Portable Devices on Vista

Rob Lee shared an interesting tidbit of Vista Registry goodness with me recently...basically, the Vista Registry maintains some historical data on the drive letters that had been assigned to portable devices. Sweet!

The key in question is:
HKLM\Software\Microsoft\Windows Portable Devices\Devices

The subkeys beneath this key contain the device names...and the FriendlyName value contains the drive letter.

Rob discovered this as a part of the Computer Forensics SANS course as part of the section on Application Forensics where he and the class were examining U3 device footprints on a VISTA machine. (rlee@sans.org for contact info)

Very cool, Rob, and thanks for sharing!

And yes, I've already written a plugin for RegRipper...I KNEW you were going to ask that! =)
The output looks like:

Device : DISK&VEN_APPLE&PROD_IPOD&REV_1.62
LastWrite : Fri Sep 21 01:42:42 2007 (UTC)
SN : 000A270018A0E610&0
Drive : IPOD (F:)

Device : DISK&VEN_BEST_BUY&PROD_GEEK_SQUAD_U3&REV_6.15
LastWrite : Thu Feb 7 13:26:19 2008 (UTC)
SN : 0C90195032E36889&0
Drive : GEEKSQUAD (F:)

Device : DISK&VEN_CASIO&PROD_DIGITAL_CAMERA&REV_1.00
LastWrite : Sat Dec 15 01:17:56 2007 (UTC)
SN : 6&14BB4B7C&0
Drive : Removable Disk (F:)