Search Results

285 results found for "forensic"

  • Tracking Drive Letters and Volume GUIDs : A Forensic Guide

    When investigating devices connected to a computer, every small detail can help.

    Identifying the drive letter: For instance, the volume name used by a device can link it to files like LNK files, which store the volume name. The drive letter assigned to the device can lead us to other artifacts like Prefetch files, RecentDocs, Jump Lists, ShellBags, and more. But there's a catch: drive letter info isn't always available. Windows only keeps records of the last device assigned to a specific drive letter. Also, the same drive letter can be reused for multiple devices (this can be problematic, because only the most recent device and its associated information will be recorded). Still, certain artifacts, especially in newer Windows versions (10 and 11), tend to stick around longer, even after system updates.

    ------------------------------------------------------------------------------------------------------------

    Let's look at two key places where you can dig for drive letter and volume name info: VolumeInfoCache and MountedDevices.

    1. VolumeInfoCache: A Quick and Easy Check

    If you're using Windows 7 or later, this is your starting point. The VolumeInfoCache is located at: SOFTWARE\Microsoft\Windows Search\VolumeInfoCache

    This key contains sub-keys for each drive letter (like C:, D:, E:, etc.). Each sub-key has a VolumeLabel value, which tells you the volume name of the last device connected to that drive letter.

    Why use it?
    Quick and simple: It's easier to read compared to other registry keys.
    Good for SCSI drives and VHDs: Especially useful for modern devices like virtual hard drives or USB drives using UASP mode.

    Limitations:
    Only records the last device assigned to each drive letter.
    Timestamps here (the "last write time" of sub-keys) aren't always reliable for figuring out exactly when the device was connected.

    2. MountedDevices: A More Detailed Look

    If VolumeInfoCache doesn't give you what you need, try checking SYSTEM\MountedDevices. This key tracks drive letters and the devices mounted to them. It's especially useful for USB thumb drives (USBSTOR devices).

    How it works: Look for values like \DosDevices\E: (where "E:" is the drive letter). Inside the value data, search for the device's iSerialNumber. This links the drive letter to the specific device.

    Things to keep in mind: Devices can be mounted with different drive letters over time, so check all drive letter values. You might not find a match if another device was mounted at the same drive letter later.

    -------------------------------------------------------------------------------------------------------------

    Special Cases: Hard Drives and Partition Types

    Hard drives and SSDs (especially those with multiple partitions) are trickier to profile. Here's how they work based on the partition scheme:

    GPT Partitions: Values start with DMIO:ID. The last 16 bytes in the value are the Unique Partition GUID. Search for this GUID in the registry to find keys tied to the original device.

    MBR Partitions: If you do not see DMIO:ID at the start of a drive letter value, and do not see a USBSTOR Device ID and iSerialNumber, you are likely looking at partition data from a device using the older Master Boot Record (MBR) partition scheme. The first 4 bytes represent the Disk Signature. Search for this Disk Signature in the registry to uncover related keys that identify the device.

    -------------------------------------------------------------------------------------------------------------

    Why This Matters

    Understanding where and how to find drive letter and volume name info can make all the difference in your investigation. While VolumeInfoCache is a fast and easy starting point, SYSTEM\MountedDevices gives you a deeper dive, especially for older or more complex devices. With these tools, you'll be able to connect devices to their artifacts and uncover the story behind what was plugged in and when.

    -------------------------------------------------------------------------------------------------------------

    What's a Volume GUID?

    A Volume GUID (Globally Unique Identifier) is Windows' way of identifying a specific volume or partition on a device. It's a unique name enclosed in curly braces: \??\Volume{????????-????-????-????-????????????}

    For devices like USB flash drives (MSC USBSTOR), this Volume GUID can help us track down user activity tied to the device in later steps.

    How to Find Volume GUIDs for USB Devices: If you're profiling a USB flash drive, check the value data of Volume GUID entries within the MountedDevices key. Look for the device's iSerialNumber (the unique serial number). If it matches, you've found the Volume GUID for that device.

    Why Is This Step Important? This step lets you:
    Tie the device to a GUID: This helps you match the device with its associated user account in later steps.
    Track user activity: You'll need this Volume GUID to dive deeper into the behavior of the device and its user.

    Special Note: This method only works for MSC USBSTOR devices, like USB flash drives. For other device types, you'll need to rely on Windows Event Logs to identify which user account was active at the time the device was connected or used.

    ------------------------------------------------------------------------------------------------------

    I know this is a lot of information and I want to make things easy for you. So, are you ready? Let's start. Let's say you've identified a unique identifier for your device, such as the iSerialNumber. Registry Explorer lets you search across all loaded registry hives at once, saving you a lot of time.

    How to Search for Device Information

    Load the right hives: Make sure you've loaded the SYSTEM, SOFTWARE, and user NTUSER.DAT hives in Registry Explorer. These hives contain most of the data related to devices.

    Use the Find option: Go to Tools > Find and search for the device's iSerialNumber (or another unique identifier, such as the diskid).

    Review the results: If the device information is still present in the registry, you'll likely see many search hits. Not all of them will be relevant, so focus on keys needed for device profiling.

    What to Look For: Search results will typically include keys that provide: Device ID, Last Mountpoint, Drive Letter, Volume GUID. You may also find hits in less common locations, like Windows Portable Devices, which could provide additional details. Double-click any result of interest to jump directly to that registry key within Registry Explorer.

    Work Smarter, Not Harder: While it's possible to manually comb through the registry to profile a device, this process can be incredibly time-consuming, especially if you're dealing with multiple devices. By using unique identifiers and leveraging tools like Registry Explorer's search function, you can dramatically speed up the process.

    -----------------------------------------------Dean-------------------------------------------------

  • Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting

    Windows logs are full of juicy forensic breadcrumbs: logon events, privilege use, command executions, It’s an open-source digital forensics and incident response (DFIR) framework, and Hayabusa fits in beautifully www.cyberengage.org/courses-1/mastering-velociraptor%3A-a-comprehensive-guide-to-incident-response-and-digital-forensics avoid triggering antivirus tools like Windows Defender and to minimize file writes  on disk (protecting forensic -------------------------------- Final Thoughts If you’re working in threat detection, response, or forensics

  • Where Do We Begin? A Network Forensic Investigator’s Steps

    Forensic Mindset article let’s be honest—when you're knee-deep in a digital forensic investigation or But this is actually where the real DFIR (Digital Forensics and Incident Response) journey begins. -- Complexity ✅ Simple config ⚠️ Varies with features Use Case 🟡 Light monitoring 🟢 Heavy-duty, IR, forensics

  • Memory Forensics Using Strings and Bstrings: A Comprehensive Guide

    Memory forensics  involves extracting and analyzing data from a computer's volatile memory (RAM) to identify potential Indicators of Compromise (IOCs) or forensic artifacts crucial for incident response. provide practical examples, and explore how they can aid in quick identification of IOCs during memory forensics Advanced Usage with Offsets When you use strings with volatility (another powerful memory forensics -------------------------------------------------------------------------- Saving the Output Often, forensic

  • Leveraging Automation in AWS for Digital Forensics and Incident Response

    For those of us working in digital forensics and incident response (DFIR), keeping up with the cloud For those who are new to the cloud or want a quick start to cloud forensics, Amazon Machine Images SIFT (SANS Investigative Forensic Toolkit) is a popular option for forensics analysis and is available Tasks with AWS Lambda One of the most exciting aspects of cloud-based forensics is the potential for Use the AWS Systems Manager (SSM) agent to run forensic scripts on the instance.

  • Forensic Challenges of Cloud-Based Investigations in Large Organizations

    Forensic Access : Forensics in a SaaS environment is usually limited to logs, often determined by the Cloud-Based Forensics vs. Traditional On-Premises Forensics With traditional on-premises forensics , investigators have deep access Cloud forensics, however, is a different story. Conclusion: Embracing Cloud Forensics in an Evolving Threat Landscape Cloud forensics presents a unique

  • Understanding Linux Timestamps and Key Directories in Forensic Investigations

    When it comes to forensic investigations, Windows is often the primary focus. The Importance of Timestamps: MACB Much like in Windows, timestamps in Linux provide crucial forensic ************************************************** Key Linux Directories for Incident Response In a forensic Journaling and Forensic Analysis Linux filesystems like EXT3 and EXT4 use journaling to protect against data corruption , but accessing this data can be a challenge for forensic investigators.

  • A Deep Dive into Plaso/Log2Timeline Forensic Tools

    backend engine powering log2timeline, while log2timeline is the tool we use to extract timestamps and forensic They can incorporate Windows event logs, prefetch data, shell bags, link files, and numerous other forensic This comprehensive approach provides a more holistic view of system activity, making it invaluable for forensic Filters: - Filter will tell logged timeline to go after specific files that would contain forensically extra Conclusion: In conclusion, Plaso/Log2Timeline stands as a cornerstone in the field of digital forensics

  • Setting Up Velociraptor for Forensic Analysis in a Home Lab

    Velociraptor is a powerful tool for incident response and digital forensics, capable of collecting and Important Note:  This setup is intended for forensic analysis in a home lab, not for production environments client.config.yaml client -v This will configure Velociraptor to act as a client and start sending forensic decide to run Velociraptor manually or set it up as a service, you now have the flexibility to collect forensic explore the Velociraptor GUI interface , diving into how you can manage clients, run hunts, and collect forensic

  • Investigating macOS File System Events: The Hidden Forensic Trail

    This little-known database logs file system modifications, making it invaluable for forensic investigations Additionally , when individuals with limited forensic expertise are tasked with image collection, errors To address this challenge, I leveraged two powerful forensic artifact collection scripts: UAC ( https For instance, in this specific case, I used UAC  to extract key forensic data from a macOS system. Forensic analysts can extract and analyze .fseventsd data to reconstruct file system activity, including

  • Forensic Investigation: Techniques and Tools for Effective Threat Hunting

    In the ever-evolving landscape of cybersecurity, forensic investigators must be equipped with a diverse Sysmon logs, particularly Event ID 1, are invaluable for forensic investigators. $J and ZIP Files One of the key challenges in forensic investigations is detecting data exfiltration Documents" OR "TrustRecords") Conclusion By leveraging the tools and techniques outlined in this blog, forensic

  • Advanced OneDrive Forensics: Investigating Cloud-Only Files & Synchronization

    This presents new forensic challenges  since not all files exist locally , and standard filesystem artifacts We’ll cover: ✅ How OneDrive’s new sync model affects forensic investigations ✅ Tracking cloud-only files & deleted data ✅ Using OneDrive’s forensic artifacts to recover missing evidence ------------------- A forensic image may miss cloud-only files  unless OneDrive logs or sync databases are analyzed. ---- ------- 2️⃣ Where to Find OneDrive Artifacts Even if files are not stored locally , OneDrive leaves forensic
