Hi all, my scenario is this
I'm examining a tower with Ubuntu installed on one HDD with an Ext4 FS. On this drive there are virtual machine config files that point to VDI files on a separate HDD... that doesn't exist in the computer.
I have good info to suggest that my suspect has been using a virtual machine to commit the offences under investigation and these VDI files relate to the VM used.
A bag of HDDs has been seized separately from the suspect's home and one of these has been smashed up to the extent that I can't image it. I suspect the smashed-up one contains what I'm after; however, I need to be sure before I send it off for data recovery.
The question is: are there any artefacts in Ubuntu that can tell me the serial numbers of the physical HDDs connected to it, so I can link this smashed-up drive to the suspect's computer?
Many thanks in advance
Colin
If I recall correctly, when you attach a drive to the system there is an entry in the log.
If the device is connected directly to the SATA/SCSI bus, then the serial number of the device should also be recorded.
Something like this:
Apr 23 09:04:20 hostname kernel: [    0.743132] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
Apr 23 09:04:20 hostname kernel: [    0.866096] ata1.00: ATA-8: WDC WD1600BEVT-22ZCT0, 11.01A11, max UDMA/133
Apr 23 09:04:20 hostname kernel: [    0.866100] ata1.00: 312581808 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
Apr 23 09:04:20 hostname kernel: [    0.868449] ata1.00: configured for UDMA/133
Apr 23 09:04:20 hostname kernel: [    0.868581] scsi 0:0:0:0: Direct-Access     ATA      WDC WD1600BEVT-2 11.0 PQ: 0 ANSI: 5
Apr 23 09:04:20 hostname kernel: [    0.868761] sd 0:0:0:0: [sda] 312581808 512-byte logical blocks: (160 GB/149 GiB)
Apr 23 09:04:20 hostname kernel: [    0.868808] sd 0:0:0:0: [sda] Write Protect is off
Apr 23 09:04:20 hostname kernel: [    0.868811] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
Apr 23 09:04:20 hostname kernel: [    0.868832] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Apr 23 09:04:20 hostname kernel: [    0.869054] sd 0:0:0:0: Attached scsi generic sg0 type 0
Apr 23 09:04:20 hostname kernel: [    0.900266]  sda: sda1 sda2 < sda5 >
Apr 23 09:04:20 hostname kernel: [    0.900616] sd 0:0:0:0: [sda] Attached SCSI disk
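As an added example (not code from the thread), here is a small Python parser that pulls the drive-identification events out of syslog lines of the shape quoted above: the timestamp, the ata port, the model string, the firmware revision and the sector count, so a seized drive's label and capacity can be compared against what the kernel recorded. The log lines in it are constructed (the first set mirrors the reply above, the second is an invented later attach on ata2); it only parses the libata model/firmware and sector lines shown here, not the separate entries in which a serial number may appear.

```python
import re

# Constructed sample syslog excerpt: the ata1 lines mirror the reply above,
# the ata2 lines are an invented later hot-plug event on another port.
SAMPLE_SYSLOG = """\
Apr 23 09:04:20 hostname kernel: [    0.743132] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
Apr 23 09:04:20 hostname kernel: [    0.866096] ata1.00: ATA-8: WDC WD1600BEVT-22ZCT0, 11.01A11, max UDMA/133
Apr 23 09:04:20 hostname kernel: [    0.866100] ata1.00: 312581808 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
Apr 23 09:04:20 hostname kernel: [    0.868581] scsi 0:0:0:0: Direct-Access     ATA      WDC WD1600BEVT-2 11.0 PQ: 0 ANSI: 5
Apr 23 09:04:20 hostname kernel: [    0.868761] sd 0:0:0:0: [sda] 312581808 512-byte logical blocks: (160 GB/149 GiB)
Apr 23 09:04:20 hostname kernel: [    0.900616] sd 0:0:0:0: [sda] Attached SCSI disk
Apr 25 18:12:03 hostname kernel: [ 9123.110245] ata2: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
Apr 25 18:12:03 hostname kernel: [ 9123.120411] ata2.00: ATA-8: ST3500418AS, CC38, max UDMA/133
Apr 25 18:12:03 hostname kernel: [ 9123.120455] ata2.00: 976773168 sectors, multi 16: LBA48 NCQ (depth 31/32)
"""

# Syslog prefix: "Mon DD HH:MM:SS host kernel: [ uptime] message"
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*[\d.]+\] (.*)$")
# libata identification line: "ataN.MM: ATA-8: <model>, <firmware>, max <transfer mode>"
IDENT_RE = re.compile(r"^(ata\d+\.\d+): (ATA-?\d*|ATAPI): (.+?), (\S+), max (\S+)$")
# libata capacity line: "ataN.MM: <sectors> sectors, ..."
SIZE_RE = re.compile(r"^(ata\d+\.\d+): (\d+) sectors")

def parse_drives(text):
    """Return one record per ata device identification event: when it was seen,
    which port, the model string, firmware revision and sector count (if logged)."""
    drives = []
    pending = {}  # port -> record still waiting for its sector-count line
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        when, msg = m.groups()
        ident = IDENT_RE.match(msg)
        if ident:
            port, _std, model, fw, _xfer = ident.groups()
            rec = {"when": when, "port": port, "model": model,
                   "firmware": fw, "sectors": None}
            drives.append(rec)
            pending[port] = rec
            continue
        size = SIZE_RE.match(msg)
        if size and size.group(1) in pending:
            pending.pop(size.group(1))["sectors"] = int(size.group(2))
    return drives

if __name__ == "__main__":
    for d in parse_drives(SAMPLE_SYSLOG):
        print(d)
```

Rotated copies (syslog.1, syslog.2.gz) cover earlier boots, so feed the concatenated history rather than only the live file.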
That's an excellent reply, thank you!
In /var/log, within the syslog file, I found the make, model, serial number and firmware version of all the drives connected to the SATA bus.
Perfect!
D