Have any Question?

You can ask below or enter what you are looking for!

USB Forensics Volume Serial Number

We are now going to move on to the Volume Serial Number, this is created by Windows Vista and up Operating Systems each time the device is formatted. We will be looking in the EMDMgmt key for the Volume Serial Number, which according to this Technet blogaround Windows Vista, is where the Operating system store details regarding “Ready Boost”; the idea behind Ready Boost was to use external USB devices as additional memory to increase performance. It never really took off. In my opinion this is a good thing from a forensics stand point, would we really want to be chasing down another USB device that has memory artifacts on it? I personally would rather have as much evidence in one place as possible. Especially when it comes to large scale jobs.

USB Hard Drive vs. USB Stick

As I mentioned in Part 3, one of the devices we are looking at is a cylindrical hard drive, it will be interesting to see if the Volume Serial Number exists in this key, as obviously it wont be fast enough to pass the benchmark…… let’s go find out.

Navigate to the following key:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

As you can see “My Drive” which we identified as the Hard Drive is listed, and above that we see “FOR408-USB”, so the answer is yes, it will be listed here!

I have highlighted here the string at the end of the Key name, this is a Decimal value of the Volume Serial Number, which is a Hexadecimal value (isn’t the registry fun…..). Convert this value, using Windows Calculator is probably easiest,  into the Hex and you have your Volume Serial Number.

The Volume Serial Number of this device is “40034B65”. To confirm that this is correct there is another tool we can use, which is a command line tool called “Vol.exe”, this requires you to have the device connected, so use appropriate protection and document when and why you did it. The output of Vol.exe is shown below:

As you can see, the Volume Serial Number matches what we worked out manually above. Therefore showing that this device was installed on this machine and has not been formatted since (this is an important footnote, the Volume Serial Number can change for the device if it is formatted, as the Volume Serial Number is allocated after the Format!).

Make a note of the Volume Serial Number and the Volume Name for use in analysing the Link (.lnk) files.

An important side note: As I have done more investigations I realized that this key will not be populated if the machine is deemed “too fast” for Ready Boost. This also changes depending on the OS

  • Windows 7 – If an SSD is present Ready Boost is defaulted to off
  • Windows 8 – If an SSD is present the system will test to see if Ready Boost is required

The reasoning behind turning off Ready Boost as far as I can tell is to do with write times to an SSD. As we all know SSDs are not as write tolerant as the older cylindrical disks therefore automatic defrag is disabled as is pre-fetch (which is another pain in the backside from a forensics standpoint!).

Knowing more about Ready Boost means that it should hopefully help to understand why a drive may not appear as expected in the EMDMgmt key; Windows wouldn’t attempt to make a cylindrical disk a Ready Boost device as there would be no increase in performance associated with it.

Leave a Reply

Your email address will not be published. Required fields are marked *