A couple of very brief tips, useful during a forensic acquisition.

During the initial phase of a digital forensic investigation, a lot of information about the target systems needs to be collected.

One of these items is the information about the physical disks attached to the system.

Personally, alongside the MD5 hash, I also prefer to collect the model and serial number of the disks, in order to fill in the “chain of custody” form.

How to obtain this data from a system quickly? Simple, with the command line!

On Windows

Using WMIC, you can retrieve the properties of the physical drives exposed by the Win32_DiskDrive class.

The command wmic diskdrive get Name,Model,SerialNumber,Size,Status returns, for every attached physical drive, the device name, the model, the serial number, the overall size in bytes, and the status. Note that wmic prints the columns in alphabetical order regardless of the order in which you request them, as the output below shows. WMIC is deprecated in current Windows releases; the same Win32_DiskDrive class is reachable from PowerShell through the Get-CimInstance cmdlet, with identical property names. Whatever tool you use, compare the reported serial with the label printed on the drive: a USB bridge or a RAID controller may report its own identifier instead of the drive's, and a mismatch belongs in the chain-of-custody notes.

wmic diskdrive get Name,Model,SerialNumber,Size,Status
 Model                   Name                SerialNumber  Size            Status
 TOSHIBA MQ01ACXXXX      \\.\PHYSICALDRIVE0  36NJCXXXX     50010524XXXX    OK

On Linux

The command lsblk --nodeps -o name,model,serial returns the name, model and serial of every whole block device (--nodeps, or -d, suppresses partitions and other dependent devices). The SIZE, WWN, TYPE and TRAN columns can be added to the -o list to match the Windows output and to record the transport (SATA, USB, and so on). In the output below, the third device reports the model Logical_Volume: this is a virtual disk presented by a RAID controller, so the serial shown is the volume's identifier, not the serial of any physical drive. The member disks' models and serials have to be collected with the controller's own management utility, or read from the drive labels, and noted separately in the chain-of-custody form.

# lsblk --nodeps -o name,model,serial
NAME    MODEL                    SERIAL
sda     HGST_HTS725050A7XXXX     RCF50ACE1LXXXX
sdb     HGST_HTS725050A7XXXX     RCF50ACE1LXXXX
sdc     Logical_Volume           600508eXXXX00000XXXX48ffd593XXXX
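The following script is an added example, not part of the original post: it turns the lsblk output into chain-of-custody CSV rows, flags RAID logical volumes and devices without a serial, and hashes an image with two algorithms. It assumes lsblk's -P option (KEY="value" pairs, which are easier to parse than the aligned table) and the coreutils md5sum and sha256sum. The lsblk lines embedded in it are constructed sample data with fictional models and serials, so the script runs offline; on an acquisition workstation you feed it the live lsblk output instead, as the comment at the bottom shows.

```shell
#!/bin/sh
# Added example (not from the original post): chain-of-custody records from lsblk.
# Assumes: lsblk -P output, POSIX sh, sed, md5sum, sha256sum.

# Constructed sample of `lsblk -dPo NAME,MODEL,SERIAL,SIZE,TYPE` output.
# Models and serials are fictional. The third entry mimics a RAID controller's
# virtual disk, the fourth an optical drive that must not be recorded as a disk.
SAMPLE_LSBLK='NAME="sda" MODEL="ACME HD500" SERIAL="ACME0001" SIZE="465.8G" TYPE="disk"
NAME="sdb" MODEL="ACME HD500" SERIAL="ACME0002" SIZE="465.8G" TYPE="disk"
NAME="sdc" MODEL="LOGICAL VOLUME" SERIAL="600000000000000000000001" SIZE="1.8T" TYPE="disk"
NAME="sr0" MODEL="ACME DVD" SERIAL="" SIZE="1024M" TYPE="rom"'

# Print the value of KEY="value" from one lsblk -P line (empty if the key is absent).
# $1 = line, $2 = key
lsblk_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Read lsblk -P lines on stdin and emit CSV rows: device,model,serial,size,note.
# Only TYPE="disk" rows are kept. A model of "LOGICAL VOLUME" (older lsblk prints
# "Logical_Volume") is a RAID controller's virtual disk, so its serial is not a
# physical drive serial; an empty serial means the value must come from the label.
coc_rows() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        [ "$(lsblk_field "$line" TYPE)" = "disk" ] || continue
        name=$(lsblk_field "$line" NAME)
        model=$(lsblk_field "$line" MODEL)
        serial=$(lsblk_field "$line" SERIAL)
        size=$(lsblk_field "$line" SIZE)
        note=""
        case "$model" in
            *LOGICAL*VOLUME*|*Logical*Volume*)
                note="RAID logical volume: record member disks via controller tool" ;;
        esac
        [ -n "$serial" ] || note="${note:+$note; }no serial reported: read it from the drive label"
        printf '/dev/%s,%s,%s,%s,%s\n' "$name" "$model" "$serial" "$size" "$note"
    done
}

# Rows for the constructed sample above.
sample_rows() {
    printf '%s\n' "$SAMPLE_LSBLK" | coc_rows
}

# Hash an image file (or a device node, when run as root) with MD5 and SHA-256.
# MD5 alone is collision-broken, so a second digest is recorded next to it.
# Output: "<md5> <sha256>".
image_hashes() {
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    printf '%s %s\n' "$md5" "$sha"
}

# Demo on the constructed sample. On a real acquisition workstation (the post runs
# lsblk as root) replace sample_rows with:
#   lsblk -dPo NAME,MODEL,SERIAL,SIZE,TYPE | coc_rows
printf 'device,model,serial,size,note\n'
sample_rows
```

The CSV uses the model string as-is; lsblk's MODEL column does not normally contain commas, but quote the field if your controller reports one. The hash function takes a path, so it works on a dd or ewfacquire image as well as directly on /dev/sdX when run with sufficient privileges.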

References

  • lsblk(8) - Linux man page
  • wmic - Windows applications, Microsoft Docs
  • Digital Forensic: the Chain of Custody, on So Long, and Thanks for All the Fish