The Difference Between The Device and Volume Serial Numbers on a USB Device
A USB device normally contains 2 unique serial number identifiers, a device serial number and a volume serial number. The device serial number is embedded within the firmware of the device and is only visible from an examination of the device itself, whereas the volume serial number is accessible from a physical forensic image and relates to the time and date of the FAT or NTFS system used to format it.
The device serial number can be viewed by using ‘right-click’ ‘properties’ and ‘details’ within Windows Explorer on the device whilst it is connected, alternatively it is possible to use software such as USBDeview.
Windows USB Artefacts
When conducting an examination of a Windows based computer, the main locations that may contain evidence to indicate the devices connected to the system are as follows:
To identify the device serial number review the path \CurrentControlSet\Enum\USBSTOR that is within the SYSTEM file located within the directory path \Windows\System32\Config\ and the EMDMgmt entry at \Microsoft\WindowsNT\CurrentVersion\ within the SOFTWARE system file located within the same directory.
In order to identify the volume name of the device, review the entry named Devices within the path \Microsoft\Windows\Portable Devices\ within the SOFTWARE system file located at the path \Windows\System32\Config\.
The Volume GUID is a unique identifier attributed by Windows for each USB device and that attribute is available within the MountedDevices entry of the System file at \Windows\System32\Config\.
The manufacturer and Product ID of the device is available within the \CurrentControlSet\Enum\USB within the System file at the path \Windows\System32\Config\.
It is possible to identify the first time that the device was connected to the system by reviewing the USBSTOR entry at \CurrentControlSet\Enum\ within the SYSTEM file at \Windows\System32\Config\ as well as the setupapi.dev.log at the path \Windows\inf\ directory. The time that the device was last connected to the system can be found from the USB entry within the \CurrentControlSet\Enum\ path of the same SYSTEM file.
By reviewing the MountPoints2 located within the NTUSER.DAT hive file for a specific user at \Software\Microsoft\Windows\CurrentVersion\Explorer\ it is possible to identify when the device (from the GUID) had been last connected and which user profile had been active on the computer at that time.
When a file is accessed on a USB device, the volume serial number is retained within any LNK (link) file generated. This LNK file will also include the path, file name, creation and modified date of the file that was accessed and will allow the assessment of the types of files that were present on the USB device that was connected to the computer.
This evidence can be important in cases involving indecent images of children in criminal cases for example through to internal company investigations where an employee is suspected of copying or retaining confidential or sensitive data.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on email@example.com, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.