When everything is ones and zeros, how do we locate meaningful evidence relating to the unauthorised use of USB devices?
There are four key identifiers we search for as follows:
- Volume Name
- Drive Letter
- Volume Serial Number
- Device Serial Number
The volume name is simply a name the user gives a ‘volume’ or ‘partition’, and there is no requirement for it to be unique. It tends to be a human readable name like “My USB Drive” and is stored on the device itself. In the case of USB devices, they will be formatted with a default partition and a volume name. This can pose difficulties in situations where many USB devices of the same manufacturer are located, all having the same factory default volume name. Alongside this, the fact that the volume name can be trivially changed by even an unskilled user makes it difficult to rely on the name when tracking a device. A strength of the volume name is that by being human readable and easily editable, it tends to provide us as analysts with a clue as its user purpose. For example, “Study” is probably for studying, “Work Files” may contain confidential information. Of course, we don’t judge a book by its cover so we will look at both.
The operating system assigns each partition with a unique drive letter (e.g. D or E drive). When the operating system detects a new partition it will often assign it the next free drive letter in alphabetical order. This assignment exists only within the operating system, it is not recorded onto the USB drive itself. No two partitions can be assigned the same drive letter at the same time. When a partition is unmounted (say, the USB key is removed from the machine) it’s letter is freed up and the operating system will happily assign that now free drive letter to any new partition it detects. For example, a USB plugged in one day may be the ‘D Drive’, and a different USB plugged in the next day may also be assigned the ‘D Drive’. Just like the volume name, this has pros and cons. Most machines have a fixed setup of drives meaning these drive letters actually are unique over time, C: drive is always C: drive. This also makes removable drives more obvious to the analyst, as any references to drives other than the usual fixed partitions are likely to refer to some other drive connected and disconnected, and hence, be of interest.
Volume Serial Number
The volume serial number is created when the partition is formatted. Each time a device is formatted, the serial number is reset. This number is essentially unique to each device, and is stored on the device itself. It remains constant as the USB device is used across different computers. As such, we can often use it to follow the evidential trail of a USB device as it is plugged into different machines.
Device Serial Number
Most USB devices are also allocated a unique serial number by the manufacturer and built into the device. These serial numbers are unique and static, and can be relied upon to uniquely identify a device. Unfortunately not all devices have a device serial number, in which case the operating system may create one for its own internal use but this will not be consistent across machines. However, the generated serial numbers can be distinguished from true serial numbers.