On Mon, 2005-03-21 at 13:58, Lisa Muir wrote:
> Hello group,
>
> I've recently been assigned a case where I will have the opportunity
> to examine a drive while supervised by the other side.
>
> We're basically validating/refuting evidence that has already been presented.
>
> One thing that has been requested of me is to verify the serial
> number of the drive in question - however, I'll only have access to
> the actual dd image, which is supposed to be a dd image of the entire
> device.
>
> *If* the serial number was in there, where would I look? Or how can I
> determine this?

Depends on the operating system...

Linux, I'd check the /var/log/messages file for the kernel boot
messages.

Windows...
Well, you might be stuck here. You can always check the event log files
for failed drive events; these typically append the physical drive label
and serial number to the event message.

The registry is not going to be of much help, as the registry entries
that contain hardware-specific data are mapped directly to memory; they
are not serialized to the disk (HKLM\HARDWARE,
HKEY_LOCAL_MACHINE\HARDWARE).

My next suggestion would be to look at the installed programs and see if
they are running any products that use the hard drive serial number to
provide some manner of copy protection.

Good luck!
--
Matthew M. Shannon, CIFI, CISSP
Principal
Agile Risk Management LLC
www.agilerm.net
msh...@ag...
(c)813.732.5076
(o)1.877.AGILE13 (244.5313)