Stolen Laptop - Loo...
 
Notifications
Clear all

Stolen Laptop - Looking for its serial no on a full backup  

Page 1 / 2
wagadougou
(@wagadougou)
New Member

We are looking for the serial number of a stolen laptop.
We don't have the laptop… but we have a full backup.
Is there a way to retrieve the serial number from this backup ?
We tried lots of things, but until now… no luck -/
- mounting the backup as a vm (failed)
- windows registry ripper
- regripper
- restored the backup on another computer

Banging head on the wall…
Any idea ?

Quote
Topic starter Posted : 17/04/2014 4:08 am
Adam10541
(@adam10541)
Senior Member

Unless someone manually entered the serial number in to some documents on the hard drive I don't think that kind of information will be available anywhere except on the laptop itself.

Of course I can't say that definitively but I've never come across that type of info stored anywhere on a hard drive before….maybe the BIOS, but again without the laptop not much chance there.

Even if you should find documentation stating a serial number it's worthless without the laptop itself to confirm.

Why do you need the serial number?

ReplyQuote
Posted : 17/04/2014 6:50 am
a.nham
(@a-nham)
Junior Member

First you really need to tell me which serial number you want, the physical laptop's serial number (as in the one the manufacturer gave it) or the hard drive's serial number (the one generally in the mft table). I have a feeling its the first one since you mentioned stolen, so I'll just cover that, unless you reply otherwise.

If you mean laptop serial number, people generally register their computer after they buy it, so their serial number may still be on their email from registration if they may not have deleted it yet. If they did register it, but it is not on email you can generally get it by having them log into their machine vendor's site. You can also sometimes have you client call the customer support of the manufacturer of it back for the serial number, especially if it is still under warranty and was ordered online (generally, they may ask for the owner's name and email, if not also their password or other credentials).

If all else fails call the customer support anyways and ask them if there is a way for you to find it from the back. Tell them something like your hard drive broke and the sticker got peeled off by your kid months ago. In general, vendor's preinstalled softwares (like Dell Datasafe/Support or Lenovo ThinkVantage) tends to have have your machine's serial number on it software which should be backed up. It is really a matter if it is actually retrievable from the backup, if your tech support person knows how to do it, and if they are willing to share it with you(something that they are probably not willing to tell you, but sometimes worth trying anyways if you have nothing). Generally speaking, you won't be able to find it on your own from back up parsing.

ReplyQuote
Posted : 17/04/2014 7:18 am
wagadougou
(@wagadougou)
New Member

Unless someone manually entered the serial number in to some documents on the hard drive I don't think that kind of information will be available anywhere except on the laptop itself.

Of course I can't say that definitively but I've never come across that type of info stored anywhere on a hard drive before….maybe the BIOS, but again without the laptop not much chance there.

Even if you should find documentation stating a serial number it's worthless without the laptop itself to confirm.

Why do you need the serial number?

Thanks ! It helps a lot to get answers - I fell less alone )
We need the physical serial number for the authorities - if the find the laptop back, they need a proof that it is ours.
Until now no bios trace in the registry… But I'll keep on looking and will keep you posted.

ReplyQuote
Topic starter Posted : 17/04/2014 11:12 am
wagadougou
(@wagadougou)
New Member

First you really need to tell me which serial number you want, the physical laptop's serial number (as in the one the manufacturer gave it) or the hard drive's serial number (the one generally in the mft table). I have a feeling its the first one since you mentioned stolen, so I'll just cover that, unless you reply otherwise.

If you mean laptop serial number, people generally register their computer after they buy it, so their serial number may still be on their email from registration if they may not have deleted it yet. If they did register it, but it is not on email you can generally get it by having them log into their machine vendor's site. You can also sometimes have you client call the customer support of the manufacturer of it back for the serial number, especially if it is still under warranty and was ordered online (generally, they may ask for the owner's name and email, if not also their password or other credentials).

