My friend and colleague, Kevin Ripa of the Grayson Group of Companies, has published some astonishing research [1] that shows Microsoft Windows can inaccurately report the serial numbers of the drives attached to the computer system and may even report the same incorrect serial number for multiple drives. This can lead a forensic analyst to draw the wrong conclusions and have a devastating impact on a legal case.
Windows stores information about the USB drives that have been attached to a computer system under the USBSTOR registry key. Forensic software reports out this information and sometimes the drives themselves are not in evidence. The Windows registry may be all the analyst has to work with.
Ripa's research casts doubt on the reliability of the registry to track the USB storage devices attached to the system under certain conditions. Therefore, it is of critical importance for a forensic analyst to validate the findings of their tools and to provide a caveat along with their analysis when discussing this registry artifact in their report.
Here is a summary of Ripa's findings:
- The Windows Registry may generate what Ripa calls a "Windows Assigned Device ID" and use that in lieu of a serial number when the hard drive or solid-state drive is connected to the computer via a USB serial device adapter.
- Microsoft may use the same synthesized serial number ("Windows Assigned Device ID") for a given adapter even when different drives are connected to it.
- The same USB serial device adapter may result in different synthesized serial numbers when used with different computers.
- In addition to synthesizing the serial number, Ripa observed that the registry misreported the size of a drive as being 3.5" when it was a 2.5" device.
- Windows may use the serial number of the external USB drive enclosure rather than the serial number of the drive inside the enclosure.
I just returned from the SANS Digital Forensics / Incident Response (DFIR) Summit 2023, and it was great to catch up with Kevin Ripa. I want to personally thank him for this amazing contribution to the forensic community and his thought leadership. My goal with this synopsis is to provide my non-technical audience with actionable information. I highly recommend reading his research for the technical details or get in touch with him.
As always, Lucid Truth Technologies stands ready to support your case involving digital forensics. Contact us today.
