentIdPrefix found under USBSTOR is essential for identifying the device in MountedDevices.

  • In Windows XP, the ParentIdPrefix is used to find the last mount point via SYSTEM\MountedDevices.

  • For Windows 7 and newer versions, additional locations such as Windows Portable Devices and VolumeInfoCache offer insights into device connections.

  • MountedDevices contains mappings for drive letters to volume names, useful for identifying the last known drive letter assigned to a USB device.

  • The VolumeInfoCache key may only reveal the last USB device mapped to a specific drive letter, without historical records.

Overview

Drive Letter and Volume Name Association

The association between USB devices and their drive letters or volume names involves examining specific Registry keys that record these mappings. This process can help in identifying where a USB device was recognized in the system's file structure during its last connection.

Windows XP

In Windows XP, the process involves two steps:

  1. Identify the ParentIdPrefix: Locate the device's ParentIdPrefix in SYSTEM\CurrentControlSet\Enum\USBSTOR.

  2. Discover the Last Mount Point: Use the ParentIdPrefix to search in SYSTEM\MountedDevices for corresponding entries that indicate the last drive letter and volume name used by the device.

Windows 7 and Newer

For Windows 7 and newer versions, the analysis includes additional Registry keys:

  • Windows Portable Devices: This key offers information on portable devices, including USB drives, connected to the system.

  • MountedDevices: Similar to XP, this key provides mappings for drive letters to volume names. Analysts look for a serial number match within the value data to identify the drive letter used by a USB device.

  • VolumeInfoCache: Offers details on the volume information of the last USB device mapped to a specific drive letter. Unlike MountedDevices, this key does not provide historical mapping records.

Analyzing The Artifact

  1. For Windows XP:

    • Retrieve the ParentIdPrefix from USBSTOR.

    • Search SYSTEM\MountedDevices using the ParentIdPrefix to find the device's last mount point.

  2. For Windows 7+:

    • Inspect SOFTWARE\Microsoft\Windows Portable Devices\Devices for device entries.

    • Review SYSTEM\MountedDevices for drive letter mappings, looking for serial number matches.

    • Check SOFTWARE\Microsoft\Windows Search\VolumeInfoCache for the last drive letter associated with a USB device.

Tools for Analysis

  • RegRipper: Can automate the extraction of drive letter associations from the Registry.

  • Windows Registry Editor (regedit): Manually navigate the Registry to find the relevant keys and values.

  • Forensic Tools: Tools like FTK or EnCase can search the Registry within a forensic image to find these artifacts.

Practical Use Case

In an investigation involving unauthorized data transfer, identifying the drive letter and volume name associated with a USB device can help track the movement of files to and from the device. By correlating this information with file access logs and timestamps, forensic analysts can construct a timeline of events, potentially identifying malicious activity or policy violations.

This detailed approach to analyzing USB drive letter and volume name mappings in Windows systems provides forensic analysts with the capability to trace device connections and interactions, aiding in the reconstruction of digital events.

PreviousKey IdentificationNextConnection Timestamps

Last updated 1 year ago

Was this helpful?