USB Forensics Pt. 2 Vendor ID (VID) & Product ID (PID)

In Part 1 we discussed how to find the unique serial number for the USB devices historically connected to the device you are investigating. The next step is a simple one: finding the VID & PID (I say simple; it’s simple when you know where to look and what you are looking at).

Where to look:

SYSTEM\CurrentControlSet\Enum\USB

This is the key directly above USBSTOR from the previous step. There will be more devices in this part of the tree, as it covers all USB devices, not just those which can hold data. Finding the correct device requires a little manual searching: go through each key and expand it until you find the Serial Number matching the one in your notes. You can use CTRL+F to find this a little quicker, but it depends on how many keys are in the USB tree.

[Screenshot: USB key tree showing the VID and PID]

On the highlighted key you can see that the subkey is named with the Serial Number ID we discovered in the previous post. The VID and PID are preceded by “VID_” and “PID_”, so our details are:

  • VID – 0bc2
  • PID – 2101

As the investigation continues it is worth noting not only the details of what you found, but exactly where it was found, the last write time stamp and any other details about which you think “oh I will remember that, it’s easy”... No. Write it down!
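The manual search above can be scripted once the key paths under Enum\USB have been listed from the hive. The following is an added example, not code from the original post: it matches the serial from your notes against the instance subkeys and returns the VID, PID and the key where they were found. The key paths, the serial `EXAMPLESERIAL01` and the handling of a trailing `&0` on the noted serial are assumptions made for illustration.

```python
import re

# Device-ID subkeys under Enum\USB start with VID_xxxx&PID_xxxx; composite
# devices may append extras such as &MI_00, hubs have no VID_/PID_ at all.
DEVICE_ID = re.compile(r"^VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
ENUM_USB = "\\enum\\usb\\"

# Constructed key paths; the serial is a made-up placeholder, not case data.
SAMPLE_KEYS = [
    r"SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&1a2b3c4d&0",
    r"SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_5678\5&2f0e9a11&0&1",
    r"SYSTEM\CurrentControlSet\Enum\USB\VID_0BC2&PID_2101\EXAMPLESERIAL01",
    r"SYSTEM\CurrentControlSet\Enum\USB\VID_0BC2&PID_2101\EXAMPLESERIAL01\Device Parameters",
    r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Drive&Rev_0001\EXAMPLESERIAL01&0",
]


def serial_candidates(serial):
    """Serial as noted, plus the same value without a trailing &<digits>
    (assumption: it may have been copied from a USBSTOR instance key)."""
    s = serial.strip().upper()
    return {s, re.sub(r"&\d+$", "", s)}


def find_vid_pid(key_paths, serial):
    """Return one finding per USB instance key whose name matches the serial."""
    wanted = serial_candidates(serial)
    findings, seen = [], set()
    for path in key_paths:
        pos = path.lower().find(ENUM_USB)
        if pos == -1:
            continue  # not under Enum\USB, e.g. a USBSTOR key
        parts = path[pos + len(ENUM_USB):].split("\\")
        match = DEVICE_ID.match(parts[0])
        if len(parts) < 2 or parts[1].upper() not in wanted or not match:
            continue  # no instance subkey, different device, or no VID_/PID_
        found_at = path[:pos + len(ENUM_USB)] + "\\".join(parts[:2])
        if found_at.upper() in seen:
            continue  # deeper subkey of an instance already recorded
        seen.add(found_at.upper())
        findings.append({"vid": match.group(1).lower(),
                         "pid": match.group(2).lower(),
                         "found_at": found_at})
    return findings


if __name__ == "__main__":
    for hit in find_vid_pid(SAMPLE_KEYS, "EXAMPLESERIAL01&0"):
        print(hit)
```

The `found_at` value is the exact key to copy into your notes; the last write time still has to be read from the hive itself, since a list of key paths does not carry it.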

Up to now we have:

  • Vendor
  • Make & Model
  • Serial Number
  • VID & PID

Onward to the next step!
