
USB Forensics Volume Name

We will discover the Volume Name of the USB device. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally serve as supporting evidence if the user has named the volume after their own name, or better yet something telling like “Hacking Tools”.

Windows 7 upwards introduced a new key to the Registry which makes finding the Volume Name a lot easier than in previous versions. Navigate to the following location:

SOFTWARE\Microsoft\Windows Portable Devices\Devices

This key is not particularly user friendly in terms of readability, though there are worse ones out there! The Serial Number is the string you are searching for.

As you can see above, the Unique Serial Number is displayed in the red box.

And this shows us the Volume Name of the USB stick from SANS, named “FOR408-USB”.

Before we continue…

Something I noticed while looking at these keys: the highlighted key is not the device I wanted to demonstrate; the one I wanted to show is below it. The second key, however, does not have the Serial Number in the key name. So how can we prove this is the same device?

I went back to the USBSTOR key for a little more information; after all, this key was created as a result of the installation of the USB device, the same as the USBSTOR key. Therefore, logically, there must be a way to correlate one to the other. So I started looking at the other characters in the key.

The “SWD#SPDBUSENUM#” prefix is repeated on the third key, which is not the same device, so I discounted it from this investigation. I next looked at the bracketed string starting “{C0B076c6…” and discovered it is a reference to a value held under

SYSTEM\CurrentControlSet\Enum\USBSTOR\<Device>\<SerialNumber>\Device Parameters\Partmgr

Under “DiskId”, as highlighted on the right, you can see the corresponding string (this is not true of the other USB device, however).

Using this correlation, albeit a weak one, you can see that the Volume Name is set to “My Drive”, which is the correct device.
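To make the two-step correlation above concrete, here is an added Python example (not code from the original post) that parses key names from the Windows Portable Devices\Devices location and links each one back to a USBSTOR device: first by the serial number embedded in the key name, and only if that is absent by matching any `{GUID}` in the key name against the `DiskId` value under `Device Parameters\Partmgr`, reporting which basis was used so the weaker GUID link is visible. The registry contents are constructed sample data, not an export from the post's system; the `FriendlyName` value as the place the Volume Name is stored and the `SWD#WPDBUSENUM#` prefix in the sample key names are assumptions about the key layout, and the code does not depend on the prefix.

```python
import re

# Regex for a bracketed GUID such as {c0b076c6-....}; registry key names are
# case-insensitive, so the flag and later .lower() calls keep comparisons sane.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed sample of SOFTWARE\Microsoft\Windows Portable Devices\Devices.
# Key name -> values. The serial numbers, vendor strings and GUIDs are invented;
# "FriendlyName" holding the Volume Name is an assumption about the key layout.
WPD_DEVICES = {
    # Key of the first kind: USBSTOR path and <Serial>&0 instance id embedded.
    # The trailing GUID here is a device interface class GUID, not a DiskId.
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00#"
    "4C530001230409123456&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": {
        "FriendlyName": "FOR408-USB",
    },
    # Key of the second kind: no serial number, only a GUID that may match DiskId.
    "SWD#WPDBUSENUM#{c0b076c6-1111-2222-3333-444455556666}#0000000000100000": {
        "FriendlyName": "My Drive",
    },
    # Same shape, but its GUID matches no Partmgr DiskId in the sample.
    "SWD#WPDBUSENUM#{9e1f4a2b-aaaa-bbbb-cccc-ddddeeeeffff}#0000000000100000": {
        "FriendlyName": "Other Stick",
    },
}

# Constructed sample of
# SYSTEM\CurrentControlSet\Enum\USBSTOR\<Device>\<SerialNumber>\Device Parameters\Partmgr
# keyed by (<Device>, <SerialNumber>) -> Partmgr values.
USBSTOR_PARTMGR = {
    ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00", "4C530001230409123456&0"): {
        "DiskId": "{6f1e2d3c-0000-1111-2222-333344445555}",
    },
    ("Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP", "001CC0EC34E5BB00000C&0"): {
        "DiskId": "{C0B076C6-1111-2222-3333-444455556666}",
    },
}


def parse_wpd_key(key_name):
    """Split a WPD Devices key name into the parts used for correlation.

    Returns the USBSTOR <Device> and <Serial>&0 instance segments when the key
    embeds a USBSTOR path (None otherwise), plus every {GUID} found in the name.
    """
    parts = key_name.split("#")
    device = instance = None
    for i, seg in enumerate(parts):
        # The segment before the device string ends in "USBSTOR" (e.g. "_??_USBSTOR").
        if seg.upper().endswith("USBSTOR") and i + 2 < len(parts):
            device, instance = parts[i + 1], parts[i + 2]
            break
    guids = [g.lower() for g in GUID_RE.findall(key_name)]
    return {"device": device, "instance": instance, "guids": guids}


def correlate(wpd_devices, usbstor_partmgr):
    """Link each WPD key to a USBSTOR (device, serial) pair and say how strong the link is.

    basis is "serial" when the serial number sits in the WPD key name itself,
    "diskid" when only a GUID matched a Partmgr DiskId (the weaker link the post
    describes), or "none" when nothing correlated.
    """
    by_diskid = {}
    for (device, instance), values in usbstor_partmgr.items():
        disk_id = values.get("DiskId")
        if disk_id:
            by_diskid[disk_id.lower()] = (device, instance)

    results = []
    for key_name, values in wpd_devices.items():
        parsed = parse_wpd_key(key_name)
        match, basis = None, "none"
        if parsed["instance"] is not None:
            for device, instance in usbstor_partmgr:
                if (device.lower() == parsed["device"].lower()
                        and instance.lower() == parsed["instance"].lower()):
                    match, basis = (device, instance), "serial"
                    break
        if match is None:
            for guid in parsed["guids"]:
                if guid in by_diskid:
                    match, basis = by_diskid[guid], "diskid"
                    break
        results.append({"volume_name": values.get("FriendlyName"),
                        "usbstor": match, "basis": basis})
    return results


if __name__ == "__main__":
    for row in correlate(WPD_DEVICES, USBSTOR_PARTMGR):
        print(f'{row["volume_name"]!r:15} basis={row["basis"]:7} usbstor={row["usbstor"]}')
```

On a real case the two dictionaries would be filled from the SOFTWARE and SYSTEM hives of the image; the point of the `basis` field is that a DiskId-only link should be written up as the supporting, weaker correlation the post describes, while a serial-number link stands on its own.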
