This EnScript is designed to determine drive-letter assignments for volumes mounted under Microsoft Windows. The script supports FAT, exFAT and NTFS volumes located on basic (MBR) and GPT partitioned disks.
The script works by looking for FAT, exFAT and NTFS volumes in the current case. When it finds such a volume the script creates an internal list-item containing the volume's case-moniker and offset, together with the 4 bytes at offset 440 of the host disk (on Windows disks these bytes hold the disk signature). In addition to recording the disk signature and volume offset, the script checks whether the host disk is GPT-partitioned; if it is, the script also records the volume's GUID. Whilst iterating the case looking for supported volumes, the script also builds a list of SYSTEM Registry hive files, which it subsequently parses.
The contents of the MountedDevices key from each hive are enumerated and Registry values with a name of the form '\DosDevices\X:' are identified. The value-data of each of these Registry values is then examined. If it is 12 bytes in length it is assumed to contain a 4-byte disk signature followed by an 8-byte volume offset. If it is 24 bytes in length it is assumed to contain the signature 'DMIO:ID:' followed by a 16-byte GPT partition GUID. After parsing the data from each MountedDevices Registry value the script examines its internal list of volumes looking for a match. If it finds one, the script bookmarks the volume together with the drive letter that forms part of the Registry value-name.
Bookmarks are grouped according to the SYSTEM Registry hive file from which they were parsed. This takes account of the fact that a volume might have been mounted by more than one installation of Windows. The examiner can jump to the volume referred to by a bookmark by clicking the 'Go to file' button; the same applies to the bookmark created for each Registry file that has been parsed. Once all of the SYSTEM Registry hives have been processed the script writes a list of volumes marked as originating from fixed disks that have no drive letter associated with them; these volumes are also bookmarked.
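The decoding and matching described above, written out in Python as an added example (it is not the EnScript itself nor any code from the script's author). The volume records, their 'fixed' flag and all Registry values are constructed sample data for the example.

```python
import re
import struct
import uuid

DOS_DEVICE = re.compile(r"^\\DosDevices\\([A-Z]):$", re.IGNORECASE)
DMIO_PREFIX = b"DMIO:ID:"

# Constructed sample data (not from a real case); the 'fixed' flag is an assumed field.
GPT_GUID = uuid.UUID("0f5b3d1c-7a22-4e8b-9c3d-1a2b3c4d5e6f")
SAMPLE_VOLUMES = [
    {"moniker": "Disk0\\C", "signature": 0xA1B2C3D4, "offset": 1048576, "guid": None, "fixed": True},
    {"moniker": "Disk1\\Data", "signature": 0x11223344, "offset": 17408, "guid": GPT_GUID, "fixed": True},
    {"moniker": "Disk1\\Backup", "signature": 0x11223344, "offset": 53687091200,
     "guid": uuid.UUID("9e1c2b3a-4d5e-4f60-8172-93a4b5c6d7e8"), "fixed": True},
]
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 1048576),  # 12-byte MBR form
    r"\DosDevices\D:": DMIO_PREFIX + GPT_GUID.bytes_le,           # 24-byte GPT form
    r"\DosDevices\F:": r"\??\USBSTOR#Disk&Ven_Example#SERIAL#{class-guid}".encode("utf-16-le"),
}

def parse_mounted_device(data):
    """Decode one value into a match key, as the script does: 12 bytes = 4-byte
    disk signature + 8-byte offset (little-endian); 24 bytes starting 'DMIO:ID:'
    = 16-byte GPT partition GUID. Anything else (e.g. USB device paths) -> None."""
    if len(data) == 12:
        return ("mbr",) + struct.unpack("<IQ", data)
    if len(data) == 24 and data.startswith(DMIO_PREFIX):
        return ("gpt", uuid.UUID(bytes_le=data[8:]))
    return None

def volume_keys(vol):
    """Signature+offset always; the partition GUID too when the host disk is GPT."""
    keys = {("mbr", vol["signature"], vol["offset"])}
    if vol["guid"] is not None:
        keys.add(("gpt", vol["guid"]))
    return keys

def assign_drive_letters(mounted_devices, volumes):
    """Return (letter -> moniker, fixed-disk monikers left without a letter).
    Assumes, like the script, that signatures and partition GUIDs are unique."""
    letters = {}
    for name, data in mounted_devices.items():
        match, key = DOS_DEVICE.match(name), parse_mounted_device(data)
        if match and key is not None:  # skip non-letter names and unsupported data
            for vol in volumes:
                if key in volume_keys(vol):
                    letters[match.group(1).upper()] = vol["moniker"]
    lettered = set(letters.values())
    return letters, [v["moniker"] for v in volumes if v["fixed"] and v["moniker"] not in lettered]
```

With the sample data, C: and D: resolve to their volumes, the USB device-path value for F: is skipped, and the Backup volume is reported as a fixed-disk volume with no drive letter.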
It's important to bear in mind that identifying fixed-disk volumes is tricky: some might actually have been mounted as USB disks, others via alternative means such as NTFS reparse points.
Please Note: The script assumes that every drive in the current case has a unique signature; the same applies to volume GUIDs. If this isn't the case the examiner may experience unexpected or inconsistent results. The script does not support mapping drive letters for USB devices identified solely by device path; this is a tricky business that requires the USB serial number, which is not guaranteed to be available. The examiner should also bear in mind that the script may not be able to determine drive-letter assignments for recovered partitions, most likely because the Registry entries for those partitions were deleted when the partitions were deleted.
EnCase Forensic 7.1
The problem was that the drive letter I needed wasn't in the list.
A note for anyone who reads this in the future who does support: when working with someone who says "a drive letter is missing", make sure to understand if they mean the drive doesn't have a letter assigned, or if the problem is that the letter they need isn't available. I saw a LOT of this while I was researching this problem. I could tell that the person asking the question was saying that the letter wasn't in the list, but the person trying to help would just point them towards drive management (where they already were, if you read carefully).
In my case, it turned out I have software running that mounts iso files as CD drives. That's where the drive letter was - it had taken the assignment, but without an iso mounted, it didn't show up in drive management.
Philo Janus, MCP
Author: Pro InfoPath 2007; Pro PerformancePoint 2007; Pro SQL Server Analysis Services 2008; Building Integrated Business Intelligence Solutions with SQL Server 2008 R2 & Office 2010
Blog @ http://philo.typepad.com/with-all-due-respect/