Thursday, May 07, 2009


I've run across a couple of questions lately that have all pointed to one of the biggest issues I see in the IR/CF community...a lack of specificity of language. In particular, many of us use different terms to describe the same thing, or just incorrect terms. In an attempt to address this, I want to provide a couple of definitions and links to further information.

Disk signature
This is a value specific on a hard drive, found within the MBR. The disk signature can be found in the first sector at offset 0x1B8, and is 4 bytes in length. When you acquire a system, you can check this value with a hex editor (as well as via the hex view of the tool you're using, be it X-Ways, ProDiscover, etc.).

This value is also stored in the MountedDevices key in the System Registry hive file, as well. If you open up RegEdit on a live system and navigate to that key, you'll see several value entries for both volumes (\??\Volume{GUID}) and drive letters (\DosDevices\) that have binary data that is 12 bytes in length. The first 4 bytes is the disk signature, and that's followed by the offset to the partition. Again, this is specific to MountedDevices key Registry values whose names begin "\??\Volume{GUID}" or "\DosDevices\", and whose binary data is 12 bytes in length.

Side Note: You may find other entries...for example, a value name that looks like "#{GUID}" may refer to a TrueCrypt volume that was mounted to the system.

You can also use this value to determine the length of the volume, as well. This is useful in determining not only the size of the installed hard drive(s), but also the size of volumes for attached USB external hard drives. This does not apply to thumb drives.

Volume serial number
The volume serial number is written to the volume by Windows each time it is formatted. This value is calculated using the current date and time, and can be easily viewed by opening a command prompt to the volume (ie, C:\, D:\, etc.) and typing the vol command.

Device serial number
This is a unique value that, if available, can be pulled from the device descriptor of a USB removable storage device. You can view this value in the Registry...if you see the value with "&" as the second character, this is a value generated by Windows when a USB removable storage device does NOT have a serial number in its device descriptor. In Windows Forensic Analysis, I mention a tool called UVCView from Microsoft, but I have not been able to locate this tool for quick download via MS. However, it does appear to be part of the driver toolkit.

Okay, this is only a couple of terms, but too often, we see them mixed and matched and used interchangeably, when all that really does is confuse the issue. I don't want to get into a debate or discussion over certifications and governing bodies here...I just want to see if we can't get on the same sheet of music.


1 comment:

Jimmy_Weg said...

As another small side note, a disk signature is not necessarily semi-unique. I've seen several cases in which identical make/model drives had the same signature.

Perhaps the term "signature" also needs some clarification. It, too, isn't used always in the same context. I think that some may consider it analogous to a hash value, aside form its more common usage as a "file signature" (unique to a file type).