Associating an external drive to a volume s/n

(@kossuth)
Posts: 22
Eminent Member
Topic starter
 

I am a Corporate Security Manager tasked with examining company devices. I am new to digital forensics and have begun to learn using Magnet Axiom. I've processed a case and identified a number of files that resided on the D:\ drive, which I've identified as an external hard drive. The LNK and Jump List artifacts identify the volume name and s/n where the file resided. I also have identified a USB connection with the same drive manufacturer which I believe is the drive in question. I do not have the drive; is there a way to make the connection between the VSN and the HD?

 
Posted : 20/03/2019 7:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The LNK and Jump list artifacts identify the Volume name and s/n where the file resided. I also have identified a USB connection with the same drive manufacturer which I believe is the drive in question. I do not have the drive, is there a way to make the connection between the VSN and the HD?

Without the HD?
No, the volume serial number is generated (in Windows by an unknown random or semi-random algorithm) at volume creation (format) time.
You need to have the HD to verify that the serial number of the volume (still) matches what you found.

If you have the GUID from the Registry Mountpoint you can decode it to know at what date/time it was connected (though the GUID will only provide something like "first time in the last period", i.e. on first connection the volume gets a GUID and a drive letter, and this is normally re-used unless the data in the Registry is overwritten) see
https://www.forensicfocus.com/Forums/viewtopic/t=15925/

jaclaz

 
Posted : 21/03/2019 9:02 am
(@kossuth)
Posts: 22
Eminent Member
Topic starter
 

Thank you.

 
Posted : 21/03/2019 12:28 pm
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

I do not have the drive, is there a way to make the connection between the VSN and the HD?

Yes, you can correlate the VSN from LNK files and jump lists to a particular drive that was connected to the system. One place to check would be the EMDMgmt subkey of the SOFTWARE hive, but you shouldn't expect to find that subkey if the OS is running on an SSD.

If it's a Windows 10 system, you can leverage the Partition/Diagnostic event log for this correlation. I've written a blog post about doing this manually here. USB Detective will also handle the VSN extraction and correlation for you when processing event logs from a Windows 10 system.

Jason

 
Posted : 21/03/2019 3:11 pm
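As an added illustration of the EMDMgmt correlation described in the answer above (example code, not from the post or from USB Detective): under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt, Windows names each ReadyBoost-tested volume's subkey after the USB device instance path, the volume label and the volume serial number written in decimal, while LNK and Jump List parsers show the same VSN as hex in the form XXXX-XXXX. The subkey names below are constructed samples; the assumed naming scheme is `<device instance path>{<GUID>}<label>_<VSN decimal>`.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Union

# Constructed sample subkey names as found under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt.
# The subkey is absent on systems whose OS drive is an SSD (ReadyBoost is off).
SAMPLE_EMDMGMT_KEYS = [
    r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001234567890123&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CASEDRIVE_2481069876",
    r"_??_USBSTOR#Disk&Ven_WD&Prod_Elements_25A2&Rev_1021#575838314131234567&0#"
    r"{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MY_BACKUP_305419896",
]

class EmdEntry(NamedTuple):
    vendor: str
    product: str
    device_serial: str   # USB device serial from the instance path
    label: str           # volume label (may itself contain underscores)
    vsn: int             # volume serial number, as stored: decimal

# Assumed layout of the key name; the trailing "_<digits>" is the VSN.
KEY_RE = re.compile(
    r"^_\?\?_USBSTOR#Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_[^#]*#"
    r"(?P<serial>[^&#]+)&\d+#\{[0-9a-fA-F-]+\}(?P<label>.*)_(?P<vsn>\d+)$"
)

def parse_emdmgmt_key(name: str) -> Optional[EmdEntry]:
    """Split one EMDMgmt subkey name into device and volume fields."""
    m = KEY_RE.match(name)
    if not m:
        return None
    return EmdEntry(m["ven"], m["prod"], m["serial"], m["label"], int(m["vsn"]))

def vsn_to_hex(vsn: int) -> str:
    """Render a 32-bit VSN the way LNK/Jump List tools display it, e.g. 93E2-1F34."""
    h = f"{vsn & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"

def normalise_vsn(value: Union[int, str]) -> int:
    """Accept an int or the hex form '93E2-1F34' / '93E21F34' and return the int."""
    if isinstance(value, int):
        return value
    v = value.replace("-", "").strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", v):
        raise ValueError(f"not an 8-hex-digit VSN: {value!r}")
    return int(v, 16)

def find_device_for_vsn(lnk_vsn: Union[int, str], keys: Iterable[str]) -> List[EmdEntry]:
    """Return every EMDMgmt entry whose VSN matches the one taken from a LNK/Jump List."""
    target = normalise_vsn(lnk_vsn)
    return [e for e in map(parse_emdmgmt_key, keys) if e and e.vsn == target]
```

A match ties the VSN from the shortcut to a concrete USB device serial and vendor/product, which is the link the question asks for; it still only proves that a volume with that serial was once on that device, not that the volume has not been reformatted since.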