A couple of very brief tips, useful during a forensic acquisition.
During the initial phase of a digital forensic investigation, a lot of information about the target systems needs to be collected.

One of these items is the information about the physical disks on the system.

Personally, I prefer to collect, alongside the MD5 hash, also the model and serial number of the disks, in order to fill in the "chain of custody" form.

How to obtain this data from systems in a fast manner? Simple, with the command line!

On Windows

Using WMIC, you can retrieve hard drive properties.

The command wmic diskdrive get Name,Model,SerialNumber,Size,Status returns names, model types, serial numbers, the overall size in bytes, and the status for all connected hard drives.

wmic diskdrive get Name,Model,SerialNumber,Size,Status
Model               Name                 SerialNumber  Size          Status
TOSHIBA MQ01ACXXXX  \\.\PHYSICALDRIVE0   36NJCXXXX     50010524XXXX  OK

On Linux

The command lsblk --nodeps -o name,model,serial returns name, model and serial of all connected hard drives:

# lsblk --nodeps -o name,model,serial
NAME    MODEL                      SERIAL
sda     HGST_HTS725050A7XXXX       RCF50ACE1LXXXX
sdb     HGST_HTS725050A7XXXX       RCF50ACE1LXXXX
sdc     Logical_Volume             600508eXXXX00000XXXX48ffd593XXXX
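Putting the two tips together, here is an added example (not from the original post, and not part of lsblk or WMIC) that turns the lsblk listing above into one chain-of-custody record per disk and appends the MD5 of the acquired image. The helper names (inventory_csv, md5_of, custody_record) are hypothetical, and the lsblk text is a constructed sample copied from the listing, with an extra optical drive that has no serial to show how a missing column is handled.

```shell
#!/bin/sh
# Added example (not from the original post): collect the disk inventory from
# `lsblk --nodeps -o name,model,serial`, turn it into one chain-of-custody
# record per device, and append the MD5 of the acquired image.
# Helper names are hypothetical; nothing here is part of lsblk or the post.

# Constructed sample, mirroring the post's listing (serials are placeholders),
# plus a virtual optical drive with no serial. On a live system replace it with:
#   lsblk --nodeps -o name,model,serial
SAMPLE_LSBLK='NAME    MODEL                      SERIAL
sda     HGST_HTS725050A7XXXX       RCF50ACE1LXXXX
sdb     HGST_HTS725050A7XXXX       RCF50ACE1LXXXX
sdc     Logical_Volume             600508eXXXX00000XXXX48ffd593XXXX
sr0     Virtual_DVD-ROM'

# inventory_csv: read lsblk-style text on stdin, emit "device,model,serial".
# The header line is skipped; a device with no serial (common for virtual or
# optical drives) gets "-" so the column count stays fixed.
inventory_csv() {
    awk 'NR > 1 && NF >= 2 {
        serial = (NF >= 3) ? $3 : "-"
        printf "/dev/%s,%s,%s\n", $1, $2, serial
    }'
}

# md5_of FILE: MD5 hex digest, using md5sum (coreutils) or md5 (BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# custody_record DEVICE MODEL SERIAL IMAGE: one CSV line for the chain-of-custody
# form: device,model,serial,md5,acquired-at (UTC). IMAGE is the acquired image
# file; pointing it at the device node itself hashes the raw disk.
custody_record() {
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$(md5_of "$4")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Inventory of the constructed sample.
sample_inventory() {
    printf '%s\n' "$SAMPLE_LSBLK" | inventory_csv
}

# Record for /dev/sda, using a throw-away file in place of the real image.
demo_record() {
    tmp=$(mktemp) || return 1
    printf 'hello' > "$tmp"          # stand-in for the acquired image
    custody_record /dev/sda HGST_HTS725050A7XXXX RCF50ACE1LXXXX "$tmp"
    rm -f "$tmp"
}

sample_inventory
demo_record
```

The awk parser splits on whitespace, which matches the underscore-joined MODEL strings shown above; on lsblk versions that print the model with embedded spaces, use `lsblk --nodeps -P -o NAME,MODEL,SERIAL` (key="value" pairs) instead and adjust the field extraction. The same three columns from the wmic output on Windows can be fed to custody_record in the same way.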