The first device I tested was a bare 2.5” Seagate drive. To demonstrate this, I conducted a number of tests against 3 different USB devices.
Oh, and it gets worse! It seems that the serial numbers reported above (no matter which ones you pick), are often not even the actual device serial number! It turns out this is not exactly correct. We were told that this meant the value was generated by the computer at the time of insertion, and not from the factory when the USB device was built.
It turns out that the number being referred to as the serial number is very much an arbitrary value, and I don’t just mean “serial numbers” with an ampersand (&) as the second character. But that is a conversation for another day. WHAT? The difference has to do with how the device identifies to the computer. This key also contains USB connected device information. Run your eyes up the registry path and you will see a key named SCSI. The problem with this is that the value is not coming from under the SCSI key in the registry (although it could). As an aside, it might come as a surprise to many forensicators that the USBSTOR key does NOT contain all USB devices that have been attached. I have also now seen the value from above under serial number referred to as a “SCSI serial number”. Clearly, what we have been calling the serial number does not conflate with what the identification in PowerShell calls a serial number. As if that wasn’t confusing enough, according to Microsoft, the string listed above under pnpdeviceid is also identified as an “iSerialNumber”, and defined as, “… a device-defined index of the string descriptor that provides a string that contains a manufacturer-determined serial number for the device.” You will see in the following research that they are NOT reporting the “manufacturer-determined serial number”. In the diagram below, a command in PowerShell lists some values regarding the above two USB devices. As you can see, this can become confusing! Oddly enough, in the places where they call this the Product ID, they identify a different value as the Serial Number. As it turns out, Microsoft themselves report that this is variously an “iSerialNumber”, or a “Product ID”. Unfortunately, as with many things in forensics, the devil is in the details. It has long been held (and reported) that this value is the serial number of the device.
After identifying the device Vendor and Product, we proceed to the subkey of that key, and we see the values as shown in the diagram below. We have often started in the USBSTOR key, and then drilled down to identify the USB device. The issue has to do with incorrect, inconsistent, and poorly documented nomenclature. For anyone who has been doing forensics for any period of time, you will be familiar with the location of USB device artifacts in the registry. Unfortunately, this evidence often can only withstand scrutiny in the absence of the USB devices being reported. The notion that we can determine what USB devices have ever been attached to a system even though the devices are no longer present, is astonishing to the uninitiated. Remember that usually, USB investigation is happening in the complete absence of any of the USB devices being investigated. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. The difficulty comes in attempting to make sense of all this data.
Oxygen Forensic® Detective is distributed in a USB dongle and is valid for a single user. Thank you to Daniel Dickerman and Chad Tilbury for initially sending me down this rabbit hole! Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. By using the integrated industry-leading analytical tools to find social connections, build timelines, and categorize images, law enforcement, corporate investigators and other authorized personnel can help make this world a safer place. The cutting-edge and innovative technologies deployed in Oxygen Forensic® Detective include, but are not limited to, bypassing screen locks, locating passwords to encrypted backups, extracting and parsing data from secure applications and uncovering deleted data. Furthermore, multiple extractions can be investigated in a single interface to gain a complete picture of the data. Oxygen Forensic® Detective can also find and extract a vast range of artifacts, system files as well as credentials from Windows, macOS, and Linux machines.
Oxygen Forensic® Detective is an all-in-one forensic software platform built to extract, decode, and analyze data from multiple digital sources: mobile and IoT devices, device backups, UICC and media cards, drones, and cloud services.