Harlan Carvey, in Windows Registry Forensics (Second Edition), 2016

USB Devices

Another item of interest to analysts will often be the devices (particularly USB devices) that had been attached to the system. Research into this area has been going on for some time; Cory Altheide and I published some of our joint research in this area in 2005, and some more recent analysis findings have been documented by Rob Lee on the SANS Forensic Blog (found online at ) on September 9, 2009. In short, the System hive maintains a great deal of information about the devices and when they were attached to the system. Additional information regarding user-specific artifacts of USB devices will be covered in chapter “Case Studies: User Hives” of this book.

In short, when a USB device is connected to a Windows system, the Plug-and-Play (PnP) manager receives the notification and queries the device. Information about the device, extracted from the device descriptor (which is not part of the memory area of the device), is then stored in the System hive beneath the ControlSet00n\Enum\USBStor and …\USB subkeys. The storage device is then (most often) recognized as a disk device and mounted as a drive letter or volume on the system. As such, additional information related to the device is recorded in the MountedDevices key within the System hive, as well as two subkeys beneath the Control\DeviceClasses key. The RegRipper plugin extracts information from the Enum\USBStor key; specifically, for each device class ID, it lists the FriendlyName value (and on Windows XP and 2003 systems, the ParentIdPrefix value) for each unique instance ID (listed as “S/N” for “serial number” in the plugin output). The Enum\USB key contains information about all USB devices that had been connected to the system (quite naturally, on some systems, I have entries for “Tableau USB-to-SATA” device), and the plugin will extract this information.

Once we have information about the USB devices attached to the system, we can attempt to map that device to a drive letter. This may not always be possible, particularly if multiple devices had been connected to the system successively. For example, I’ve connected a thumb drive to my system that has been mounted as the drive letter F:\. Later, I disconnect the device and then at some point connect another device, which is also mounted as the F:\ drive.

Before continuing, we need to understand that Windows treats external USB drives (hard drives in enclosures, such as “wallet” drives) and thumb drives or USB keys differently. Specifically, thumb drives contain a value within their unique instance ID key called the ParentIdPrefix; external drives do not contain this value. I have also seen where neither the storage component of my Motorola MB300 BackFlip smartphone nor a Garmin Nuvi (both the SD card and the flash device) will have a ParentIdPrefix value populated beneath the unique instance ID key.
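The per-device listing described for the Enum\USBStor key (device class ID, unique instance ID, FriendlyName, ParentIdPrefix) can be sketched as follows. This is an added example, not the RegRipper plugin or code from the book; it assumes a simplified .reg-style text export as input, and the device names, serial numbers and ParentIdPrefix data in the sample are constructed.

```python
import re

# Constructed sample: simplified .reg-style export of Enum\USBStor (not from a real system).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Example&Prod_ThumbDrive&Rev_1.00\0123456789AB&0]
"FriendlyName"="Example ThumbDrive USB Device"
"ParentIdPrefix"="7&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Example&Prod_ThumbDrive&Rev_1.00\0123456789AB&0\Device Parameters]
"Ignored"="value in a deeper subkey"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Sample&Prod_External_HDD&Rev_2.10\CDEF00112233&0]
"FriendlyName"="Sample External HDD USB Device"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [full\key\path]
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data"
MARKER = "\\enum\\usbstor\\"                # matched case-insensitively

def parse_usbstor(text):
    """Return {(class_id, instance_id): {value_name: data}} for instance keys only."""
    devices, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(MARKER)
            parts = path[idx + len(MARKER):].split("\\") if idx >= 0 else []
            # Exactly two components = <device class ID>\<unique instance ID>;
            # deeper subkeys (e.g. Device Parameters) are skipped.
            current = tuple(parts) if len(parts) == 2 else None
            if current:
                devices.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current:
            devices[current][val.group(1)] = val.group(2)
    return devices

def report(devices):
    """One row per unique instance ID; parent_id_prefix is None when the value is absent."""
    return [{"class_id": cid, "serial": sn,
             "friendly_name": v.get("FriendlyName"),
             "parent_id_prefix": v.get("ParentIdPrefix")}
            for (cid, sn), v in sorted(devices.items())]

if __name__ == "__main__":
    for row in report(parse_usbstor(SAMPLE)):
        print(row)
```

A missing ParentIdPrefix is reported as `None` rather than read as "external drive", since the text notes that some other devices also lack the value.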