- #Accessdata ftk imager model serial numbers#
- #Accessdata ftk imager model serial number#
- #Accessdata ftk imager model windows#
In the interest of a quick demo, I am going to select a 512MB SD card, but you can select any attached drive. The version used for this posting was downloaded directly from the AccessData web site (FTK Imager version 2.6.0).įrom the File menu, select Create a Disk Image and choose the source of your image.
#Accessdata ftk imager model windows#
The rest of this article will walk the reader through the process of taking a drive image using AccessData's FTK Imager tool.įTK Imager is a Windows acquisition tool included in various forensics toolkits, such as Helix and the SANS SIFT Workstation. The truth is: there are plenty of good tools that provide a high level of automation and assurance. I maintained my snobbish attachment to plain old dd for a long time, until I finally got tired of restarting acquisitions, forgetting checksums, and making countless other errors.
You can use the digit-swapping method to decode the USBs in your testing table.There are many utilities for acquiring drive images. Hope this helps clarify the discrepancies you identified. Of all the tools shown above WinHex/X-Ways handles it the most "user-friendly" in that both formats are provided to you.
#Accessdata ftk imager model serial number#
So, As you can see.all the forensic tools really do grab the serial number (or at least most of it), which will match the PNPDEVICEID you find in the and in the Windows Registry. This is ASCII but the HEX for this is 575839314139333030343637.so EnCase reports the HEX values serial number and FTK (WMIC) reports the ASCII version of the same thing. On your WD MyPassport the WMIC serial number is WX91A9300467. To convert WMIC, first take every odd digit: 6 0 A 4 4 C, then take every even digit B F 8 1 2 9 and append them together odd first followed by even and you get:Ħ0A44C BF8129.look famililar? Unfortunately when WMIC reports the serial number it does truncate portions so the converted WMIC is not exactly the same as the iSerialNumber depending on the length of the original iSerialNumber.Īs to some of the Hard Drives listed in your testing table, there is simple HEX encoding going on with WMIC.
#Accessdata ftk imager model serial numbers#
See the example of the above example where I have two serial numbers provided: With the USB devices, WMIC displays the serial number using a digit-swapping (and in some cases HEX encoded) process. The USB devices are a little more difficult to interpret. In the case of your Toshiba 1TB HD, the serial numbers are the same but WMIC displays them in revers order.
WMIC uses a somewhat convoluted method for displaying device serial numbers, and unfortunately as with many things "Microsoft", things change from Windows release to Windows release.īelieve it or not, the serial numbers you identified in your testing are all essentially the same, just displayed in different formats. The answer is they are ALL correct! They just display the serial number in different ways depending on the method used to request the serial number from the device. IdVendor: 0x0951 = Kingston Technology CompanyĮnglish (United States) "DataTraveler 3.0"Įnglish (United States) "60A44C426697BF812981005E" =>Device Descriptor This is an Interface Class Defined Device Reading USB firmware directly with Microsoft USB Device Viewer: Below is a "dump" of serial numbers provided by a variety of Windows tools.so which one is correct?
0 kommentar(er)
