Rob Lee shared an interesting tidbit of Vista Registry goodness with me recently...basically, the Vista Registry maintains some historical data on the drive letters that had been assigned to portable devices. Sweet!
The key in question is:
HKLM\Software\Microsoft\Windows Portable Devices\Devices
The subkeys beneath this key contain the device names...and the FriendlyName value contains the drive letter.
Rob discovered this as a part of the Computer Forensics SANS course as part of the section on Application Forensics where he and the class were examining U3 device footprints on a VISTA machine. (rlee@sans.org for contact info)
Very cool, Rob, and thanks for sharing!
And yes, I've already written a plugin for RegRipper...I KNEW you were going to ask that! =)
The output looks like:
Device : DISK&VEN_APPLE&PROD_IPOD&REV_1.62
LastWrite : Fri Sep 21 01:42:42 2007 (UTC)
SN : 000A270018A0E610&0
Drive : IPOD (F:)
Device : DISK&VEN_BEST_BUY&PROD_GEEK_SQUAD_U3&REV_6.15
LastWrite : Thu Feb 7 13:26:19 2008 (UTC)
SN : 0C90195032E36889&0
Drive : GEEKSQUAD (F:)
Device : DISK&VEN_CASIO&PROD_DIGITAL_CAMERA&REV_1.00
LastWrite : Sat Dec 15 01:17:56 2007 (UTC)
SN : 6&14BB4B7C&0
Drive : Removable Disk (F:)
Thats good!
ReplyDeleteIn the XP registry, a U-3 leaves two keys in HKLM\SYSTEM\ControlSet001\Enum\USBSTOR. One is for the "CD," and the other is for the disk drive. (I think that I sent you an XP System hive with U-3 entries.) However, in taking a quick look at a Vista registry while writing, it seems that there are far more entries under the Portable Devices key than in USBSTOR. Several exist for the same type of device, e.g., a Sony DSC, which strikes me as odd. Could be worth a study. Want a couple keys? :-)
ReplyDeleteIn the display that you presented, I think that the Geeksquad entry refers to the disk drive and not to the CD. The distinction is important, and perhaps the cited Vista key does not list the virtual CD associated with U-3s.
Jimmy,
ReplyDeleteIn the XP registry, a U-3 leaves two keys...
Yes, this was documented in my book.
Several exist for the same type of device...
I noticed that, too. I also noticed that each of the keys had a different LastWrite time, as well.
The distinction is important...
Agreed, but in the excerpt I displayed in my blog post, there had been no U3 devices plugged into that system...the GeekSquad device you see was plugged in after I had removed the U3 components.
Great Work! Thank u for wonderful information.
ReplyDelete