Tuesday, December 21, 2004

Mounted Devices

Ever wondered what devices have been mounted to your Windows system, particularly external storage devices? Things like USB-connected storage? Well, it's not hard to tell. Simply navigate to the following Registry key:

HKLM\System\MountedDevices

If you're using RegEdit, the Name column in the right-hand pane will list a series of entries. Right-click on one whose name begins with "\DosDevices\", and choose "Modify Binary Data" from the context menu that appears. An "Edit Binary Value" dialog window will open, and for external storage devices you'll see "\??\Storage#RemovableMedia" at the beginning of the binary data.

Tools like the First Responder Unit (FRU), part of the Forensic Server Project, can be used to retrieve this data from a system. A useful side effect is that the FRU also collects the LastWrite time of the Registry key, which tells you when the last entry was written to MountedDevices.
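As an added example (not part of the original post or of the Forensic Server Project), here is a small Python parser that does the same classification on MountedDevices values: it decodes the binary data, flags entries whose data begins with \??\STORAGE#RemovableMedia, and, when run on Windows, reads the key's LastWrite time through winreg. The sample dictionary is constructed to resemble an export and is an assumption, not data captured from a real host.

```python
import struct
from datetime import datetime, timedelta, timezone

REMOVABLE_PREFIX = "\\??\\STORAGE#REMOVABLEMEDIA"  # compared case-insensitively

def filetime_to_datetime(filetime):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def decode_mounted_device(name, data):
    """Classify one MountedDevices value. Layouts seen in practice: a 12-byte MBR entry
    (4-byte disk signature + 8-byte partition byte offset, little-endian), an ASCII
    'DMIO:ID:' tag plus GUID for dynamic disks, and a UTF-16LE device path, which for
    USB media starts with \\??\\STORAGE#RemovableMedia."""
    entry = {"name": name, "kind": "unknown", "detail": data.hex()}
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        entry.update(kind="mbr-partition", detail=f"disk sig 0x{sig:08X} offset 0x{offset:X}")
    elif data.startswith(b"DMIO:ID:"):
        entry.update(kind="dynamic-disk", detail=data[8:].hex())
    else:
        try:
            text = data.decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            return entry  # odd length or invalid UTF-16: leave it as raw hex
        removable = text.upper().startswith(REMOVABLE_PREFIX)
        entry.update(kind="removable" if removable else "device-path", detail=text)
    return entry

def removable_devices(values):
    """Return (value name, device path) pairs that point at removable media."""
    decoded = (decode_mounted_device(n, d) for n, d in values.items())
    return [(e["name"], e["detail"]) for e in decoded if e["kind"] == "removable"]

def read_mounted_devices():
    """Live read on Windows only: returns ({name: bytes}, key LastWrite datetime)."""
    import winreg  # raises ImportError off Windows; the parser above still works on exports
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        _, count, last_write = winreg.QueryInfoKey(key)
        for i in range(count):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return values, filetime_to_datetime(last_write)

# Constructed sample resembling a MountedDevices export (assumption, not real host data).
USB_PATH = "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE = {
    "\\DosDevices\\C:": bytes.fromhex("d4c3b2a1") + (0x7E00).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{0a1b2c3d-0000-0000-0000-000000000001}": USB_PATH.encode("utf-16-le"),
}
```

Calling `removable_devices(SAMPLE)` lists the E: drive letter and its volume GUID entry, both pointing at the same USB device path; on a live Windows host, `read_mounted_devices()` supplies the real values plus the LastWrite timestamp the FRU reports.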