Windows Device Properties Parser
Although the EnCase System Information Parser already provides a lot of useful device-related information, this script outputs additional information, e.g., the last-removal (disconnected) date. It also links each device to its device container, which has additional properties, e.g., the location of any custom container icon that has been cached to the system disk.
Device containers are a relatively new concept in Windows. They reflect the fact that a single physical device may present more than one logical device.
For example, a removable USB disk will typically present at least four logical devices: a USB-storage device, a disk, a Windows portable device (WPD), and one or more generic volumes.
Later versions of Windows link these devices through use of a GUID called the ContainerID.
Using the ContainerID to filter the spreadsheet and/or bookmarks produced by the script will allow the examiner to group together all of a physical device's properties in a way that may reveal relevant information that might otherwise be missed.
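The grouping described above can also be done outside EnCase on an exported spreadsheet. The following Python sketch is an added example, not part of the script or its output format: the column names and sample rows are constructed assumptions. It normalises braces and letter case in the GUID and sets aside the container ID that Windows assigns to devices internal to the computer, which would otherwise merge unrelated built-in devices into one group.

```python
import csv
import io
import uuid
from collections import defaultdict
from datetime import datetime

# Container ID Windows assigns to devices internal to the computer itself;
# grouping on it would merge unrelated built-in devices into one "device".
INTERNAL_CONTAINER = uuid.UUID("00000000-0000-0000-ffff-ffffffffffff")

# Constructed sample rows; column names are assumptions, not the script's own.
SAMPLE_CSV = """Device,Class,ContainerID,LastRemoval
USB Mass Storage Device,USB,{A1B2C3D4-0000-4000-8000-000000000001},2023-05-02T10:15:00
Example Flash Disk USB Device,DiskDrive,{a1b2c3d4-0000-4000-8000-000000000001},2023-05-02T10:15:01
EXAMPLE_VOL,WPD,a1b2c3d4-0000-4000-8000-000000000001,2023-05-02T10:15:01
Generic volume,Volume,{A1B2C3D4-0000-4000-8000-000000000001},
Internal SATA Disk,DiskDrive,{00000000-0000-0000-FFFF-FFFFFFFFFFFF},
Example Webcam,Camera,{A1B2C3D4-0000-4000-8000-000000000002},2023-04-11T08:00:00
"""

def group_by_container(csv_text):
    """Return {container UUID: {"devices": [...], "last_removal": datetime|None}}."""
    groups = defaultdict(lambda: {"devices": [], "last_removal": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            # uuid.UUID accepts braces and any letter case, so variants collapse.
            cid = uuid.UUID(row["ContainerID"].strip())
        except ValueError:
            continue  # blank or malformed ContainerID: cannot be linked
        if cid == INTERNAL_CONTAINER:
            continue  # not a distinct physical device
        group = groups[cid]
        group["devices"].append((row["Class"], row["Device"]))
        if row["LastRemoval"]:
            seen = datetime.fromisoformat(row["LastRemoval"])
            if group["last_removal"] is None or seen > group["last_removal"]:
                group["last_removal"] = seen
    return dict(groups)

if __name__ == "__main__":
    for cid, info in group_by_container(SAMPLE_CSV).items():
        print(f"{{{cid}}} last removed: {info['last_removal']}")
        for dev_class, name in info["devices"]:
            print(f"    {dev_class:<10} {name}")
```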
Please note that the script processes the current control set (CCS) only. It will not process the DEVPKEY_DeviceContainer_AssociationArray property on account of persistent corruption experienced when the underlying Registry hive file is parsed by EnCase without the associated log files.
For more information regarding device properties, please see the following link:
This script was developed for use in EnCase training. For more details, please click the following link: