I was doing my monthly check of the e-Evidence.info site this morning, and I ran across an interesting article on how iPods are used as hard drives. So I plugged an iPod into my Windows box and fired up UVCView, and pulled the serial number from the device...in this case, "0000008A0136".
From there, I went to the Registry and navigated to the HKLM\System\CurrentControlSet\Enum Registry key, then dropped down and opened up the USBStor subkey. There, I found the device ID I was looking for...Disk&Ven_Apple&Prod_iPod&Rev_1.62. Beneath this subkey, I found the instance ID that contained the serial number of the device; "0000008A0136&0". From there, I mapped the ParentIdPrefix value to the corresponding value under HKLM\System\MountedDevices and located the drive letter that the device had been mapped to; in my case, \DosDevices\G:.
So what does this all mean? If you're looking around for who's been using iPods at work, you know which key to check. If you're performing a forensic investigation, you should check under the ControlSet00x key rather than the CurrentControlSet key: CurrentControlSet is a symbolic link that only exists on a running system, so you won't find it in a hive file pulled from an image.
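The walk described above, from Enum\USBSTOR through ParentIdPrefix to MountedDevices, as a PowerShell script. This is an added example and not code from the original post. It assumes the SYSTEM hive is reachable under the registry provider, either the live HKLM:\SYSTEM or an offline hive mounted with reg.exe load (the hive path used in the comment is a placeholder), and it picks the control set from the Select key's Current value since, as noted above, an offline hive has no CurrentControlSet. The match on the serial number in MountedDevices (in addition to ParentIdPrefix) is an assumption about later Windows versions, where ParentIdPrefix is no longer written for USBSTOR instances; the sample value strings in the comments are constructed.

```powershell
# Added example: list every USB storage device recorded under Enum\USBSTOR and
# match it to the drive letter / volume name recorded under MountedDevices.
#
# Assumptions: -HiveRoot points at a SYSTEM hive under the registry provider.
#   live box:     .\Get-UsbStorMounts.ps1
#   offline hive: reg.exe load HKLM\OfflineSystem X:\evidence\config\SYSTEM   (placeholder path)
#                 .\Get-UsbStorMounts.ps1 -HiveRoot 'HKLM:\OfflineSystem'
param(
    [string] $HiveRoot = 'HKLM:\SYSTEM'
)

# An offline hive has no CurrentControlSet; Select\Current says which
# ControlSet00x was in use at the last boot, so resolve it the same way here.
$current    = (Get-ItemProperty -Path (Join-Path $HiveRoot 'Select') -Name Current).Current
$controlSet = 'ControlSet{0:D3}' -f $current
$usbstor    = Join-Path $HiveRoot "$controlSet\Enum\USBSTOR"
$mountedKey = Join-Path $HiveRoot 'MountedDevices'

# MountedDevices values for USB devices are UTF-16LE strings (constructed samples):
#   \??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{...}                       (XP, via ParentIdPrefix)
#   _??_USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#0000008A0136&0#{...}     (assumed: Vista and later)
# Fixed-disk entries are short binary blobs; they decode to junk and never match.
function ConvertFrom-MountedDeviceData {
    param([byte[]] $Data)
    if ($null -eq $Data -or $Data.Length -lt 4) { return '' }
    return [System.Text.Encoding]::Unicode.GetString($Data)
}

$mounted = Get-ItemProperty -Path $mountedKey
$mountedEntries = foreach ($p in $mounted.PSObject.Properties) {
    if ($p.Name -like '\DosDevices\*' -or $p.Name -like '\??\Volume{*') {
        [pscustomobject]@{ Name = $p.Name; Text = ConvertFrom-MountedDeviceData $p.Value }
    }
}

foreach ($device in Get-ChildItem -Path $usbstor) {
    # $device.PSChildName is the device ID, e.g. Disk&Ven_Apple&Prod_iPod&Rev_1.62
    foreach ($instance in Get-ChildItem -Path $device.PSPath) {
        # Instance ID, e.g. 0000008A0136&0. If its second character is '&' the
        # device reported no serial and Windows generated the ID itself, so the
        # value cannot be used to tie a specific physical device to this machine.
        $instanceId     = $instance.PSChildName
        $serial         = $instanceId.Split('&')[0]
        $props          = Get-ItemProperty -Path $instance.PSPath
        $parentIdPrefix = $props.ParentIdPrefix      # present on XP, absent on later versions

        $hits = $mountedEntries | Where-Object {
            ($parentIdPrefix -and $_.Text -like "*#$parentIdPrefix&*") -or
            ($_.Text -like "*#$instanceId#*")
        }

        [pscustomobject]@{
            ControlSet       = $controlSet
            DeviceId         = $device.PSChildName
            InstanceId       = $instanceId
            Serial           = $serial
            WindowsGenerated = ($instanceId.Length -gt 1 -and $instanceId[1] -eq '&')
            FriendlyName     = $props.FriendlyName
            ParentIdPrefix   = $parentIdPrefix
            MountedAs        = ($hits.Name -join ', ')
        }
    }
}
```

Run it with the offline hive loaded and the output shows, per instance, which control set the record came from and which \DosDevices\ letter or \??\Volume{...} name it mapped to; for the iPod above you would expect a Serial of 0000008A0136 and MountedAs of \DosDevices\G:. A device that was plugged in but never assigned a letter, or whose entry was later reused by another device, shows an empty MountedAs, which is itself worth noting in the report.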
4 comments:
Great stuff! This should definitely go in the wiki!
Dude,
Send me the link to this Wiki, and I'll post it!
H
Or just plug the iPod into a Linux/FreeBSD/OS X box, where it appears as a regular drive.
To the Anonymous poster...
I'm not clear on what it is you're trying to say. This blog is about forensic analysis of Windows systems, and the information presented in this entry is specific to that topic. I'm not clear on how your post fits in with this...can you elaborate?
Thanks!