What is windows volume serial number

How To Find The Hard Drive Serial Number In Windows

Jun 6, 2017

When it comes to building a PC, you can debate which components are more important. You will obviously spend more money on whatever resource makes for a better PC. That said, on any PC or laptop, the only important irreplaceable hardware component is the hard drive. Data is stored on your drive.

If your drive is nearing the end of its life or you’re experiencing problems with it, it might be time to take a look at your warranty repair options. As with any warranty, you will likely need to identify your hardware first. HDDs and SSDs are identified via their serial number. If you don’t want to open your desktop or laptop, you can find the hard drive serial number from the command line.

Volume Serial Number

Open Command Prompt in Windows: in the Windows search bar, type CMD and select Command Prompt from the listed results. An HDD and an SSD have two types of serial numbers. The first is a ‘volume’ number. Your HDD/SSD is divided into additional drives; these are the volumes. Each volume has its own serial number that is assigned to it by the OS. It doesn’t have much to do with the actual hardware, but you can still find it via the command line.

Enter the following command;

You can replace ‘C’ with the letter of the drive you want to find the serial number for.

You will notice that while the C drive on my system has a serial number, it has no label. If your volume doesn’t have a label, it’s nothing to worry about. A label is an optional field for drives. It’s just the name you would give your drive. People do not normally name the drives on their system. If you were to run the same command on a USB drive that you’ve named, you would likely get a label.

Hard Drive Serial Number

The hard drive serial number or the SSD serial number is different from the volume serial number. To find the hard drive serial number or the solid-state drive serial number, enter the following command in the Command Prompt.

This is the serial number you can give your device’s manufacturer if you’re looking to redeem your warranty or if you’re trying to repair/troubleshoot problems with it.

That’s all it takes. This works only for internal HDDs or SSDs and not for external storage. To find the serial number for external storage, connect it to your PC/laptop and go to the Device Manager. Find your storage device and go to its properties.

4 Comments

How to get the serial number of the hard disk based on the drive letter in command prompt?
I have 3 hard disks. I want to create a batch file to get the serial of a special disk based on the drive letter or name.
for example:

wmic diskdrive get serialnumber e:

Unfortunately this does not work for NVMe SSDs

Note: If you get “Invalid XML content.” you may need kb2664203.

that was very helpful. Thank you


Volume Serial Number


Larry E. Daniel, Lars E. Daniel, in Digital Forensics for Legal Professionals, 2012

32.3.4 Connecting a deleted file on a computer to a USB device using link file evidence

One of the properties of link files is the volume serial number. When a USB device is examined in forensic software like EnCase, the volume serial number of the device can be seen. If a link file for a deleted file is located on a computer hard drive and the volume serial number matches that of a USB device that is in evidence, a clear connection can be made between the USB device and the file that once existed on the hard drive, even if the file is no longer present on the USB device or the hard drive.

Operating System Data Hiding

Michael Raggo, Chet Hosmer, in Data Hiding, 2013

Alternate Data Streams Reviewed

Alternate Data Streams in Windows NTFS have been well known for years and date back to Windows NT 3.1. They were originally designed for interoperability with the Macintosh Hierarchical File System (HFS). NTFS uses Alternate Data Streams (ADS) to store metadata related to a file, including security information, original author of the file, and other metadata.

Alternate Data Streams (ADS) within Windows NT File System (NTFS) is a simple yet effective way to hide carrier files. To the casual investigator a simple directory listing would reveal nothing more than the expected files. Unless anything looked out of the ordinary, the ADS hidden files could remain undiscovered. The following example demonstrates the use of ADS to hide one or more files in the Alternate Data Streams on a Windows machine with NTFS. This provides a simple yet stealthy mechanism for hiding files.

To start, a simple text file is created “mike.txt.”

D:\mike>notepad mike.txt (Figure 7.2):

Figure 7.2. Creating “mike.txt” in Notepad

We can then of course run a directory listing to see the newly created file in our directory:


Volume in drive D has no label.

Volume Serial Number is FFFF-FFFF

Directory of D:\mike

11/07/2005 07:17 PM .

11/07/2005 07:17 PM ..

11/07/2005 07:17 PM 4 mike.txt

1 File(s) 4 bytes

2 Dir(s) 1,029,111,808 bytes free

Next, we can create our first Alternate Data Stream using the original text file (mike.txt) as demonstrated below and in Figure 7.3:

Figure 7.3. Creating an Alternate Data Stream

Normal browsing techniques are blind to Alternate Data Streams. Command line or Windows Explorer browsing reveals no new file, and neither the file size nor the free space on the disk has changed. Even though we’ve created an alternate data stream “mikehidden.txt” there’s no glaring evidence of it:

Volume in drive D has no label.

Volume Serial Number is FFFF-FFFF

Directory of D:\mike

11/07/2005 07:17 PM .

11/07/2005 07:17 PM ..

11/07/2005 07:18 PM 4 mike.txt

1 File(s) 4 bytes

2 Dir(s) 1,029,111,808 bytes free

We’re not limited to one Alternate Data Stream per file. Multiple ADSs can be attached to mike.txt (as shown in Figure 7.4):

Figure 7.4. Hiding a Second ADS in mike.txt

Once again, we can run a directory listing and we see no evidence of either of the Alternate Data Streams:

Volume in drive D has no label.

Volume Serial Number is FFFF-FFFF

Directory of D:\mike

11/07/2005 07:17 PM .

11/07/2005 07:17 PM ..

11/07/2005 07:18 PM 4 mike.txt

1 File(s) 4 bytes

2 Dir(s) 1,029,111,808 bytes free

It is also important to note that most antivirus software packages by default do not scan Windows Alternate Data Streams for viruses, trojans, and other malicious code. If you’re performing forensic investigations, ensure your vendor provides this very important feature in its antivirus suite. If it is supported by your antivirus software you can enable this feature on an as-needed basis. The drawback is that leaving this feature on may seriously slow your normal antivirus scans by as much as 10x, which is why many antivirus vendors leave it disabled by default. In summary, Alternate Data Streams are commonly overlooked by investigators and therefore can be a nice hiding location for files.
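For the examiner's side of the ADS walkthrough above, the following added example (not from the original book excerpt) parses a directory listing captured with the /R switch of dir, which lists named streams, and totals the bytes that an ordinary listing does not report. The sample listing, the second stream name, the stream sizes and setup.exe are constructed for illustration; treating Zone.Identifier as routine is an assumption an examiner may choose to change.

```python
import re

# A stream line in `dir /R` output has no date: "<size> <file>:<stream>:$DATA"
STREAM_LINE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$")
ROUTINE_STREAMS = {"Zone.Identifier"}   # mark-of-the-web added to downloads

# Constructed sample, modelled on the D:\mike listing shown above.
SAMPLE = """\
 Volume in drive D has no label.
 Volume Serial Number is FFFF-FFFF

 Directory of D:\\mike

11/07/2005  07:17 PM    <DIR>          .
11/07/2005  07:17 PM    <DIR>          ..
11/07/2005  07:18 PM                 4 mike.txt
                                    27 mike.txt:mikehidden.txt:$DATA
                                    15 mike.txt:second.txt:$DATA
11/07/2005  07:20 PM            10,240 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         10,244 bytes
               2 Dir(s)   1,029,111,808 bytes free
"""

def find_streams(dir_r_output):
    """Return every named stream in the listing, flagged for review or not."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            found.append({"file": m["file"], "stream": m["stream"],
                          "size": int(m["size"].replace(",", "")),
                          "review": m["stream"] not in ROUTINE_STREAMS})
    return found

def hidden_bytes_by_file(streams):
    """Total bytes held in non-routine streams, per host file."""
    totals = {}
    for s in streams:
        if s["review"]:
            totals[s["file"]] = totals.get(s["file"], 0) + s["size"]
    return totals

if __name__ == "__main__":
    streams = find_streams(SAMPLE)
    for s in streams:
        print(s)
    print(hidden_bytes_by_file(streams))
```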

Windows Forensic Analysis

Link files (.LNK extension) are simply shortcuts, which point to another file or folder. Users sometimes create these shortcuts intentionally for convenient access to particular items, but more often Windows creates link files automatically in an attempt to assist the user and speed up operations. Windows places link files in various locations, including a user’s Desktop, Start Menu, and Recent folders, as well as in application data areas and restore points.

The mere presence of a link file can be significant because it may indicate that the user opened a particular file or folder. For example, finding a link file in a user’s Desktop folder called my_lolitas.lnk, which points to a folder containing hundreds of pictures of minors in lewd or lascivious poses, would make it far more difficult for the user to claim he had no knowledge of the folder’s existence. By the same token, finding a link file in a user’s Recent folder called hot_credit_cards.xls.lnk, which points to the spreadsheet on a piece of removable media, would make the user’s arguments against his access of the spreadsheet much less plausible. Further, each link file, as an object on the file system, has its own set of date-time stamps, which can provide the examiner with data indicating when the link file was created or last used, based on the Last Written date-time stamp.

Information stored inside the link file can also be very valuable from a forensic perspective, because it provides details about the link’s target file. Link files can contain data showing the full path to the target file (even on removable media or network shares that are no longer connected), the volume label, and volume serial number of the volume upon which the target file resides as shown in Figure 5.30. The four-byte volume serial number can be located immediately preceding the byte sequence \x10\x00\x00\x00 prior to the start of the full path (or the volume label, if a label is present). The bytes of the volume serial number are little-endian, and must be read from right to left.

Figure 5.30. Analysis of a link file showing the full path to the target file (highlighted), as well as the volume serial number (\x34\xE1\x25\x17) and volume label super_cool for the volume on which the target resides.

The drive letter assigned to the volume upon which the target resides and the dates and times of the target file (as opposed to the dates and times of the link file itself) can also be found in the link file. The date-time stamps found within the link file that refer to the link’s target are standard Windows 64-bit dates and times (8 bytes in length) and can be found at the following offsets from the beginning of the link file:

Bytes 28–36: Created date-time stamp for the target file

Bytes 36–44: Last Accessed date-time stamp for the target file

Bytes 44–52: Last Written date-time stamp for the target file

Note that the sequence of these date-time stamps (created, accessed, written) is different from the more common sequence in NTFS and FAT file systems (created, written, accessed).
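The layout described above, as an added example that is not part of the original book excerpt: it reads the three target time stamps at bytes 28, 36 and 44 and then follows the link file's own offsets to the volume serial number, label and full path instead of scanning for the \x10\x00\x00\x00 marker. The sample file is constructed in build_sample(); only the serial bytes and the label super_cool come from Figure 5.30, and the dates and the path E:\docs\report.xls are invented for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def filetime_to_utc(ticks):
    """Windows 64-bit time: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def cstr(data, start):
    """Read a NUL-terminated single-byte string starting at `start`."""
    return data[start:data.index(b"\0", start)].decode("latin-1")

def parse_lnk(data):
    """Extract target timestamps, volume serial, label and path from LNK bytes."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: header size field is not 0x4C")
    flags, = struct.unpack_from("<I", data, 20)
    # Bytes 28-36, 36-44, 44-52: created, accessed, written (note the order).
    created, accessed, written = struct.unpack_from("<3Q", data, 28)
    out = {"created": filetime_to_utc(created),
           "accessed": filetime_to_utc(accessed),
           "written": filetime_to_utc(written),
           "volume_serial": None, "volume_label": None, "target_path": None}
    pos = 0x4C
    if flags & 0x1:                      # item ID list present: skip size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                  # no LinkInfo block, no volume data
        return out
    info_flags, vol_off, path_off = struct.unpack_from("<3I", data, pos + 8)
    if info_flags & 0x1:                 # volume ID and local path are present
        vid = pos + vol_off
        _, _, serial, label_off = struct.unpack_from("<4I", data, vid)
        # "<I" reads the stored bytes little-endian: 34 E1 25 17 -> 0x1725E134
        out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
        if label_off == 0x10:            # the \x10\x00\x00\x00 field: label follows
            out["volume_label"] = cstr(data, vid + label_off)
        out["target_path"] = cstr(data, pos + path_off)
    return out

def build_sample():
    """Constructed LNK (not a real case file): header + LinkInfo, no ID list."""
    ticks = [(datetime(2012, 3, d, tzinfo=timezone.utc) - EPOCH_1601)
             // timedelta(microseconds=1) * 10 for d in (1, 2, 3)]
    header = struct.pack("<I16sII3Q", 0x4C, LINK_CLSID, 0x2, 0x20,
                         *ticks).ljust(0x4C, b"\0")
    label, path = b"super_cool\0", b"E:\\docs\\report.xls\0"
    volume_id = (struct.pack("<II", 16 + len(label), 2) + b"\x34\xE1\x25\x17"
                 + struct.pack("<I", 0x10) + label)
    body = volume_id + path + b"\0"
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x1, 0x1C,
                            0x1C + len(volume_id), 0,
                            0x1C + len(volume_id) + len(path)) + body
    return header + link_info

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key:14} {value}")
```

The serial is printed in the same XXXX-XXXX form that a directory listing shows, so it can be compared directly with the volume serial number of a device in evidence.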

Tool Feature: Link File Analysis

Although this link file data can easily be interpreted manually, most forensic suites have the ability to assist the examiner in doing so. One tool that is very handy for link file analysis is MiTeC’s free Windows File Analyzer utility (www.mitec.cz/wfa.html). When pointed to a folder of shortcut files, which could be copied out of a disk image using a forensic tool, the Windows File Viewer parses the link files and provides the underlying data in a concise, printable report format (Figure 5.31).

Figure 5.31. Sample output from MiTeC’s Windows File Analyzer shortcut analysis.

It should be noted that the data within a link file only reflects the state of the target file when the link file was last updated (usually, when the target file was opened on the volume). For example, if a link file’s target was deleted from the volume on which it resides, the link file would then most likely contain outdated path, volume, and time/date information, provided the link file itself was not also deleted. However, this behavior can also be helpful to the investigator, as link files can be found to provide information about target files and folders to which the investigator can no longer find reference on the active file system.

Correlating Artifacts

Correlating Windows shortcuts to USB devices

Perhaps one of the least understood and most difficult aspects of analysis is correlating apparently disparate artifacts in order to “paint a picture” or “complete a story” for your examination. For example, identifying USB devices that had been connected to a system, and to which users they were available has been published and understood (for the most part) for some time, but this isn’t where analysis of these artifacts stops. When analyzing the device artifacts, we may need to know more about the usage of those devices, such as the drive letter to which the device was mapped. We may not be able to easily obtain this information simply from a cursory review of the MountedDevices key within the System Registry hive, as the drive letter may have been reused for multiple devices (it turns out that this is often the case; the drive letter “E:\,” for example, has been assigned to more than half a dozen different devices at different times on my own system). As such, in order to really understand the full breadth of USB device detection within an image acquired from a Windows system, it’s very important to understand the full breadth of artifacts, and how they can all be used together during an exam.

We know from analysis of USB devices on Windows 7 and 8 systems that there is a valuable key within the Software hive named EMDMgmt; the full path is Microsoft\Windows NT\CurrentVersion\EMDMgmt. According to information available from the Microsoft web site, this key is associated with ReadyBoost, a capability of more modern Microsoft systems (Vista and beyond) to examine USB devices for suitability for use as external random access memory. The subkeys beneath this key include information about various USB thumb drives, as well as drive enclosures, that had been connected to the system. Specifically, keys associated with USB thumb drives have names that start with _??_USBSTOR#, and drive enclosures have names that start with either an underscore or several letters. The names can be split into individual elements separated by underscores, and the last two elements of the name are the volume name, if available, and the volume serial number, in decimal format. For USB thumb drives, the subkey names contain the device ID, as well as the device serial number, just as we usually find beneath the Enum\USBStor, also within the System hive.

Signatures and Serial Numbers

There are important distinctions that must be made and understood between the various signatures and serial numbers that are available, specifically with respect to USB devices. A big issue faced by the digital forensics community at large is the lack of specificity of language, which leads to significant misunderstanding and confusion.

A USB device will have a device serial number, which is embedded within the firmware of the device itself, and is not accessible in the memory storage area of the device. It can, however, be modified through the use of the appropriate application programming interfaces (APIs) or firmware updates, usually available from the manufacturer. The point, however, is that this information—the device serial number found in Enum\USBStor subkeys within the System hive file—is read from the device firmware. The volume serial number is a value that is assigned to a volume (C:\, D:\, E:\, etc.) when the volume is formatted, and can easily be changed by reformatting the volume. Volume serial numbers can be found embedded in application Prefetch files, Windows shortcuts/LNK files, as well as within EMDMgmt subkey names. A disk signature is part of a physical disk, and is a 4-byte value found at offset 0x1b8 (440 in decimal format) within the master boot record of the disk. Disk signatures can be found in some value data beneath the MountedDevices key in the System hive.

When a user accesses a volume or a file on a USB device, a Windows shortcut (LNK file) is created in either the AppData\Roaming\Microsoft\Windows\Recent or ..\Office\Recent folder within the user’s profile folder, depending upon the type of file that was accessed. The format of these files includes, in most cases, the volume name (if one is available) and volume serial number of the volume where the file was located. By correlating the volume serial numbers from the EMDMgmt Registry subkeys to those found in the LNK files, we’re able to not only determine the drive letters assigned to the USB device volumes, but we’re also able to get insight into the directory structure within that volume. As noted in Chapter 4, Windows 7 and 8 systems also include *.automaticDestinations-ms Jump Lists (within the AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations folder in the user profile), which are compound documents that incorporate streams that follow the LNK file format, and therefore also contain volume name (if available), volume serial number, and drive type (in this case, we’re interested in removable drives) information, as well. An example of this information extracted from a Jump List LNK stream is illustrated in Figure 8.1.

Figure 8.1. Drive type, volume serial number, and volume name extracted from a Windows 7 Jump List LNK stream.

Correlating the volume serial numbers from the EMDMgmt subkeys to those found within the user’s LNK files or Jump List streams can serve a number of purposes for the analyst. For one, this can provide information regarding the drive letter assigned to the device, which may not be available through analysis of the “current” System hive (via the MountedDevices key values), nor those hives within available volume shadow copies (VSCs). Second, this information allows the analyst to determine the use of a specific device, particularly if that device was collected and was not reformatted by the user. Finally, this allows the analyst to determine specific folder structures found within the volume, which can then be correlated with other artifacts, such as shellbags or UserAssist entries, to develop a more detailed understanding of what existed within the volume.
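The correlation described in this section, as an added example that is not from the original text: EMDMgmt subkey names are split on underscores as described above, the decimal serial is converted to the XXXX-XXXX form, and the result is joined to volume serial numbers already extracted from LNK files or Jump List streams. The subkey names, the LNK records and their paths are constructed, and the field names volume_serial and target_path are this example's own.

```python
from collections import defaultdict

def vsn_from_decimal(text):
    """EMDMgmt stores the volume serial in decimal; show it as XXXX-XXXX."""
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("volume serial number must fit in 32 bits")
    return f"{value >> 16:04X}-{value & 0xFFFF:04X}"

def parse_emdmgmt_name(name):
    """Last two underscore-separated elements: volume name, decimal serial."""
    parts = name.split("_")
    if len(parts) < 2 or not (parts[-1].isascii() and parts[-1].isdigit()):
        return None                      # name does not end in a decimal serial
    return {"subkey": name,
            "is_thumb_drive": name.startswith("_??_USBSTOR#"),
            "volume_name": parts[-2] or None,   # empty when the volume is unnamed
            "volume_serial": vsn_from_decimal(parts[-1])}

def correlate(subkey_names, lnk_records):
    """Join EMDMgmt volumes to LNK targets on the volume serial number."""
    by_serial = defaultdict(list)
    for rec in lnk_records:
        by_serial[rec["volume_serial"]].append(rec)
    report = []
    for name in subkey_names:
        vol = parse_emdmgmt_name(name)
        if vol is None:
            continue
        hits = by_serial.get(vol["volume_serial"], [])
        report.append({**vol,
                       "drive_letters": sorted({h["target_path"][:2] for h in hits}),
                       "paths": sorted(h["target_path"] for h in hits)})
    return report

# Constructed subkey names: one thumb drive, one enclosure with no volume name.
SUBKEYS = [
    "_??_USBSTOR#Disk&Ven_EXAMPLE&Prod_Stick&Rev_1.00#PLACEHOLDER0001&0#_BACKUP_388358452",
    "EXAMPLE_ENCLOSURE_DEVICE__4294901777",
]
# Constructed LNK / Jump List records; E: is reused by two different volumes.
LNK_RECORDS = [
    {"volume_serial": "1725-E134", "target_path": "E:\\docs\\report.xls"},
    {"volume_serial": "1725-E134", "target_path": "F:\\docs\\old\\notes.txt"},
    {"volume_serial": "0BAD-F00D", "target_path": "E:\\other.txt"},
]

if __name__ == "__main__":
    for row in correlate(SUBKEYS, LNK_RECORDS):
        print(row)
```

Because the join is on the serial rather than the drive letter, the third record stays out of the thumb drive's results even though it was also opened from E:.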

Shellbags Artifacts

Yet another indicator as to why understanding the differences between various versions of Windows is so vitally important is illustrated in the shellbags artifacts. For one, on Windows XP, the shellbags artifacts are maintained in the NTUSER.DAT hive file, while on Windows 7 and 8, they’re found in the user’s USRCLASS.DAT hive file. On Windows XP systems, the data beneath the Software\Microsoft\Windows\ShellNoRoam\BagMRU subkeys can be correlated, via the NodeSlot value, to the values beneath the Software\Microsoft\Windows\ShellNoRoam\Bags\\Shell keys whose names start with “ItemPos.” These values have been found to contain what amounts to a directory listing of the accessed folder, stored in shell item format within the binary value data. For example, in a practical exercise available online, the user on a Windows XP system accessed a System Restore Point and launched a malware sample; the shellbags artifacts from the system not only illustrated that the user accessed the Restore Point folder (as did other artifacts on the system), but they also contained a listing of the files located in that folder. I’ve been told by several investigators that they’ve been able to use this same information, when correlated with other artifacts, to illustrate a user’s access to TrueCrypt encrypted volumes, as well as the contents of those volumes. Again, this particular type of artifact appears to be available on Windows XP systems, and not on Vista, Windows 7, or Windows 8 systems.

Interoperability

Ian H. Witten, ... David M. Nichols, in How to Build a Digital Library (Second Edition), 2010

OpenURLs

The purpose of persistent URLs is to create reliable identifiers that can be used to link to a document, no matter where it is stored. A different problem is to discover a link to a document when all you have is its metadata. This is accomplished by a scheme called OpenURL, which is often run as a service by libraries. An OpenURL is generated by a bibliographic citation or bibliographic record; its target is a resource that satisfies the user’s information need.

An OpenURL consists of a base URL that usually addresses an institutional link server and a query string that specifies metadata in the form of key–value pairs. For example, http://www.oxfordjournals.org/content?genre=article&issn=0006-8950&volume=126&issue=2&spage=413 specifies a particular article at the base URL www.oxfordjournals.org by giving its serial number, volume, issue, and page number. In the case of this particular OpenURL resolver, the first four parameters—genre, ISSN (International Standard Serial Number), volume, and issue—are mandatory, but metadata like title and author can be given as an alternative to the page number.

The idea of OpenURLs is that a user can query an online bibliographic database and end up with a pointer to the full text of the article he wants to read. Whether the user is able to download the article depends on whether his institution has an appropriate subscription. To determine this, the link needs to be resolved by the user’s institution to point to the appropriate institutional copy. An OpenURL can be made to resolve to a copy of a resource in a different library simply by changing the base URL. Thus, the same OpenURL can easily be adjusted by either library to provide access to its own copy of the resource.

OpenURLs work well for documents that have standard metadata associated with them. In order to refer to general documents on the Web, a scheme involving associative links has been proposed. Pages can be identified not just by a name or location, but also by their content—the words they contain. A few well-chosen words or phrases are sufficient to identify almost every Web page exactly, with high reliability. These snippets—called the page’s signature—could be added to the URL. Browsers would locate pages in the normal way, but if they encountered a broken-link error, they would pass the signature to a search engine to find the page’s new location. The same technique identifies all copies of the same page on the Web—an important facility for search engines, so they need not bother to index duplicates. The scheme relies on the uniqueness of the signature: there is a trade-off between signature size and reliability.

Introduction

William J. Buchanan BSc, CEng, PhD, in Software Development for Engineers, 1997

29.8 Listing files (DIR)

The DIR command displays the contents of a directory. A help manual on DIR is given in Test run 29.11.

Various switches modify the way the DIR command displays the directory listing. Refer to the user manual shown in Test run 29.11 for a complete listing. Test run 29.12 shows a sample listing without switches.
