
LzyRgr

Member
  • Posts: 2
  • Donations: 0.00 USD
  • Country: United States
Everything posted by LzyRgr

  1. Thank you all for the quick responses. Jaclaz had it. Marrying the 4-byte volume ID in the MBR (decimal offset 440) to the data in the value field for \Dos\Devices\*: in the subkey \System\[CurrentControlSet]\MountedDevices did the trick. That data field is mirrored for the VolumeIDs in the same subkey. Thanks again.

     Dajuad - The info2 file gives you the logical drive letter it was assigned. If you are looking at it, clearly you have the physical device. You could show by the SID assigned to the recycle bin that it resolves to a user account listed in the Registry. I would think that becomes labor intensive if the SID belongs to a deleted account.
  2. This is a forensics question. I am in dire need of some help. I have a box of hard drives. I have a Windows XP desktop that has hosted one (or more) of these drives as a second physical drive. I need to be able to prove which drives out of the box (I know for sure one was) were connected (via IDE) to the desktop. Any thoughts on how to do that? There is some Registry data available but not enough.

     The file system located at \Windows\system32\config makes up part of the Registry [HKEY_LOCAL_MACHINE]. There are two sub-keys of note here:

     HKEY_LOCAL_MACHINE\MountedDevices
     HKEY_LOCAL_MACHINE\[CurrentControlSet]\Enum\IDE

     \MountedDevices contains subkeys for volume IDs (some sort of GUID) and the most recent drive letter assignments. It is only the most recent, as you will find many more volume IDs than \Dos\Device\[DriveLetter]: subkeys. The volume ID subkeys can be paired to drive letter subkeys because both will have the matching data in the value field.

     HKEY_LOCAL_MACHINE\[CurrentControlSet]\Enum\IDE contains subkeys for hardware that has been attached. Each device has a subkey, and there is some sort of logic used in the naming of the subkeys. It appears as if it has something to do with the model number of the physical device, then a subkey with some sort of MS naming convention, and the bus id (location:channel:target:lun). Nothing in these keys ties back to \MountedDevices.

     I found a file setup.txt in \Windows that lists the physical drives by the name given in HKEY_LOCAL_MACHINE\[CurrentControlSet]\Enum\IDE and a drive letter assignment. Is there a file that records drive letter assignment per device at startup? Thanks
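An added example, not code from this thread, that automates the match described in the first post: read the 4-byte signature at offset 440 of a drive's MBR and compare it with the values under MountedDevices. It goes one step beyond the post by also using the rest of the value: for a basic MBR volume the REG_BINARY data is 12 bytes, the disk signature followed by the 8-byte byte offset of the partition start, so each matching value can be tied to a specific partition on the drive. The MBR bytes and the registry values below are constructed sample data; the value names follow the \DosDevices\X: and \??\Volume{...} form seen in that key.

```python
import struct

def disk_signature(mbr: bytes) -> int:
    """4-byte disk signature stored little-endian at byte offset 440 of the MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 0x55AA boot signature")
    return struct.unpack_from("<I", mbr, 440)[0]

def partition_byte_offsets(mbr: bytes, sector_size: int = 512) -> list:
    """(index, start byte offset) for each used entry in the 4-slot table at offset 446."""
    offsets = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype, lba_start = entry[4], struct.unpack("<I", entry[8:12])[0]
        if ptype != 0 and lba_start != 0:
            offsets.append((i + 1, lba_start * sector_size))
    return offsets

def match_mounted_devices(mbr: bytes, mounted_devices: dict) -> list:
    """Return (value name, partition index) for every MountedDevices value on this disk.

    mounted_devices maps value names to their REG_BINARY data. A basic MBR volume
    is encoded as 12 bytes: <I disk signature><Q partition start byte offset>.
    Longer values (device interface paths, dynamic disks) are skipped.
    """
    sig = disk_signature(mbr)
    parts = {off: idx for idx, off in partition_byte_offsets(mbr)}
    hits = []
    for name, data in mounted_devices.items():
        if len(data) != 12:
            continue
        val_sig, val_off = struct.unpack("<IQ", data)
        if val_sig == sig:
            hits.append((name, parts.get(val_off)))  # None = signature matched, offset did not
    return hits

def build_sample_mbr(signature: int, partitions: list) -> bytes:
    """Constructed MBR: signature at 440, (type, lba_start, sectors) entries, 0x55AA trailer."""
    mbr = bytearray(512)
    struct.pack_into("<I", mbr, 440, signature)
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        mbr[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", mbr, 446 + 16 * i + 8, lba_start, sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

SAMPLE_MBR = build_sample_mbr(0xA1B2C3D4, [(0x07, 63, 2_000_000)])  # constructed seized drive
SAMPLE_MOUNTED = {  # constructed MountedDevices values from the XP desktop
    "\\DosDevices\\C:": struct.pack("<IQ", 0x11223344, 63 * 512),  # the desktop's own system disk
    "\\DosDevices\\E:": struct.pack("<IQ", 0xA1B2C3D4, 63 * 512),
    "\\??\\Volume{constructed-guid}": struct.pack("<IQ", 0xA1B2C3D4, 63 * 512),
}

if __name__ == "__main__":
    for name, idx in match_mounted_devices(SAMPLE_MBR, SAMPLE_MOUNTED):
        print(f"{name} -> partition {idx}")
```

On a real case, replace SAMPLE_MBR with the first 512 bytes of the drive image and SAMPLE_MOUNTED with the values exported from the SYSTEM hive's MountedDevices key; a hit on the drive-letter value and the matching Volume GUID value together is the pairing the first post describes.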