As far as I understand, the Windows driver (ftdisk) creates an object "HardDiskVolume" for each volume it finds on the system and creates a registry record for it:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\
\??\Volume{GUID} = BINARY_DATA
From that moment the volume is mounted as \??\Volume{GUID}. BINARY_DATA is used to map this drive to \DosDevices\<DISK_NAME> in the same registry hive so the disk has a letter.
BINARY_DATA has to be unique for the volume and should not be changed even if I put this disk into another PC, right?
My question is:
I've read lpVolumeSerialNumber using GetVolumeInformation. It is just a long integer and does not look like this BINARY_DATA.
I believe BINARY_DATA is a function of lpVolumeSerialNumber (which is generated by the OS when the volume is formatted) and something else:
BINARY_DATA = F(VolumeSerialNumber, SOMETHING).
What is SOMETHING?
I read MSDN and the Russinovich/Solomon book already and still can't get it.
Oh, I found it.
It says "The data that the registry stores in values for basic disk volume drive letters and volume names is the Windows NT 4–style disk signature and the starting offset of the first partition associated with the volume".
but what is "Windows NT 4–style disk signature"?
From here: http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/resguide/diskover.mspx?mfr=true
That is "Four-byte disk signature that is in the first sector of each hard disk"
So I used the HxD tool and looked for these four bytes from my BINARY_DATA; I found them in row 1B0, columns 08 to 0B.
Looks like there is one more person on the internet who knows about it: http://www.pcreview.co.uk/forums/image-copy-drive-wont-boot-properly-t3761034.html ))
So if I change the MBR on the disk it would lose its letter :)
So how do you find out which drive has a specific volume GUID? There are two ways. 1) Open a command line and use the following command "mountvol" (exclude quotes). This displays all drives on the system, starting with the volume GUID, then one or more mount points for that drive.
This is going back a few years, as I worked at a company that would read and write to the first 62 sectors of hard disks. We had to be careful not to overwrite all 62 sectors or we would have problems with Windows activation. Typically goodies are stored there; however, it's not much of a secret.
For sure on FAT, 62 sectors before the MBR are 'unused' and usable by any program. I have copied text from a forensic page linked below and you'll see that it's likely the unique identifiers are stored on the first 62 sectors. Forensic analysts can use the data in the registry to determine that you removed a hard disk and can then go look for it. I presume the identifier was written there by Windows on format. The binary data is the time stamp and is created on format, and with all this it's really strong evidence; you should find that binary data, hopefully not encoded, on the first 62 partitions somewhere.
Actually correct, I did find it! This WinHex is the bomb! You want to read from 0 to (62*512) on one of the PHYSICAL drives (not logical). I don't think you will have any problems changing this other than possibly activation; however, that's an old issue and I believe they stopped since people now update their SSDs often as they melt down.
FROM http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
A Forensic Analysis Of The Windows Registry
Derrick J. Farmer Champlain College Burlington, Vermont [email protected]
Mounted Devices
There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system. The binary data for each \DosDevices\x: value contains information for identifying each volume. This is demonstrated in Figure 7, where \DosDevice\F: is a mounted volume and listed as 'STORAGE Removable Media'.
Figure 7 Identification of volume \DosDevice\F:
This information can be useful to a digital forensics examiner as it shows the hardware devices that should be connected to the system. Therefore, if a device is shown in the list of MountedDevices and that device isn't physically in the system, it may indicate that the user removed the drive in attempt to conceal the evidence. In this case, the examiner would know they have additional evidence that needs to be seized.
SECTORS 1-62 QUOTED FROM http://www.beginningtoseethelight.org/fat16/index.htm
Sectors 1 - 62 (>= 31,744 bytes): sectors 1 - 62 inclusively are normally left empty. Applications that do use it include: multi boot loaders like Ranish Advanced Boot Manager; security programs such as Reflex-Magnetics Disknet; viruses that copy themselves to the master boot record so that they can load every time, sometimes moving the real MBR into this area, plus any more virus code. Full disk encryption programs and disk translation software for very large hard disks may also reside here.
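The following is an added example, not code from any poster in this thread. It ties together the asker's finding (the four signature bytes at row 1B0, columns 08 to 0B, i.e. offset 0x1B8 of the MBR) and the second answer's raw read of sector 0 of a physical drive: it builds a constructed 512-byte MBR, derives the 12-byte MountedDevices value Windows stores for an MBR volume (4-byte NT disk signature followed by the 8-byte little-endian byte offset of the partition), decodes such a value back, and performs the check an examiner would do when matching a registry entry to a disk image. The `build_mbr` helper and all sample values are constructed test data. The GPT ("DMIO:ID:" plus partition GUID) and UTF-16 device-path branches in `decode_mounted_devices_value` go beyond what the thread states; they reflect the value layouts Windows uses for those entry kinds and are included as the general case.

```python
import struct
import uuid

SECTOR = 512
MBR_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT 4-style disk signature (row 1B0, cols 08-0B in a hex editor)
MBR_PARTITION_TABLE = 0x1BE    # four 16-byte partition entries
MBR_BOOT_SIG_OFFSET = 0x1FE    # 0x55 0xAA boot signature


def build_mbr(disk_signature, first_partition_lba, sector_count=204800):
    """Construct a synthetic 512-byte MBR with one active NTFS-type partition (test data, not a real disk)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, MBR_SIGNATURE_OFFSET, disk_signature)
    # entry: status, CHS start (3), type, CHS end (3), LBA start, LBA count
    struct.pack_into("<B3sB3sII", mbr, MBR_PARTITION_TABLE,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                     first_partition_lba, sector_count)
    mbr[MBR_BOOT_SIG_OFFSET:MBR_BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


def partition_starts(mbr):
    """Return the LBA start of each non-empty primary partition, indexed 0..3 (None for empty slots)."""
    if mbr[MBR_BOOT_SIG_OFFSET:MBR_BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("sector 0 is not a valid MBR (missing 55 AA)")
    starts = []
    for i in range(4):
        entry = MBR_PARTITION_TABLE + 16 * i
        ptype = mbr[entry + 4]
        lba, = struct.unpack_from("<I", mbr, entry + 8)
        starts.append(lba if ptype != 0 else None)
    return starts


def expected_mounted_devices_value(mbr, partition_index=0):
    """The 12-byte value MountedDevices holds for an MBR volume: raw signature bytes + 8-byte LE byte offset."""
    signature = mbr[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4]
    lba = partition_starts(mbr)[partition_index]
    if lba is None:
        raise ValueError("partition slot is empty")
    return signature + struct.pack("<Q", lba * SECTOR)


def decode_mounted_devices_value(value):
    """Classify and decode one MountedDevices REG_BINARY value."""
    if len(value) == 12:
        sig, = struct.unpack_from("<I", value, 0)      # same number diskpart shows as "Disk ID"
        offset, = struct.unpack_from("<Q", value, 4)
        return {"type": "mbr", "disk_signature": f"{sig:08X}", "partition_offset": offset}
    if len(value) == 24 and value[:8] == b"DMIO:ID:":
        # GPT volumes: prefix plus the 16-byte partition GUID in Windows (mixed-endian) byte order
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=value[8:]))}
    if len(value) % 2 == 0 and value[1::2] == b"\x00" * (len(value) // 2):
        # removable/USB entries are UTF-16LE device paths rather than signature+offset
        return {"type": "device_path", "path": value.decode("utf-16-le").rstrip("\x00")}
    return {"type": "unknown", "raw": value.hex()}


def find_matching_partition(mbr, value):
    """Examiner check: does this registry value belong to this disk? Returns the partition index or None."""
    decoded = decode_mounted_devices_value(value)
    if decoded["type"] != "mbr":
        return None
    if value[:4] != mbr[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4]:
        return None   # signature bytes at 0x1B8 differ: a different disk (or a rewritten MBR)
    for i, lba in enumerate(partition_starts(mbr)):
        if lba is not None and lba * SECTOR == decoded["partition_offset"]:
            return i
    return None


if __name__ == "__main__":
    # constructed disk: signature 0x12345678, first partition at LBA 2048 (offset 1 MiB)
    sector0 = build_mbr(0x12345678, 2048)
    value = expected_mounted_devices_value(sector0)
    print("MountedDevices value:", value.hex())          # 78563412 0000100000000000
    print(decode_mounted_devices_value(value))
    print("matches partition:", find_matching_partition(sector0, value))
```

On a real system `sector0` would be the first 512 bytes read from the physical drive (the same region the WinHex read above covers) and `value` the data of a `\??\Volume{GUID}` or `\DosDevices\X:` entry under HKLM\SYSTEM\MountedDevices; a signature mismatch means the entry does not belong to that disk, which is exactly why rewriting the MBR signature makes a volume lose its letter.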