Volume Serial Number NTFS

8 Posts
5 Users
0 Likes
5,686 Views
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

I'm playing around with a virtual machine and looking for the volume serial number (vsn). I'm looking in $boot, at 0x48, and I see 00 00 0C 00 00 00 00 00. From what I see online, 0x48 should be the vsn. Is that right? How do I convert it to look more like it would if you used the 'vol' command in cmd? Or am I doing something wrong?

Thanks in advance.

 
Posted : 29/11/2013 4:59 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

How do I convert it to look more like it would if you used the 'vol' command in cmd? Or am I doing something wrong?

Hmmm.
Viewing with what exactly?

First Sector of $boot is the bootsector (and contains the BPB).
The volume serial is at 0x48, i.e. 72 decimal.

Maybe you are looking at 0x30, i.e. 48 decimal and 0x00000000000C0000 is decimal 786432 (the LCN of the $MFT).

Or is it a coincidence? 😯
It is rare, though possible in theory that a volume has 0x00000000000C0000 as Serial number.
Just as an example a volume I have handy has 0x00F89765F89757AC as Serial.

Try running DIR on the volume.

Try changing the Serial, with *any* tool, like (examples)
http://www.codeproject.com/Articles/5825/Changing-volume-s-serial-number
http://technet.microsoft.com/en-us/sysinternals/bb897436.aspx
You will see how the 0x00000000000C0000 won't change ?

jaclaz

 
Posted : 29/11/2013 5:14 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

You were right, I was looking at 0x30 rather than 0x40 oops

Also, it seems to be the first 4 bytes - backwards. So for example, when I type 'vol' in cmd, it tells me

Volume in drive C has no label.
Volume Serial Number is A895-765A

When I look at the $boot file, at offset 0x48 in hex, it says 5A 76 95 A8

So those 4 bytes are the volume serial number, but backwards.

Thanks Jaclaz, it all makes more sense now :D

 
Posted : 29/11/2013 5:37 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

You need to make sure you are looking at offset 0x48 hex

edit - bloody hell, I know I got distracted while making that post/uploading image, but I didn't realise an hour had gone by.

 
Posted : 29/11/2013 6:15 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

The number is not backwards, it is just stored Little Endian - as are most PC/Intel numbers

 
Posted : 29/11/2013 6:23 pm
(@si2013)
Posts: 36
Eminent Member
Topic starter
 

Thanks, that makes even more sense. Well I feel like I've learned a bunch this morning lol

 
Posted : 29/11/2013 6:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not yet. ;)
Please understand how the actual NTFS volume serial is 8 bytes long.
Vol, or Dir will ONLY show 4.
http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm
http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
http://www.forensicfocus.com/Forums/viewtopic/t=2134/

As a side note, consider how hex numbers, hex numbers as seen in a hex editor, or "byte sequences" should always be described accurately:
http://thestarman.pcministry.com/asm/mbr/AA55H.html

jaclaz

 
Posted : 29/11/2013 7:23 pm
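To tie the thread together in working code (this is an added example, not code from any poster or from the linked pages): the parser below reads the 8-byte little-endian $MFT LCN at offset 0x30 and the 8-byte little-endian volume serial at offset 0x48 from an NTFS boot sector, and then derives the 4-byte "XXXX-XXXX" form that `vol` prints from the low DWORD of the full serial. The boot sector it runs on is constructed inline (only the fields discussed above are filled in; the serial value 0x1234ABCDA895765A is made up so that its low four bytes match the A895-765A example from the thread). The function and field names are the example's own.

```python
import struct

# Offsets inside the NTFS boot sector (first sector of $Boot) used below.
OEM_ID_OFFSET = 0x03          # "NTFS    " (8 bytes)
MFT_LCN_OFFSET = 0x30         # $MFT logical cluster number, 8 bytes LE
VOLUME_SERIAL_OFFSET = 0x48   # volume serial number, 8 bytes LE
BOOT_SIGNATURE_OFFSET = 0x1FE # 55 AA


def build_sample_boot_sector(serial: int, mft_lcn: int = 0xC0000) -> bytes:
    """Constructed 512-byte NTFS boot sector for demonstration only.

    Only the fields this example parses are populated; everything else is zero.
    """
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x52\x90"                     # jump instruction
    sector[OEM_ID_OFFSET:OEM_ID_OFFSET + 8] = b"NTFS    "
    sector[0x0B:0x0D] = struct.pack("<H", 512)         # bytes per sector
    sector[0x0D] = 8                                   # sectors per cluster
    sector[MFT_LCN_OFFSET:MFT_LCN_OFFSET + 8] = struct.pack("<Q", mft_lcn)
    sector[VOLUME_SERIAL_OFFSET:VOLUME_SERIAL_OFFSET + 8] = struct.pack("<Q", serial)
    sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Extract the $MFT LCN and the full 8-byte volume serial.

    Both values are little-endian on disk, so the byte order seen in a hex
    editor is the reverse of the number's printed hex form.
    """
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[OEM_ID_OFFSET:OEM_ID_OFFSET + 8] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '; not an NTFS boot sector")
    if sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("boot signature 55 AA missing")

    (mft_lcn,) = struct.unpack_from("<Q", sector, MFT_LCN_OFFSET)
    (serial,) = struct.unpack_from("<Q", sector, VOLUME_SERIAL_OFFSET)
    return {
        "mft_lcn": mft_lcn,
        "serial": serial,
        # Raw on-disk bytes, in the order a hex editor shows them.
        "serial_raw": sector[VOLUME_SERIAL_OFFSET:VOLUME_SERIAL_OFFSET + 8],
    }


def vol_style_serial(serial: int) -> str:
    """Format the low 32 bits of the 8-byte serial the way `vol` / `dir` do."""
    low_dword = serial & 0xFFFFFFFF
    return f"{low_dword >> 16:04X}-{low_dword & 0xFFFF:04X}"


def hexdump_bytes(data: bytes) -> str:
    """Render bytes in hex-editor order, e.g. '5A 76 95 A8 CD AB 34 12'."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    # Constructed serial: low DWORD chosen to match the thread's A895-765A.
    sample = build_sample_boot_sector(serial=0x1234ABCDA895765A)
    fields = parse_ntfs_boot_sector(sample)

    print(f"Bytes at 0x30 (hex editor order): {hexdump_bytes(sample[0x30:0x38])}")
    print(f"$MFT LCN                        : {fields['mft_lcn']} (0x{fields['mft_lcn']:X})")
    print(f"Bytes at 0x48 (hex editor order): {hexdump_bytes(fields['serial_raw'])}")
    print(f"Full 8-byte serial              : 0x{fields['serial']:016X}")
    print(f"Volume Serial Number is {vol_style_serial(fields['serial'])}")
```

Run as a script it prints both interpretations side by side: the eight bytes at 0x30 read as 786432 (0xC0000), the bytes at 0x48 read in hex-editor order as `5A 76 95 A8 CD AB 34 12`, and the `vol`-style form `A895-765A`, which is why only half of the serial ever appears in a `dir` or `vol` listing.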
(@joachimm)
Posts: 181
Estimable Member
 

+1 jaclaz
FYI this is also mentioned on MSDN: http://technet.microsoft.com/en-us/library/cc781134%28WS.10%29.aspx

 
Posted : 01/12/2013 3:44 am