Category: USB Forensics

First / Last USB Plugged in

Navigate to the following file: %WINDIR%\inf\setupapi.dev.log. This is very similar to the setupapi.log from Windows XP, except Microsoft moved it slightly further away. They have a habit of doing this; I suspect it's to charge more for consultancy or something. Setupapi.dev.log can be viewed in a highly complex program known . . . Read more

USB Forensics Volume Serial Number

We are now going to move on to the Volume Serial Number. This is created by Windows Vista and later operating systems each time the device is formatted. We will be looking in the EMDMgmt key for the Volume Serial Number, which according to this Technet blog around Windows Vista, is where . . . Read more

USB Forensics Volume Name

We will discover the Volume Name of the USB device. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally serve as supporting evidence if the user has named the volume after their own name, or better . . . Read more

USB Serial Number

To find the serial number of a USB device, we must start our investigation in the Registry’s SYSTEM hive. Navigate to the following key: SYSTEM\CurrentControlSet\Enum\USBSTOR. This key will display all of the USB devices plugged into the machine regardless of user. The serial number will be a sub-key of . . . Read more