USB Forensics Update

Update #1

This is a late update to USB Forensics Part 4 – Volume Serial Number

An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed “too fast” for Ready Boost. This also changes depending on the OS

  • Windows 7 – If an SSD is present Ready Boost is defaulted to off
  • Windows 8 – If an SSD is present the system will test to see if Ready Boost is required

The reasoning behind turning off Ready Boost as far as I can tell is to do with write times to an SSD. As we all know SSDs are not as write tolerant as the older cylindrical disks therefore automatic defrag is disabled as is pre-fetch (which is another pain in the backside from a forensics standpoint!).

Knowing more about Ready Boost means that it should hopefully help to understand why a drive may not appear as expected in the EMDMgmt key; Windows wouldn’t attempt to make a cylindrical disk a Ready Boost device as there would be no increase in performance associated with it.

Update #2

In relation to USB Forensics Part 5 – Determine the Drive Letter

Disk Signature

I would like to make a correction to the first paragraph of this post, I stated that “E: drive has no usable data in it” after continuing research I have discovered that is not accurate. The data held under E: does have useful information in it! From the screen capture above we can see the Hex value “00 73 B5 A4” this is the “Disk Signature” of the drive used. Using a Hex editor like HxD it is possible to open the physical disk and find this string under 0x000001B8-0X000001BB – this is where I have found it in relation to “00 55” marking the end of the MBR sitting at 0x000001FE-0x000001FF on the devices I had available to me.

This ID assigned to the Master Boot Record (MBR) so is not  permanent, but if the disk has not been formatted or you can recover the data around the MBR, it may help to prove this device was connected.

This entry was posted in USB Forensics, Windows Forensics, Windows Registry Forensics, Windows Registry Forensics and tagged , , . Bookmark the permalink.

1 Response to USB Forensics Update

  1. Pingback: USB Forensics Pt. 4 Volume Serial Number | Hats Off Security

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s