Forensics: Examining USB Drives

When conducting a computer forensics investigation involving a USB thumb drive, in addition to imaging the drive, it is recommended that the PID and serial number of the USB device are recorded. This is particularly important for those working in the civil sector.

The reason is that investigators in the civil sector often image or collect the data at the scene and then have to return the original source media, leaving them with only the images.

With hard drives, CDs, etc., this is not a problem, because an image captures all of the data required; with a USB drive, however, this may not be the case.

The serial number and PID of a USB drive are reported by the device's USB controller rather than stored in the storage area that gets imaged, so they are not captured in the image.

This information can be important if the investigator is trying to prove that a particular USB drive was connected to a computer, because the serial number and PID of the USB drive are written to the registry (under the USBSTOR and USB keys of the SYSTEM hive) and to Setupapi.log (setupapi.dev.log on Windows Vista and later) of the computer it is connected to. One caveat: a drive that does not report a unique serial number is given a Windows-generated instance ID instead (recognisable by an "&" as its second character), and that value cannot be matched back to the hardware. If this information is not obtained from the USB thumb drive at the time of collection, it may never be available again: the USB drive could be lost or destroyed, or access to it could be refused.

If the USB serial number/PID is not available it may not be possible to prove a sequence of events; this is particularly important in data theft investigations.
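To show what the investigator is matching against, here is an added example (not from the original post or from Tableau) that parses the USBSTOR entries Windows writes to setupapi.dev.log, splits each device-instance path into vendor, product, revision and serial number, flags Windows-generated instance IDs, and checks whether a serial number read from the physical drive appears in the log. The log excerpt is constructed for illustration, and the function names are my own.

```python
"""Match a USB drive's serial number against Windows setupapi.dev.log entries.

Added example, not part of the original post. The sample log text below is
constructed; the function names are assumptions, not a real tool's API.
"""
import re
from datetime import datetime

# Constructed sample of two "Device Install" sections in the format used by
# setupapi.dev.log on Windows Vista and later. The second device reports no
# unique serial, so Windows generated its instance ID ("&" in position two).
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230406111262&0]
>>>  Section start 2019/03/12 14:05:31.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/12 14:05:33.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
>>>  Section start 2019/03/13 09:12:00.000
<<<  Section end 2019/03/13 09:12:01.000
<<<  [Exit status: SUCCESS]
"""

# Device-instance path as it appears both in setupapi.dev.log and under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR in the registry:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<serial>&0
USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<devtype>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^\\]*)\\(?P<instance>[^\]\s]+)",
    re.IGNORECASE,
)
DEVICE_INSTALL_RE = re.compile(
    r">>>\s+\[Device Install \(Hardware initiated\) - (?P<path>USBSTOR\\[^\]]+)\]"
)
SECTION_START_RE = re.compile(
    r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
)


def parse_usbstor_path(path):
    """Split a USBSTOR device-instance path (from the log or a registry key
    path) into its fields. Returns None if the path is not a USBSTOR path."""
    m = USBSTOR_RE.search(path)
    if not m:
        return None
    instance = m.group("instance")
    # The instance ID is "<serial>&<interface index>"; drop the trailing "&0".
    serial = instance.rsplit("&", 1)[0] if "&" in instance else instance
    return {
        "devtype": m.group("devtype"),
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("revision"),
        "serial": serial,
        # Windows substitutes its own ID when the device reports no unique
        # serial; such IDs have "&" as their second character and cannot be
        # traced back to a specific physical drive.
        "windows_generated_serial": len(serial) > 1 and serial[1] == "&",
    }


def parse_setupapi_dev_log(text):
    """Return one record per USBSTOR 'Device Install (Hardware initiated)'
    section, with the section start time as the first-install timestamp."""
    records = []
    current = None
    for line in text.splitlines():
        m = DEVICE_INSTALL_RE.match(line)
        if m:
            current = parse_usbstor_path(m.group("path"))
            continue
        m = SECTION_START_RE.match(line)
        if m and current is not None:
            current["first_install"] = datetime.strptime(
                m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"
            )
            records.append(current)
            current = None
    return records


def find_drive(records, serial):
    """Return the records whose serial matches the one read from the physical
    drive (for example, from a hardware write blocker's display). The
    comparison is case-insensitive because the log and registry may differ."""
    return [r for r in records if r["serial"].lower() == serial.lower()]


if __name__ == "__main__":
    for rec in parse_setupapi_dev_log(SAMPLE_SETUPAPI_LOG):
        print(rec["first_install"].isoformat(), rec["vendor"], rec["product"],
              rec["serial"], "(generated)" if rec["windows_generated_serial"] else "")
```

On a real case the log comes from C:\Windows\inf\setupapi.dev.log in the suspect machine's image, and the serial to look up is the one recorded from the drive itself at collection time. A record flagged as windows_generated_serial only shows that some drive of that vendor and product was attached; it cannot identify which one.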

Software tools can pull this information from the USB drive, but doing so requires connecting the drive directly to a computer, which may not be feasible and, without a write blocker, risks altering the evidence. Tableau's T8 hardware write blocker for USB devices displays all of the required information.

Tableau USB Write Blocker
