On to Part 4 of our ongoing discoveries about USB forensics.
A quick recap
So far we have managed to get details of two devices that were connected to the machine we imaged. We have looked at how to get:
We are now going to move on to the Volume Serial Number. This is written by Windows Vista and later operating systems each time the volume is formatted. We will be looking in the EMDMgmt key for the Volume Serial Number; according to a Technet blog from around the Windows Vista era, this is where the operating system stores details regarding “Ready Boost”. The idea behind Ready Boost was to use external USB devices as additional memory to increase performance. It never really took off. In my opinion this is a good thing from a forensics standpoint: would we really want to be chasing down another USB device that has memory artefacts on it? I personally would rather have as much evidence in one place as possible, especially when it comes to large scale jobs.
USB Hard Drive vs. USB Stick
As I mentioned in Part 3, one of the devices we are looking at is a cylindrical hard drive. It will be interesting to see if its Volume Serial Number exists in this key, as obviously it won't be fast enough to pass the Ready Boost benchmark... let's go find out.
Navigate to the following key:
And you will see the following
As you can see, “My Drive”, which we identified as the hard drive, is listed, and above it we see “FOR408-USB”. So the answer is yes, it will be listed here!
I have highlighted the string at the end of the key name. This is the Volume Serial Number stored as a decimal value, whereas the Volume Serial Number is normally quoted in hexadecimal (isn't the registry fun...). Convert this decimal value into hex, using Windows Calculator is probably easiest, and you have your Volume Serial Number.
The Volume Serial Number of this device is “40034B65”. To confirm that this is correct there is another tool we can use, a command line tool called “Vol.exe”. This requires you to have the device connected, so use appropriate write protection and document when and why you did it. The output of Vol.exe is shown below:
As you can see, the Volume Serial Number matches what we worked out manually above. This shows that this device was installed on this machine and has not been formatted since (an important footnote: the Volume Serial Number of a device changes if it is formatted, as the Volume Serial Number is allocated after the format!).
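The decimal-to-hex step above is easy to get wrong by hand on a long list of keys, so here is a small Python parser that does it over constructed EMDMgmt subkey names. This is an added example, not code from the post; the key-name layout (device path, then a `{GUID}`, then the volume label, an underscore and the decimal serial), the vendor/product strings and the serial for “My Drive” are assumptions, and the decimal for FOR408-USB is simply 40034B65 converted.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subkey names in the assumed EMDMgmt layout:
#   "<device instance path>{<device-interface GUID>}<volume label>_<decimal VSN>"
# The vendor/product strings and the "My Drive" serial (0xDEADBEEF) are made up;
# 1073957733 is 0x40034B65, the serial worked out in the post.
SAMPLE_KEYS = [
    "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530000000001&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c93ec3b6}FOR408-USB_1073957733",
    "_??_USBSTOR#Disk&Ven_WD&Prod_My_Passport&Rev_1007#575833313131&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c93ec3b6}My Drive_3735928559",
    "_??_Volume{12345678-1234-1234-1234-123456789abc}_0",  # no label, serial 0
]


def parse_emdmgmt_key(name: str) -> Optional[Tuple[str, int]]:
    """Return (volume_label, volume_serial) from one EMDMgmt subkey name.

    The serial is the run of digits after the final underscore (greedy match
    so labels containing underscores survive); the label is whatever sits
    between the closing brace of the GUID and that underscore. Returns None
    when the name does not end in "_<digits>".
    """
    m = re.fullmatch(r"(?P<prefix>.*)_(?P<dec>\d+)", name)
    if m is None:
        return None
    prefix = m.group("prefix")
    label = prefix.rsplit("}", 1)[-1] if "}" in prefix else prefix
    return label, int(m.group("dec"))


def vsn_hex(serial: int) -> str:
    """Hexadecimal form of the 32-bit serial, as forensic tools quote it."""
    return f"{serial:08X}"


def vsn_vol_style(serial: int) -> str:
    """The same value split the way vol.exe prints it: XXXX-XXXX."""
    h = vsn_hex(serial)
    return f"{h[:4]}-{h[4:]}"


def inventory(keys: List[str]) -> List[Tuple[str, str, str]]:
    """Turn subkey names into (label, hex serial, vol.exe-style serial) rows."""
    rows = []
    for key in keys:
        parsed = parse_emdmgmt_key(key)
        if parsed is not None:
            label, dec = parsed
            rows.append((label, vsn_hex(dec), vsn_vol_style(dec)))
    return rows


if __name__ == "__main__":
    for label, hx, vs in inventory(SAMPLE_KEYS):
        print(f"{label or '<no label>':12} {hx}  (vol.exe shows {vs})")
```

The hyphenated form is what to compare against the Vol.exe output; the plain eight-digit form is what you will match against the .lnk files later.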
Make a note of the Volume Serial Number and the Volume Name for use in analysing the Link (.lnk) files, which I will cover later, as they can correlate this device to those Link files.
An important side note: as I have done more investigations I have realised that this key will not be populated if the machine is deemed “too fast” for Ready Boost. This also changes depending on the OS:
- Windows 7 – If an SSD is present Ready Boost is defaulted to off
- Windows 8 – If an SSD is present the system will test to see if Ready Boost is required
The reasoning behind turning off Ready Boost, as far as I can tell, is to do with write endurance on an SSD. As we all know, SSDs are not as write tolerant as the older spinning disks, so automatic defrag is disabled, as is Prefetch (which is another pain in the backside from a forensics standpoint!).
Knowing more about Ready Boost should help you understand why a drive may not appear as expected in the EMDMgmt key: Windows wouldn't attempt to make a cylindrical disk a Ready Boost device, as there would be no performance gain from doing so.