DFIR Review

USB Forensics – Recover more Volume Serial Numbers (VSNs) with the Windows 10 Partition/Diagnostic Event Log

Research

White papers
  • DFIR Review
  • Windows
Tools
  • AXIOM
  • JLECmd
  • LECmd

Windows 10 introduced a new event log of vital importance to both digital forensic examiners and incident responders. The new Partition/Diagnostic event log is found at C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx. We are not the first to analyze this artifact in pursuit of extracting and interpreting its valuable information. Harlan Carvey [1], Jason Hale [2][3], forensixchange [4] and Costas K. [5] have all analyzed it and shed light on what can be stored in this event log.

Attachments

  • Volume Serial Number Recovery (File Size: 2 MB, Downloads: 5)