If all else fails call the customer support anyways and ask them if there is a way for you to find it from the back. Tell them something like your hard drive broke and the sticker got peeled off by your kid months ago. In general, vendor's preinstalled softwares (like Dell Datasafe/Support or Lenovo ThinkVantage) tends to have have your machine's serial number on it software which should be backed up. It is really a matter if it is actually retrievable from the backup, if your tech support person knows how to do it, and if they are willing to share it with you(something that they are probably not willing to tell you, but sometimes worth trying anyways if you have nothing). Generally speaking, you won't be able to find it on your own from back up parsing.

Your are 100% right, it is the physical laptop serial number we are looking for.
Thanks a lot for your advice - unfortunately, no registration found, only one invoice but no serial number on the invoice… Funny that Microsoft OS's takes countless logs of anything and everything on the machine, but not that )
Stubborn me will keep on looking…

ReplyQuote
Topic starter Posted : 17/04/2014 11:17 am
jaclaz
(@jaclaz)
Community Legend

There may be other pieces of evidence (of course not as "safe" as the laptop serial).
Once (if) the laptop is found even if the disk volumes have been formatted the Disk Signature would normally remain the same.

A number of Commercial programs may have recorded either the actual harddisk serial number or the NIC MAC as part of their authentication/registration.

Windows 7 should store the NIC MAC address under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\
see
http//snaked-bytes.blogspot.it/2011/12/how-to-change-your-mac-address-in.html

jaclaz

ReplyQuote
Posted : 17/04/2014 2:33 pm
Rich2005
(@rich2005)
Senior Member

You might get lucky and look for manufacturer registration processes (filtering the filters/folders by date for early activity). Some brands try to make you go through some online activation / warranty registration and record the serial number in there if I remember rightly. Probably more valid for a home computer though than if it's a business computer with a rolled out image.

ReplyQuote
Posted : 17/04/2014 4:22 pm
athulin
(@athulin)
Community Legend

We are looking for the serial number of a stolen laptop.
We don't have the laptop… but we have a full backup.
Is there a way to retrieve the serial number from this backup ?

Is it a generic Windows installation, or a OEM installation? The former is likely to be entirely platform agnostic, the latter may keep information around – probably in any platform-specific utilities installed with the OS. (I have a feeling some Lenovo Thinkpads do, but I've never checked it out.) Best idea is probably to identify another laptop of the same brand and release, and look for its serial number. Don't check just storage areas – start applications (i.e. OEM-specific) and see if any of those report the information. If they do, research where it comes from, and how it is stored.

ReplyQuote
Posted : 17/04/2014 5:31 pm
wagadougou
(@wagadougou)
New Member

There may be other pieces of evidence (of course not as "safe" as the laptop serial).
Once (if) the laptop is found even if the disk volumes have been formatted the Disk Signature would normally remain the same.

A number of Commercial programs may have recorded either the actual harddisk serial number or the NIC MAC as part of their authentication/registration.

Windows 7 should store the NIC MAC address under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\
see
http//snaked-bytes.blogspot.it/2011/12/how-to-change-your-mac-address-in.html

jaclaz

Thanks for your answer.
Mac address is a good idea. RegRipper gave it withoutany trouble.

The thing is, if the cops find the computer where we think it is, they will only look at the backside of the laptop to see if the serial number matches what we gave them.

But the Mac address is better than nothing )
Thanks again.

ReplyQuote
Topic starter Posted : 17/04/2014 6:46 pm
wagadougou
(@wagadougou)
New Member

You might get lucky and look for manufacturer registration processes (filtering the filters/folders by date for early activity). Some brands try to make you go through some online activation / warranty registration and record the serial number in there if I remember rightly. Probably more valid for a home computer though than if it's a business computer with a rolled out image.

Good idea.
It's an asustek laptop.
I'll check.

Thanks )

ReplyQuote
Topic starter Posted : 17/04/2014 6:48 pm
wagadougou
(@wagadougou)
New Member

We are looking for the serial number of a stolen laptop.
We don't have the laptop… but we have a full backup.
Is there a way to retrieve the serial number from this backup ?

