Re: [sleuthkit-users] Serial number of drive from dd image
From: Matthew M S. <mm...@ta...> - 2005-03-21 19:36:31
On Mon, 2005-03-21 at 13:58, Lisa Muir wrote:
> Hello group,
>
> I've recently been assigned a case where I will have the opportunity
> to examine a drive while supervised by the other side.
>
> We're basically validating/refuting evidence that has already been presented.
>
> One thing that has been requested of me, is to verify the serial
> number of the drive in question - however, I'll only have access to
> the actual dd image, which is supposed to be a dd image of the entire
> device.
>
> *if* the serial number was in there, where would I look? or how can I
> determine this?

Depends on the operating system...

Linux, I'd check the /var/log/messages file for the kernel boot messages.

Windows.. Well, you might be stuck here, you can always check the event log files for failed drive events, these typically append the physical drive label and serial number to the event message. The registry is not going to be of much help, as the registry entries that contain hardware specific data are mapped directly to memory, they are not serialized to the disk (HKLM\HARDWARE, HKEY_LOCAL_MACHINE\HARDWARE).

My next suggestion would be to look at the installed programs and see if they are running any products that use the Hard drive serial number to provide some manner of copy protection.

Good Luck!

--
Matthew M. Shannon, CIFI, CISSP
Principal
Agile Risk Management LLC
www.agilerm.net
msh...@ag...
(c)813.732.5076
(o)1.877.AGILE13 (244.5313)