A couple of very brief tips, useful during a forensic acquisition.
During the initial phase of a digital forensic investigation, a lot of information about the target systems needs to be collected.
One of these items is the information about the physical disks in the system.
Personally, I prefer to collect, along with the MD5 hash, also the model and serial number of the disks, in order to fill in the “chain of custody” form.
How to obtain this data from systems quickly? Simple: with the command line!
Using WMIC, you can retrieve hard drive properties.
The command wmic diskdrive get Name,Model,SerialNumber,Size,Status returns names, model types, serial numbers, the overall size in bytes, and the status for all connected hard drives.
wmic diskdrive get Name,Model,SerialNumber,Size,Status
Model               Name                SerialNumber  Size          Status
TOSHIBA MQ01ACXXXX  \\.\PHYSICALDRIVE0  36NJCXXXX     50010524XXXX  OK
The command lsblk --nodeps -o name,model,serial returns the name, model and serial number of all connected hard drives:
# lsblk --nodeps -o name,model,serial
NAME MODEL                SERIAL
sda  HGST_HTS725050A7XXXX RCF50ACE1LXXXX
sdb  HGST_HTS725050A7XXXX RCF50ACE1LXXXX
sdc  Logical_Volume       600508eXXXX00000XXXX48ffd593XXXX
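Putting the Linux side of these tips together, as an added example that is not from the original post: a small Python script that parses lsblk --pairs output into one record per disk, keeps only whole physical disks, and pairs each with a streamed MD5 so all chain-of-custody fields come from one place. It assumes lsblk supports -P/--pairs and -b/--bytes; the sample output is constructed, with serials masked as in the post.

```python
"""Chain-of-custody disk inventory from lsblk output (added example, not from
the original post). Assumes Linux lsblk with -P/--pairs (KEY="value" lines)
and -b/--bytes; SAMPLE_LSBLK below is constructed, serials masked."""
import hashlib
import shlex
import subprocess
from typing import Dict, Iterable, List, Optional

LSBLK_CMD = ["lsblk", "--nodeps", "--bytes", "--pairs",
             "-o", "NAME,MODEL,SERIAL,SIZE,TYPE"]

SAMPLE_LSBLK = (
    'NAME="sda" MODEL="HGST HTS725050A7XXXX" SERIAL="RCF50ACE1LXXXX" SIZE="500107862016" TYPE="disk"\n'
    'NAME="sdb" MODEL="HGST HTS725050A7XXXX" SERIAL="RCF50ACE1LXXXX" SIZE="500107862016" TYPE="disk"\n'
    'NAME="sr0" MODEL="DVD-RAM UJ8E2" SERIAL="" SIZE="1073741824" TYPE="rom"\n'
)

def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """One dict per device line; shlex keeps quoted values with spaces intact."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append({k.lower(): v for k, v in
                         (tok.split("=", 1) for tok in shlex.split(line))})
    return rows

def physical_disks(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep whole disks only (drops rom/loop). Caveat: a hardware RAID exposes
    its logical volume as TYPE=disk, so its serial is the volume id, not the
    member drives' serials (compare 'Logical_Volume' above)."""
    return [r for r in rows if r.get("type") == "disk"]

def hash_chunks(chunks: Iterable[bytes], algo: str = "md5") -> str:
    """Stream-hash so a multi-TB device never has to fit in memory."""
    h = hashlib.new(algo)
    for block in chunks:
        h.update(block)
    return h.hexdigest()

def hash_device(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a block device; needs read access to /dev/sdX (normally root)."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))

def custody_record(disk: Dict[str, str], digest: str = "not computed") -> str:
    """Pipe-separated line ready for the chain-of-custody form."""
    return "|".join(["/dev/" + disk["name"], disk["model"], disk["serial"] or "N/A",
                     disk["size"] + " bytes", digest])

def inventory(text: Optional[str] = None) -> List[str]:
    """Parse the given lsblk output, or run lsblk live when none is supplied."""
    if text is None:
        text = subprocess.run(LSBLK_CMD, capture_output=True, text=True, check=True).stdout
    return [custody_record(d) for d in physical_disks(parse_lsblk_pairs(text))]
```

Run inventory() with no argument on the live system, then fill the digest column with hash_device("/dev/sdX") after the write-blocked acquisition.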
- lsblk(8) – Linux man page
- wmic – Windows applications | Microsoft Docs
- Digital Forensic: the Chain of Custody | So Long, and Thanks for All the Fish