Is it a generic Windows installation, or a OEM installation? The former is likely to be entirely platform agnostic, the latter may keep information around – probably in any platform-specific utilities installed with the OS. (I have a feeling some Lenovo Thinkpads do, but I've never checked it out.) Best idea is probably to identify another laptop of the same brand and release, and look for its serial number. Don't check just storage areas – start applications (i.e. OEM-specific) and see if any of those report the information. If they do, research where it comes from, and how it is stored.

It's OEM from Asustek.
I'll check your idea )
Thanks !

PS Still, I wonder why Microsoft keeps the Serial Number so secret…

ReplyQuote
Topic starter Posted : 17/04/2014 6:50 pm
Chris55728
(@chris55728)
Junior Member

Thanks for your answer.
Mac address is a good idea. RegRipper gave it withoutany trouble.

The thing is, if the cops find the computer where we think it is, they will only look at the backside of the laptop to see if the serial number matches what we gave them.

But the Mac address is better than nothing )
Thanks again.

You may get lucky and find that the MAC address is also on a sticker on the underside of the laptop.

Failing that and assuming that the MAC address you have is the one for the wireless card, there may be a compartment on the underside of the laptop that stores the wireless card. If the police unscrew that compartment the wireless card may have a sticker with the MAC address on it.

ReplyQuote
Posted : 17/04/2014 8:43 pm
PaulSanderson
(@paulsanderson)
Senior Member

PS Still, I wonder why Microsoft keeps the Serial Number so secret…

I guess its because the serial number of the machine would need to be exposed by the hardware in standardised place so that the operating system can record it. Also why would M$ be interested in the serial number of the machine itself?

Having said that I have never looked for a serial number of a machine - providing it isn't encrypted it should be easy enough to take an image of a machine for which you have the s/n and search for it to see if it occurs anywhere.

The MAC address may be your best bet - this is stored in lots of places, but there is good reason for that )

ReplyQuote
Posted : 17/04/2014 9:07 pm
wagadougou
(@wagadougou)
New Member

PS Still, I wonder why Microsoft keeps the Serial Number so secret…

I guess its because the serial number of the machine would need to be exposed by the hardware in standardised place so that the operating system can record it. Also why would M$ be interested in the serial number of the machine itself?

Having said that I have never looked for a serial number of a machine - providing it isn't encrypted it should be easy enough to take an image of a machine for which you have the s/n and search for it to see if it occurs anywhere.

The MAC address may be your best bet - this is stored in lots of places, but there is good reason for that )

Well, they could log it for licence tracking. And to help us, poor forensics slaves )
Since it is easy to use the wmic bios get serialnumber command to get the serial number, I thought they would log it somewhere…

Great idea to image a known computer and search for known serial number into it.
I'll give it a try and keep you posted.
Thanks.

ReplyQuote
Topic starter Posted : 17/04/2014 10:07 pm
a.nham
(@a-nham)
Junior Member

I actually did an Asus product registration about a year ago, it was on a motherboard, not a laptop, but i think the registration is probably the same for all computer products. The Asus registration program is called "Asus Product Register Program;" in my particular system the program was found in C/Program Files (x86)\ASUS\APRP. APRP being an acronym for the full program name. I personally did not find anything about my motherboard's serial number in mine, but you may have better luck for laptop. I have a faint memory of not having to type my serial number when registering my motherboard (aka they probably had some way of getting it from the hardware and you just needed your name and email), but it could just be me imagining this too. Lastly, the registration file of ASUS turned out to just be an exe to an internet shortcut, you might have to take out your internet forensics tool out and hope that history and cache has not been freed yet.

As for to your question why Microsoft keeps the serial number such a secret, I'm still wondering why they keep the NTFS file structure such a secret from us. D

ReplyQuote
Posted : 17/04/2014 10:23 pm
Page 1 / 2
Share: