The volume serial number IS derived from the system clock-- but there is no way to reverse that. The scheme was developed so that the OS could track diskette changes and prevent data corruption. The algorithm results in a fair enough approximation to randomization that it would long odds indeed that two people would share a volume serial number-- unless one used a tool to modify that number. Compare it to dipping a paintbrush into a paint bucket, then flinging the paint on the wall. You might be able to predict where the paint would go, knowing the position of every bristle and every other factor involved (temperature, speed at which the brush was flicked, etc), but just seeing the paint spatter, it would be virtually impossible to figure out the position of the bristles, etc. Conceivably, there would be many parameters that could exist that result in the same pattern. Attempting to use the volume serial number in this way would be unproductive. Alaric "Robert Goto" <goto1at_private> spilled coffee on his keyboard, the resulting short circuits resulted in: >I believe it is possible to tell when a hard drive was formatted under >Windows 95 by running the 'vol' command and looking at the volume serial >number. We looked into this a while back and the volume serial number >appears to represent some kind of offset fro a given point in time. We >tested this by changing the time on our systems and formatting disks. >It changes and there is a pattern. Is there any one out there who has >figured this one out? ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 04:57:53 PDT