USB Forensics Pt. 2 Vendor ID (VID) & Product ID (PID)

In Part 1 we discussed how to find the Unique Serial Number ID for the USB devices historically connected to the device you are investigating. The next step is a simple one: finding the VID & PID (I say simple; it’s simple when you know where to look and what you are looking at).

Where to look:

SYSTEM\CurrentControlSet\Enum\USB

This is the key directly above the USBSTOR key from the previous step. There will be more devices in this part of the tree, as it deals with all USB devices, not just those which can hold data. Finding the correct device requires a little manual searching: go through each key and expand it until you find the Serial Number matching the one in your notes. You can use CTRL+F to find it a little quicker, but it depends on how many keys are in the USB tree.

[Image: USB key tree showing the VID and PID]

On the highlighted key you can see that the subkey is named with the Serial Number ID we discovered in the previous post. The VID and PID are preceded by “VID_” and “PID_”, so our details are:

  • VID – 0bc2
  • PID – 2101

As the investigation continues, it is worth noting not only the details of what you found but exactly where it was found, the time stamp for the last write time, and any other details which you think “oh I will remember that, it’s easy”... No. Write it down!
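The manual search above can also be scripted over an exported list of key paths. This is an added example, not code from the original post: the export format (path plus last write time), the serial number and the timestamps are constructed placeholders, and it assumes the serial in your notes may still carry the "&0" suffix seen under USBSTOR.

```python
import re

# Instance keys look like ...\Enum\USB\VID_xxxx&PID_xxxx[&MI_xx]\<serial>
USB_KEY_RE = re.compile(
    r"\\Enum\\USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]*)?\\([^\\]+)$",
    re.IGNORECASE,
)


def normalise_serial(serial):
    """Lower-case the serial and drop a trailing '&0'-style suffix
    (assumption: notes taken from USBSTOR may still carry it)."""
    return re.sub(r"&\d+$", "", serial.strip()).lower()


def find_vid_pid(keys, serial):
    """keys: iterable of (key_path, last_write) pairs exported from the SYSTEM hive.
    Returns one record per USB instance key whose name matches the serial."""
    wanted = normalise_serial(serial)
    hits = []
    for path, last_write in keys:
        m = USB_KEY_RE.search(path)
        if m and m.group(3).lower() == wanted:
            hits.append({
                "vid": m.group(1).lower(),
                "pid": m.group(2).lower(),
                "key": path,               # exactly where it was found
                "last_write": last_write,  # key last write time, as exported
            })
    return hits


# Constructed sample export: the serial and timestamps are placeholders.
SAMPLE_KEYS = [
    (r"SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&1a2b3c4d&0", "2015-01-10T08:00:00Z"),
    (r"SYSTEM\CurrentControlSet\Enum\USB\VID_046D&PID_C077\5&2f1e0d9c&0&1", "2015-01-10T08:00:05Z"),
    (r"SYSTEM\CurrentControlSet\Enum\USB\VID_0BC2&PID_2101\EXAMPLESERIAL0001", "2015-02-03T14:21:09Z"),
    (r"SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Drive&Rev_0001\EXAMPLESERIAL0001&0",
     "2015-02-03T14:21:10Z"),
]

if __name__ == "__main__":
    for hit in find_vid_pid(SAMPLE_KEYS, "EXAMPLESERIAL0001&0"):
        print(hit)
```

Each returned record carries the full key path and last write time alongside the VID and PID, so it can go straight into your notes.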

Up to now we have:

  • Vendor
  • Make & Model
  • Serial Number
  • VID & PID

Onward to the next step!
