This is a late update to USB Forensics Part 4 – Volume Serial Number
An important side note: as I have done more investigations, I realised that this key (EMDMgmt) will not be populated if the machine is deemed “too fast” for Ready Boost. This also changes depending on the OS:
- Windows 7 – If an SSD is present, Ready Boost defaults to off
- Windows 8 – If an SSD is present, the system will test to see whether Ready Boost is required
The reasoning behind turning off Ready Boost, as far as I can tell, is to do with write times to an SSD. As we all know, SSDs are not as write tolerant as the older cylindrical disks, therefore automatic defrag is disabled, as is pre-fetch (which is another pain in the backside from a forensics standpoint!).
Knowing more about Ready Boost should hopefully help to explain why a drive may not appear as expected in the EMDMgmt key; Windows wouldn’t attempt to make a cylindrical disk a Ready Boost device, as there would be no increase in performance associated with it.
I would like to make a correction to the first paragraph of this post. I stated that “E: drive has no usable data in it”; after continuing research I have discovered that this is not accurate. The data held under E: does have useful information in it! From the screen capture above we can see the hex value “00 73 B5 A4”: this is the “Disk Signature” of the drive used. Using a hex editor like HxD it is possible to open the physical disk and find this string at 0x000001B8-0x000001BB – this is where I have found it in relation to “00 55” marking the end of the MBR, sitting at 0x000001FE-0x000001FF on the devices I had available to me.
This ID is assigned to the Master Boot Record (MBR), so it is not permanent, but if the disk has not been formatted, or you can recover the data around the MBR, it may help to prove this device was connected.
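As an added example (not part of the original post), the following script does the hex-editor check above programmatically: it pulls the 4-byte Disk Signature out of the first sector at offset 0x1B8 and compares it with the hex value noted from the registry. The sector bytes are constructed inline for demonstration; on a real case you would read the first 512 bytes of the physical device or image instead. The 0x55 0xAA marker check at 0x1FE-0x1FF (the standard MBR closing bytes) is my addition, used to flag a sector whose MBR has been wiped or overwritten, in which case the signature can no longer be trusted.

```python
import struct

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature, 0x1B8-0x1BB
BOOT_MARKER_OFFSET = 0x1FE      # 2-byte marker closing the MBR, 0x1FE-0x1FF
BOOT_MARKER = b"\x55\xAA"       # standard MBR closing bytes


def build_sample_mbr(disk_sig: bytes, intact: bool = True) -> bytes:
    """Constructed 512-byte first sector for demonstration (not a real device dump)."""
    sector = bytearray(SECTOR_SIZE)
    sector[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4] = disk_sig
    if intact:
        sector[BOOT_MARKER_OFFSET:BOOT_MARKER_OFFSET + 2] = BOOT_MARKER
    return bytes(sector)


def extract_disk_signature(sector: bytes) -> dict:
    """Return the Disk Signature as seen in a hex editor and as a little-endian integer."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    raw = sector[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4]
    le_value = struct.unpack("<I", raw)[0]        # Windows stores the signature little-endian
    return {
        "raw_hex": raw.hex(" ").upper(),          # byte order as displayed by HxD, e.g. '00 73 B5 A4'
        "le_value": le_value,                     # decimal form, useful for searching other artefacts
        "le_hex": f"{le_value:08X}",              # same value as one 32-bit hex number
        # If the marker is gone, the MBR has likely been overwritten and the signature is unreliable
        "mbr_intact": sector[BOOT_MARKER_OFFSET:BOOT_MARKER_OFFSET + 2] == BOOT_MARKER,
    }


def matches_registry_value(sector: bytes, observed_hex: str) -> bool:
    """Compare the on-disk bytes with the hex string noted from the registry (E: data)."""
    wanted = bytes.fromhex(observed_hex.replace(" ", ""))
    return sector[DISK_SIGNATURE_OFFSET:DISK_SIGNATURE_OFFSET + 4] == wanted


if __name__ == "__main__":
    # In a real case: open(r"\\.\PhysicalDrive1", "rb").read(512) (Windows, needs admin) or an image file.
    mbr = build_sample_mbr(bytes.fromhex("0073B5A4"))
    print(extract_disk_signature(mbr))
    print("matches registry value:", matches_registry_value(mbr, "00 73 B5 A4"))
```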