USB Forensics Pt. 1 Serial Number

Forensicating USB devices can be an arduous task, so I am going to break it down into byte-size (get it?) chunks.

To get the serial number from a USB device, we must start our investigation in the SYSTEM hive. Navigate to the following key:

SYSTEM\CurrentControlSet\Enum\USBSTOR

This key will display all of the USB devices plugged into the machine, regardless of user. The serial number will be a sub-key of the Device Class ID.

[Image: USBStor_Tree]

Here you can see that two USB devices have been installed on this machine: a Seagate FreeAgent device and a Generic device (a Generic device is not that uncommon; the serial number will help you to track the USB device through the artefacts).

Both of these devices have a unique serial number from their respective manufacturers. This can be seen by the &0 or &1 at the end of the serial number. If instead the second character is an &, then the device does not have a unique serial number and Windows has issued one, which is unique to the local system only.
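The naming rule above, as an added example that is not part of the original post: a Python function that splits a USBSTOR sub-key path into its Device Class ID and serial sub-key and flags IDs that Windows issued itself. The sample paths and serial values are constructed for illustration, and the `Ven_`/`Prod_`/`Rev_` layout of the Device Class ID is an assumption of this example.

```python
import re

# Assumed Device Class ID layout: <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
CLASS_ID = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$",
    re.I,
)

# Constructed sample paths (not taken from a real system)
SAMPLE_PATHS = [
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent&Rev_102D\2GE6ABCD&0",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f1a9c3b&0",
]


def parse_usbstor_path(path):
    """Split '...\\USBSTOR\\<class id>\\<serial sub-key>' into its fields."""
    parts = path.strip("\\").split("\\")
    # Locate USBSTOR wherever it sits, so other control set prefixes also work
    idx = [p.upper() for p in parts].index("USBSTOR")  # ValueError if absent
    if len(parts) < idx + 3:
        raise ValueError("path has no serial sub-key: " + path)
    class_id, instance = parts[idx + 1], parts[idx + 2]

    match = CLASS_ID.match(class_id)
    fields = ("type", "vendor", "product", "revision")
    info = match.groupdict() if match else dict.fromkeys(fields)

    # Rule from the article: '&' as the second character means Windows issued
    # the ID, so it is only unique to the local system.
    windows_generated = len(instance) > 1 and instance[1] == "&"
    info.update(
        class_id=class_id,
        instance_id=instance,
        windows_generated=windows_generated,
        # Manufacturer serial without the trailing '&0' / '&1', for matching
        # the same device in other artefacts
        serial=None if windows_generated else instance.rsplit("&", 1)[0],
    )
    return info


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(parse_usbstor_path(sample))
```
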
