Windows 10 introduced an event log of high value to digital forensic examiners and incident responders — especially when device attribution is required. Written for a technical audience, this blog shares the results of an analysis showing what can be stored in the log. Read the blog to gain insight into methodology, results and their relevance.
What is the Windows 10 Partition Diagnostic Event Log?
The Windows 10 Partition Diagnostic Event Log is a new event log introduced in Windows 10 that plays a crucial role for digital forensic examiners and incident responders. It is located at C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition-Diagnostic.evtx and stores vital information about both removable devices (like USB sticks and external hard drives) and internal hard disks. This log records events when devices are plugged in or removed, as well as during system boot, making it a valuable resource for recovering Volume Serial Numbers (VSNs) and attributing them to specific devices.
How many Volume Serial Numbers can be recovered?
From a single Windows event log entry, up to three Volume Serial Numbers (VSNs) can be recovered for devices that have multiple volumes. This capability is particularly useful for forensic investigations, as it allows examiners to retrieve VSNs even after a device has been formatted, thereby maintaining a historical record of the device's connections.
What limitations exist in the event log analysis?
There are several limitations to keep in mind. The event log primarily supports devices with MBR partition schemes and may not accurately log information for devices with GPT partition schemes. Additionally, the log does not retain information about the fourth partition of a device if it exists, and its lifespan is relatively short, as it can be cleared during major Windows updates. Furthermore, the log may not capture all details for certain file systems, such as EXT3, which could limit the comprehensiveness of the forensic analysis.
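As an added illustration (not code from the original blog), the following Python turns raw volume boot record (VBR) bytes of the kind the log retains into a Windows-style Volume Serial Number, and caps one record at three volumes as the log does. It assumes you have already pulled the raw VBR bytes out of an event record; the event's field names are not given on this page and are not assumed here, and the sample sectors are constructed rather than captured from a device.

```python
import struct

def fmt_vsn(value: int) -> str:
    """Render a 32-bit serial the way Windows does: XXXX-XXXX."""
    return f"{value >> 16:04X}-{value & 0xFFFF:04X}"

def extract_vsn(vbr: bytes):
    """Identify the file system from a volume boot record (first sector of a
    partition) and return (file_system, vsn), or None if no VSN is present."""
    if len(vbr) < 512:
        return None                                   # empty or truncated blob
    oem = vbr[3:11]
    if oem == b"NTFS    ":
        # NTFS stores an 8-byte serial at 0x48; Windows reports its low 32 bits.
        return ("NTFS", fmt_vsn(struct.unpack_from("<I", vbr, 0x48)[0]))
    if oem == b"EXFAT   ":
        return ("exFAT", fmt_vsn(struct.unpack_from("<I", vbr, 0x64)[0]))
    if vbr[0x42] == 0x29 and vbr[0x52:0x5A].startswith(b"FAT32"):
        return ("FAT32", fmt_vsn(struct.unpack_from("<I", vbr, 0x43)[0]))
    if vbr[0x26] == 0x29 and vbr[0x36:0x3E].startswith(b"FAT"):
        return ("FAT12/16", fmt_vsn(struct.unpack_from("<I", vbr, 0x27)[0]))
    return None   # e.g. EXT3 keeps its superblock past the first sector

def vsns_from_record(vbrs):
    """The log keeps at most three VBRs per event, so only three are parsed."""
    return [extract_vsn(v) for v in vbrs[:3]]

# Constructed sample sectors (not captured from a real device) for a demo run.
def make_vbr(fs: str, serial: int = 0) -> bytes:
    s = bytearray(512)
    s[0x1FE:0x200] = b"\x55\xAA"                      # boot sector signature
    if fs == "NTFS":
        s[3:11] = b"NTFS    "
        struct.pack_into("<Q", s, 0x48, serial)
    elif fs == "exFAT":
        s[3:11] = b"EXFAT   "
        struct.pack_into("<I", s, 0x64, serial)
    elif fs == "FAT32":
        s[0x42] = 0x29
        struct.pack_into("<I", s, 0x43, serial)
        s[0x52:0x5A] = b"FAT32   "
    elif fs == "FAT16":
        s[0x26] = 0x29
        struct.pack_into("<I", s, 0x27, serial)
        s[0x36:0x3E] = b"FAT16   "
    return bytes(s)                                   # EXT3: first sector is blank

SAMPLE_RECORD = [make_vbr("NTFS", 0x1122334455667788), make_vbr("FAT32", 0xC6B4F6D0),
                 make_vbr("EXT3"), make_vbr("FAT16", 0x0001ABCD)]   # constructed
print(vsns_from_record(SAMPLE_RECORD))
```

The fourth constructed volume is dropped by design, matching the log's missing fourth-partition data, and the EXT3 sector yields None because its first sector carries no VSN.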