Description: Discover the last drive letter of the USB Device when it was plugged into the machine.
Location:
Drive Letter:
Volume Name:
Notes: Identify the USB device that was last mapped to a specific drive letter. This technique will only work for the last drive mapped. It does not contain historical records of every drive letter mapped to a removable drive.
Analysis:
Work in Progress!
We can use Registry Explorer
by Eric Zimmerman to analyze the SYSTEM and SOFTWARE registry hives to determine the last device that was mapped to a Drive Letter by Windows. In addition, we can also use the registry to identify the friendly volume name of a USB device.
To determine the last device assigned to a Drive Letter by Windows, we can load the SYSTEM registry hive and analyze the SYSTEM\MountedDevices key. Windows keeps track of information about the last connected device.
The key will display some basic information about the device and unique serial number.
IMAGE OF SYSTEM\MountedDevices
In order identify what USB device, well need to cross-reference the serial number we captured with data from the SYSTEM\CurrentControlSet\Enum\USBSTOR
Using Registry Explorer
by Eric Zimmerman, we can
load the SOFTWARE registry hive and analyze the SOFTWARE\Microsoft\Windows Portable Devices\Devices key.