Description


This EnScript is designed to determine drive-letter assignments for volumes mounted under Microsoft Windows.

The script supports FAT, exFAT and NTFS volumes located on basic (MBR) and GPT partitioned disks.

The script works by looking for FAT, exFAT and NTFS volumes in the current case. When it finds such a volume, the script creates an internal list-item containing the volume's case-moniker and offset, together with the 4 bytes at offset 440 on the host disk (these bytes represent the disk-signature on Windows disks).

In addition to keeping a record of the disk-signature and volume-offset, the script will also check to see if the host-disk is GPT-partitioned. If it is, then the script will keep a record of the volume GUID.

Whilst iterating the case looking for supported volumes, the script will also create a list of SYSTEM registry-hive files, which it will subsequently parse. The contents of the MountedDevices key from each hive will be enumerated and Registry values with a name of the form '\DosDevices\X:' identified.

The value-data for each of these Registry values will be examined. If it's 12 bytes in length then it will be assumed to contain a 4-byte disk-signature followed by an 8-byte volume offset. If it's 24 bytes in length then it will be assumed to contain a signature that is 'DMIO:ID:' followed by a 16-byte GPT partition-GUID.

After having parsed the data from each of the MountedDevices Registry values, the script will examine its internal list of volumes looking for a match. If it finds one, the script will bookmark the volume together with the drive-letter that is part of the Registry value-name.
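The parsing and matching steps described above can be sketched in Python as follows. This is an added example, not the EnScript's own code: the function names, the volume-list layout and all sample values are constructed for illustration, and it assumes little-endian integers and a GUID stored in on-disk byte order.

```python
import struct
import uuid

DMIO_PREFIX = b"DMIO:ID:"  # 8-byte marker that precedes a GPT partition GUID

def parse_mounted_device(data):
    """Classify MountedDevices value data by its length."""
    if len(data) == 12:
        # 4-byte disk signature + 8-byte volume offset (read as little-endian)
        signature, offset = struct.unpack("<IQ", data)
        return ("mbr", signature, offset)
    if len(data) == 24 and data.startswith(DMIO_PREFIX):
        # 16-byte GUID, assumed to be in on-disk (mixed-endian) byte order
        return ("gpt", uuid.UUID(bytes_le=data[8:]))
    return None  # any other form, e.g. a device path, is not mapped

def map_drive_letters(values, volumes):
    """Match '\\DosDevices\\X:' values against the volumes found in the case."""
    by_mbr = {(v["signature"], v["offset"]): v["name"] for v in volumes}
    by_gpt = {v["guid"]: v["name"] for v in volumes if v["guid"]}
    letters = {}
    for name, data in values.items():
        if not (name.startswith("\\DosDevices\\") and name.endswith(":")):
            continue
        parsed = parse_mounted_device(data)
        if parsed is None:
            continue
        lookup = by_mbr if parsed[0] == "mbr" else by_gpt
        key = parsed[1:] if parsed[0] == "mbr" else parsed[1]
        if key in lookup:
            letters[name[-2:]] = lookup[key]
    return letters

# Constructed sample data, not taken from a real case
GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
VOLUMES = [
    {"name": "MBR volume", "signature": 0x1234ABCD, "offset": 1048576, "guid": None},
    {"name": "GPT volume", "signature": 0, "offset": 1048576, "guid": GUID},
]
VALUES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1234ABCD, 1048576),
    "\\DosDevices\\E:": DMIO_PREFIX + GUID.bytes_le,
    "\\DosDevices\\F:": "constructed-device-path".encode("utf-16-le"),
    "\\DosDevices\\G:": struct.pack("<IQ", 0xDEADBEEF, 1048576),  # no such disk
}

if __name__ == "__main__":
    for letter, volume in sorted(map_drive_letters(VALUES, VOLUMES).items()):
        print(letter, "->", volume)
```

The F: and G: entries show the two ways a value can fail to produce a mapping: data that is neither 12 nor 24 bytes long, and a disk-signature that matches no volume in the case.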

Bookmarks will be grouped according to each SYSTEM Registry hive file that's been parsed. This is to take account of the fact that a volume might have been mounted by more than one installation of Windows. The examiner can jump to the volume referred-to by a bookmark by clicking the 'Go to file' button. The same applies to the bookmark created for each Registry file that's been parsed.

Once all of the SYSTEM Registry hives have been processed, the script will write a list of volumes marked as originating from fixed-disks that don't have drive-letters associated with them; these volumes will also be bookmarked. It's important to bear in mind that identifying fixed-disk volumes is tricky. Some might actually have been mounted as USB disks; others might have been mounted via alternate means, such as NTFS reparse points.

Please note that the script will assume that every drive in the current case will have a unique signature; the same applies to volume GUIDs. If this isn't the case then the examiner may experience unexpected or inconsistent results.

The script does not support the mapping of drive-letters for USB devices identified solely by device-path. This is a tricky business that requires the USB serial-number, which is not guaranteed to be available.

The examiner should bear in mind that the script may not be able to determine drive-letter assignments for recovered partitions. This will most likely be due to the Registry entries for those partitions having been deleted when the partitions were deleted.

This script will not work properly in EnCase 21.2 due to a change in the way that the device cache is implemented. This issue should be fixed in EnCase 21.3.

This script was developed for use in EnCase training. For more details, please click the following link:

Releases

Release: Windows Drive Letter Assignments 2.1.0.0
Date: Aug 1, 2024

Product compatibility
Tested with: EnCase 21.01.00.68

Languages: English
