I am a Corporate Security Manager tasked with examining company devices. I am new to digital forensics and have begun to learn using Magnet Axiom. I've processed a case and identified a number of files that resided on the D:\ drive, which I've identified as an external hard drive. The LNK and Jump List artifacts identify the Volume name and s/n where the file resided. I also have identified a USB connection with the same drive manufacturer which I believe is the drive in question. I do not have the drive; is there a way to make the connection between the VSN and the HD?
The LNK and Jump list artifacts identify the Volume name and s/n where the file resided. I also have identified a USB connection with the same drive manufacturer which I believe is the drive in question. I do not have the drive, is there a way to make the connection between the VSN and the HD?
Without the HD?
No, the volume serial number is generated (in Windows by an unknown random or semi-random algorithm) at volume creation (format) time.
You need to have the HD to verify that the serial number of the volume (still) matches what you found.
If you have the GUID from the Registry Mountpoint you can decode it to know at what date/time it was connected (though the GUID will only provide something like "first time in the last period", i.e. on first connection the volume gets a GUID and a drive letter, and this is normally re-used unless the data in the Registry is overwritten) see
https://www.forensicfocus.com/Forums/viewtopic/t=15925/
jaclaz
Thank you.
I do not have the drive, is there a way to make the connection between the VSN and the HD?
Yes, you can correlate the VSN from LNK files and jump lists to a particular drive that was connected to the system. One place to check would be the
If it's a Windows 10 system, you can leverage the Partition/Diagnostic event log for this correlation. I've written a blog post about doing this manually
Jason
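One way to carry out the correlation Jason describes, as an added example that is neither the poster's code nor taken from any blog: on Windows 10 the Microsoft-Windows-Partition/Diagnostic log (event ID 1006) records the device Manufacturer, Model and SerialNumber alongside the first sector of each volume (the Vbr0 field), and the VSN that LNK files and Jump Lists store is read directly out of that boot sector. The script assumes the 1006 events have already been exported with Vbr0 as a hex string (those field names and the export format are assumptions); the event records and boot sectors below are constructed.

```python
import struct

# Byte offset of the 4-byte volume serial inside the boot sector, per file system.
# NTFS stores an 8-byte serial at 0x48; Windows shows its low DWORD as the VSN.
_VSN_OFFSET = {"NTFS": 0x48, "EXFAT": 0x64, "FAT32": 0x43, "FAT": 0x27}

def detect_fs(vbr: bytes) -> str:
    """Identify the file system of a boot sector from its OEM / type strings."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector (missing 55 AA signature)")
    oem = vbr[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "EXFAT"
    if vbr[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if vbr[0x36:0x3E].startswith(b"FAT"):
        return "FAT"            # FAT12 / FAT16
    raise ValueError("unrecognised file system")

def vsn_from_vbr(vbr: bytes) -> str:
    """Return the Windows-style VSN (XXXX-XXXX) recorded in a boot sector."""
    (raw,) = struct.unpack_from("<I", vbr, _VSN_OFFSET[detect_fs(vbr)])
    return f"{raw >> 16:04X}-{raw & 0xFFFF:04X}"

def correlate(lnk_vsn: str, events: list) -> list:
    """Return the 1006 events whose Vbr0 carries the VSN seen in a LNK / Jump List."""
    hits = []
    for ev in events:
        try:
            if vsn_from_vbr(bytes.fromhex(ev["Vbr0"])) == lnk_vsn.upper():
                hits.append({k: ev[k] for k in ("Manufacturer", "Model", "SerialNumber")})
        except (ValueError, KeyError):
            continue            # empty or unformatted partition: no VSN to compare
    return hits

def _fake_ntfs_vbr(vsn: int) -> bytes:
    """Constructed NTFS boot sector with only the fields this script inspects."""
    vbr = bytearray(512)
    vbr[3:11] = b"NTFS    "
    vbr[0x48:0x50] = struct.pack("<Q", (0xDEADBEEF << 32) | vsn)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)

# Constructed event records (hypothetical serial numbers, not real devices).
EVENTS = [
    {"Manufacturer": "VendorA", "Model": "Portable HDD", "SerialNumber": "CONSTRUCTED-SN-001",
     "Vbr0": _fake_ntfs_vbr(0x1234ABCD).hex()},
    {"Manufacturer": "VendorB", "Model": "USB Stick", "SerialNumber": "CONSTRUCTED-SN-002",
     "Vbr0": _fake_ntfs_vbr(0x0BADF00D).hex()},
    {"Manufacturer": "VendorC", "Model": "Blank Disk", "SerialNumber": "CONSTRUCTED-SN-003",
     "Vbr0": "00" * 512},
]

if __name__ == "__main__":
    print(correlate("1234-ABCD", EVENTS))  # the VSN taken from the LNK / Jump List
```

A match ties the VSN to the device SerialNumber, which can then be checked against the USB connection already identified in the registry.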