Does anyone have a use for a utility intended for use when documenting disk information?
When I have a hard drive that I'm imaging, I have an acquisition worksheet that I fill out, and usually a chain-of-custody form, as well. The acquisition worksheet contains information about the acquisition…what software used, write-blocker, etc. There's also information about the evidence drive itself, some of which I get right off the label.
Sometimes, I might need more info than what's on the label. Also, in some cases, I may want to run AV software against the drive while it's still hooked up to the write-blocker. So I had the thought of writing a utility that would give me information about the drive that I could use to document it. I've located three WMI classes (Win32_DiskDrive, Win32_DiskPartition, and Win32_LogicalDisk) that provide some very good info…some of which can be confirmed or mapped to the contents of the Registry located in the image.
The cool thing is that a tool like this can be run against a drive on a write-blocker, or can be run on a live system during IR activities, or against a remote system.
Is something like this of use to anyone? I mean, I find it useful, but I'm not sure if others will…
Thanks,
H
You require the program for SMART HDD analysis.
What?
Harlan,
This would definitely be useful, especially if you could tie HPA and DCO detection in to it. I wonder…would those be invisible to WMI since they are "invisible" to windows?
What information is on your form?
I collect Make, Model, Type, S/N, LBA, CHS, and include a photograph of the disk.
I use 5 commands in linux to gather disk information and output it to a directory containing case information
hdparm -giI /dev/suspect_disk
dmesg
disk_stat /dev/suspect_disk
fdisk -lu /dev/suspect_disk
mmls /dev/suspect_disk
smartctl may be used in the future using smartctl --all /dev/suspect_disk to ascertain disk health when in my possession.
> would those be invisible to WMI
yeah, they would.
Right now, the format looks like this
DeviceID \\.\PHYSICALDRIVE0
Model ST910021AS
Interface IDE
Media Fixed hard disk media
Signature 0x41ab2316
Partition Info
Disk #0, Partition #0
Installable File System
Disk #0, Partition #1
Extended w/Extended Int 13
DeviceID \\.\PHYSICALDRIVE1
Model WDC WD12 00UE-00KVT0 USB Device
Interface USB
Media Fixed hard disk media
Signature 0x96244465
Partition Info
Disk #1, Partition #0
Installable File System
This is from a run on my local system, with a USB-connected WD external HDD. The signatures listed are what appears in the MountedDevices Registry key, so this can be used to tie the drive to the image. This output is based on correlating the Win32_DiskDrive and Win32_DiskPartition classes. I really don't have any way to tie in the Win32_LogicalDisk info to a specific drive, but that can be printed separately.
I haven't included some of the available size info, as the MS documentation has caveats that the values for some of them may not be correct.
Anyway, I guess it's something of very limited use.
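A PowerShell sketch of the same correlation, added here as an illustration rather than Harlan's actual tool. It assumes the CIM cmdlets are available and uses the association classes Win32_DiskDriveToDiskPartition and Win32_LogicalDiskToPartition to walk from a physical drive to its partitions and drive letters, plus a small decoder for the 12-byte MBR-style MountedDevices values (4-byte little-endian signature followed by the 8-byte partition start offset) so the two can be compared:

```powershell
# Added example (not the original poster's code): inventory physical disks and
# walk the WMI association classes down to partitions and drive letters.
function Get-DiskInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)   # a remote host name works here too
    $drives = Get-CimInstance -ClassName Win32_DiskDrive -ComputerName $ComputerName
    foreach ($d in $drives) {
        # Signature is a uint32; render it as the 8-digit hex seen in MountedDevices
        $sig = if ($d.Signature) { '0x{0:x8}' -f $d.Signature } else { '(none / GPT disk)' }
        [pscustomobject]@{
            DeviceID  = $d.DeviceID
            Model     = $d.Model
            Interface = $d.InterfaceType
            Media     = $d.MediaType
            Serial    = $d.SerialNumber
            Signature = $sig
        }
        # Win32_DiskDriveToDiskPartition links this physical disk to its partitions
        $parts = Get-CimAssociatedInstance -InputObject $d -Association Win32_DiskDriveToDiskPartition
        foreach ($p in $parts) {
            # Win32_LogicalDiskToPartition links a partition to its drive letter(s),
            # which ties Win32_LogicalDisk data back to a specific physical drive
            $logical = Get-CimAssociatedInstance -InputObject $p -Association Win32_LogicalDiskToPartition
            [pscustomobject]@{
                Partition   = $p.DeviceID         # e.g. "Disk #0, Partition #0"
                Type        = $p.Type             # e.g. "Installable File System"
                StartOffset = $p.StartingOffset   # should equal the offset stored in MountedDevices
                Letters     = ($logical.DeviceID -join ',')
            }
        }
    }
}

# Decode one MountedDevices value for an MBR disk:
# bytes 0-3 = disk signature (little-endian), bytes 4-11 = partition start offset in bytes.
# Other lengths are volume GUID / device-name entries and are skipped.
function ConvertFrom-MountedDeviceValue {
    param([byte[]]$Value)
    if ($Value.Length -ne 12) { return $null }
    $sig = '0x{0:x8}' -f [BitConverter]::ToUInt32($Value, 0)
    $off = [BitConverter]::ToUInt64($Value, 4)
    return "signature=$sig startoffset=$off"
}

Get-DiskInventory | Format-List
# Live hive shown here; for an image, load the SYSTEM hive with reg.exe load and adjust the path
Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices' |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Name -like '\DosDevices\*' } |
    ForEach-Object { "{0} -> {1}" -f $_.Name, (ConvertFrom-MountedDeviceValue $_.Value) }
```

A signature and start offset that match between the WMI output and a \DosDevices\ entry identify the same volume, which is the correlation the post describes.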
I don't think you can get much more through WMI but if you look into using deviceiocontrol or the disk management controls you'll probably get more info.
Thanks, but I wasn't asking if there was anything else anyone wanted…I just wanted to see if anyone else found something like this useful.
Sorry for wasting your time.
hey Harlan
You aren't wasting anyone's time, but some of us do live the other side of the world :D
I think this is a very useful tool and I would definitely use it. IMHO the more data that can be extracted in this fashion, and therefore less susceptible to error or indeed erroneous interpretation the better.
I see too many basic errors made in the identification phase and this would take some of the human error out of it.
cheers
Harlan,
I don't know why you think you are wasting anyone's time. I'm curious about the signature you found. How does that signature get determined? That information could be very useful to corroborate the fact that a disk was once installed in a system if there are remnants in the registry. I would think you could match signatures proving that the disk had once been in a system.
> I'm curious about the signature you found. How does that signature get determined?
It's what's written by the OS to offset 0x1b8 in the MFT, and appears in the MountedDevices values.
> I would think you could match signatures proving that the disk had once been in a system.
Exactly.