I'm playing around with a virtual machine and looking for the volume serial number (vsn). I'm looking in $boot, at 0x48, and I see 00 00 0C 00 00 00 00 00. From what I see online, 0x48 should be the vsn. Is that right? How do I convert it to look more like it would if you used the 'vol' command in cmd? Or am I doing something wrong?
Thanks in advance.
How do I convert it to look more like it would if you used the 'vol' command in cmd? Or am I doing something wrong?
Hmmm.
Viewing with what exactly?
First Sector of $boot is the bootsector (and contains the BPB).
The volume serial is at 0x48, i.e. 72 decimal.
Maybe you are looking at 0x30, i.e. 48 decimal and 0x00000000000C0000 is decimal 786432 (the LCN of the $MFT).
Or is it a coincidence? 😯
It is rare, though possible in theory that a volume has 0x00000000000C0000 as Serial number.
Just as an example a volume I have handy has 0x00F89765F89757AC as Serial.
Try running DIR on the volume.
Try changing the Serial, with *any* tool, like (examples)
http//
http//
You will see how the 0x00000000000C0000 won't change?
jaclaz
You were right, I was looking at 0x30 rather than 0x40, oops.
Also, it seems to be the first 4 bytes, backwards. So for example, when I type 'vol' in cmd, it tells me
Volume in drive C has no label.
Volume Serial Number is A895-765A
When I look at the $boot file, 0x48 in hex, it says 5A 76 95 A8
So those 4 bytes are the volume serial number, but backwards.
Thanks Jaclaz, it all makes more sense now D
You need to make sure you are looking at offset 0x48 hex
edit - bloody hell, I know I got distracted while making that post/uploading image, but I didn't realise an hour had gone by.
The number is not backwards, it is just stored Little Endian - as are most PC/Intel numbers
Thanks, that makes even more sense. Well I feel like I've learned a bunch this morning lol
Not yet. wink
Please understand how the actual NTFS volume serial is 8 bytes long.
Vol, or Dir will ONLY show 4.
http//
http//
http://www.forensicfocus.com/Forums/viewtopic/t=2134/
As a side note, consider how hex numbers, hex numbers as seen in a hex editor, or "byte sequences" should always be described accurately.
http//
jaclaz
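Pulling the thread's numbers together, here is an added Python example (my own code, not from any poster) that builds a constructed NTFS boot sector with the $MFT LCN 0xC0000 at 0x30 and the bytes 5A 76 95 A8 at 0x48, then decodes both fields little-endian and formats the serial the way VOL does. The high four serial bytes (11 22 33 44) and the other BPB values are assumed sample data.

```python
import struct

NTFS_OEM_ID = b"NTFS    "

def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector (sample data, not a real image)."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                   # x86 jump stub
    sector[3:11] = NTFS_OEM_ID                      # OEM ID
    struct.pack_into("<H", sector, 0x0B, 512)       # bytes per sector (assumed)
    sector[0x0D] = 8                                # sectors per cluster (assumed)
    struct.pack_into("<Q", sector, 0x30, 0xC0000)   # $MFT LCN = 786432 (from the thread)
    struct.pack_into("<Q", sector, 0x38, 0x2)       # $MFTMirr LCN (assumed)
    # Serial as stored on disk: the 4 bytes from the thread plus an assumed high DWORD.
    sector[0x48:0x50] = bytes.fromhex("5A7695A8" "11223344")
    sector[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(sector)

def raw_bytes(sector: bytes, offset: int, length: int) -> str:
    """Bytes exactly as a hex editor shows them at the given offset."""
    return " ".join(f"{b:02X}" for b in sector[offset:offset + length])

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB fields discussed in the thread; all are little-endian."""
    if len(sector) < 512 or sector[3:11] != NTFS_OEM_ID or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]   # full 8-byte serial
    low32 = serial & 0xFFFFFFFF                          # the 4 bytes VOL/DIR display
    return {
        "bytes_per_sector": bytes_per_sector,
        "mft_lcn": mft_lcn,
        "serial64": serial,
        "vol_style": f"{low32 >> 16:04X}-{low32 & 0xFFFF:04X}",
    }

if __name__ == "__main__":
    bs = build_sample_boot_sector()
    print("0x30:", raw_bytes(bs, 0x30, 8))   # 00 00 0C 00 00 00 00 00 -> $MFT LCN, not the serial
    print("0x48:", raw_bytes(bs, 0x48, 8))   # 5A 76 95 A8 11 22 33 44
    info = parse_boot_sector(bs)
    print(f"serial 0x{info['serial64']:016X}, VOL shows {info['vol_style']}")
```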
+1 jaclaz
FYI this is also mentioned on MSDN http//