This particular topic was previously discussed in this blog (and in another, much older post), but sometimes processes like this need to be revisited. Before we start, however, it's important to point out that this process works only on Windows Vista and later, because the Registry key it relies on is populated by the ReadyBoost service, which first shipped with Vista.
A Windows shortcut (LNK) file can contain the volume serial number, or VSN, of the volume the target file was on. A VSN is a 4-byte (DWORD) value assigned when a volume is formatted; it is intended to be unique to that volume, and it changes when the volume is reformatted. Many tools that parse LNK files display the VSN in their output, if one exists, usually as two groups of four hexadecimal digits (XXXX-XXXX).
Note: Prefetch files include a volume information block that also contains a VSN. If that VSN does not belong to one of the local system's volumes, that is, if the user launched an application from an external storage device, the same process can be used to correlate the VSN to the particular device. To see the VSN for a volume on a live system, change to that volume at a command prompt and run the 'vol' command.
The EMDMgmt key (within the Software hive) records information about volumes that have been connected to the system, including USB external devices. This information is generated and used by the ReadyBoost service, at least in part to determine whether a device is suitable for use as a ReadyBoost cache (flash storage used to supplement system RAM). Because the key is populated when ReadyBoost evaluates a device, it may be sparse or absent on systems where ReadyBoost is disabled, such as those whose system drive is an SSD, so don't treat an empty key as proof that no device was ever connected.
The path to the key in question is:
This key contains subkeys that pertain to and describe storage volumes. The subkeys we're interested in are those whose names begin with "_??_USBSTOR#". These names are very similar to artifacts found in the System hive, particularly the USBStor subkeys: after the "_??_USBSTOR#" prefix come the vendor, product and revision strings, then the device serial number, then a device interface class GUID in braces. The name ends with the volume name (if one exists), an underscore, and the VSN in decimal format.
An example of such a subkey name, with the VSN in bold, appears as follows:
For those subkeys that pertain to USB thumb drives, the emdmgmt.pl RegRipper plugin parses the subkey name and displays the VSN in a usable, understandable manner. That is, the plugin translates the decimal VSN into hexadecimal and displays it the same way the VSN appears in LNK and Prefetch files and in the output of the vol command on a live system.
Now that we have these two pieces of information, we can correlate LNK files (or Prefetch files, if necessary) to a particular device, based on the VSNs. Because a VSN is only 32 bits and is regenerated each time a volume is formatted, treat a VSN match as a strong lead rather than proof on its own, and corroborate it with the device serial number (which also appears in the USBStor subkeys of the System hive) and the relevant key LastWrite times. I've used this technique a number of times, most recently in an attempt to determine a user's access to a particular device (remember, LNK files are most often associated with a user, as they are often located within the user's profile). If you know what you're attempting to determine or demonstrate, that is, the goals of your analysis, then the tools and artifacts tend to fall right into place. Because of the tools I have available, when I've had to perform this type of correlation of artifacts the analysis is complete in just a few minutes.
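As an added, runnable illustration of the correlation described above (this is example code written for this page, not the emdmgmt.pl plugin and not code from the original post), the Python below splits EMDMgmt subkey names into device ID, serial, volume label and VSN, converts the decimal VSN into the XXXX-XXXX form that vol and LNK parsers show, reads the DriveSerialNumber out of the VolumeID structure of a LNK file as laid out in MS-SHLLINK, and reports which device the shortcut was pointing at. The subkey names, device serials, labels and VSNs are constructed for the example, the LNK file is built in memory by the example itself, and the regular expression is an assumption based on the subkey name layout described above.

```python
import re
import struct
from typing import List, Optional

# Constructed EMDMgmt subkey names (assumption: shaped like real ones; the device
# serials, labels and VSNs are invented for this example).
SAMPLE_EMDMGMT_SUBKEYS = [
    "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CASE_DATA_439041101",
    "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#001CC0EC3456789ABC&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_1234567890",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#AA04012700012345&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_3735928559",
]

# _??_USBSTOR#<device id>#<serial>&<instance>#{<class GUID>}<label>_<decimal VSN>
# Greedy label so labels containing "_" still parse; a missing label leaves "}_<VSN>".
EMDMGMT_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<serial>[^#]+?)(?:&\d+)?"
    r"#\{[0-9A-Fa-f-]+\}(?P<label>.*)_(?P<vsn>\d+)$"
)

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # ShellLinkHeader.LinkFlags
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                  # LinkInfo.LinkInfoFlags

def fmt_vsn(vsn: int) -> str:
    """Render a DWORD VSN the way vol and LNK parsers show it: XXXX-XXXX."""
    h = f"{vsn & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"

def parse_emdmgmt_subkey(name: str) -> Optional[dict]:
    """Split one EMDMgmt subkey name; None for names that are not _??_USBSTOR# entries."""
    m = EMDMGMT_RE.match(name)
    if not m:
        return None
    return {"device": m["device"], "serial": m["serial"], "label": m["label"],
            "vsn_dec": int(m["vsn"]), "vsn": fmt_vsn(int(m["vsn"]))}

def build_sample_lnk(vsn: int, label: str, local_path: str) -> bytes:
    """Constructed test input: a minimal MS-SHLLINK file holding only a LinkInfo/VolumeID."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO,
                         0x20,         # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,      # creation / access / write FILETIMEs left unset
                         0, 0, 1,      # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1-3
    label_b = label.encode("ascii") + b"\x00"
    # VolumeID: VolumeIDSize, DriveType (2 = DRIVE_REMOVABLE), DriveSerialNumber, VolumeLabelOffset
    volume_id = struct.pack("<IIII", 16 + len(label_b), 2, vsn, 16) + label_b
    base_b = local_path.encode("ascii") + b"\x00"
    vol_off = 0x1C                                    # == LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)               # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_b + b"\x00"

def _cstr(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")

def parse_lnk_volume(data: bytes) -> Optional[dict]:
    """Drive type, VSN, label and local base path from a LNK file's VolumeID, or None."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    li = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:               # skip IDListSize + IDList
        li += 2 + struct.unpack_from("<H", data, li)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                   # network target: no local VolumeID
    vid = li + vol_off
    _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
    if label_off == 0x14:                             # spec: label is Unicode, at VolumeLabelOffsetUnicode
        start = end = vid + struct.unpack_from("<I", data, vid + 16)[0]
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        label = data[start:end].decode("utf-16-le")
    else:
        label = _cstr(data, vid + label_off)
    return {"drive_type": drive_type, "vsn": fmt_vsn(serial), "label": label,
            "local_base_path": _cstr(data, li + base_off)}

def correlate_lnk_to_devices(lnk_data: bytes, subkey_names: List[str]) -> List[dict]:
    """Every EMDMgmt USB device whose VSN equals the VSN recorded in the LNK file."""
    vol = parse_lnk_volume(lnk_data)
    if vol is None:
        return []
    return [d for d in map(parse_emdmgmt_subkey, subkey_names) if d and d["vsn"] == vol["vsn"]]

if __name__ == "__main__":
    lnk = build_sample_lnk(0xDEADBEEF, "BACKUP", "E:\\report.docx")
    vol = parse_lnk_volume(lnk)
    print(f"LNK target {vol['local_base_path']} on volume {vol['label']!r}, VSN {vol['vsn']}")
    for d in correlate_lnk_to_devices(lnk, SAMPLE_EMDMGMT_SUBKEYS):
        print(f"  matches EMDMgmt device {d['device']} serial {d['serial']}")
```

On a real case the subkey names come from the Software hive (RegRipper output, or a hive parser of your choice) and the LNK bytes from shortcuts under the user's profile; a shortcut whose target was on a network share carries no VolumeID, so the parser returns None rather than a VSN. A VSN match identifies the device only as strongly as the VSN itself, so carry the serial returned here over to the USBStor subkeys before drawing a conclusion.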
As a final note, don't forget the value of historical information on the system, particularly for the Registry. The RegBack folder (under System32\config) should contain a backed-up copy of the Software hive (note that on Windows 10 version 1803 and later, automatic backups to RegBack are disabled by default, so the folder may be empty), and additional information is available in Volume Shadow Copies (VSCs). Corey Harrell has a number of excellent posts on his blog demonstrating how to use simple tools and processes, such as batch files, to exploit the information available in VSCs.
MS-SHLLINK file format specification
Description of EMDMgmt RegRipper plugin