This statement is correct, the serial number _is_ generated based on the current date/time, and as far as I remember it's up to the millisecond. If the user used the format utility that comes standard with the MS product, it will automatically change the serial number to match the date/time on the system...

This of course isn't the only method in determining whether the disk was formatted or not, because there are some pitfalls:

1) the user could have set the time back on the system to an estimated time/date that the drive was initially formatted (based on the creation date of core system files/folders)
2) the user could have used another tool to generate a serial number for the disk to match what is currently in place

With that in mind, you would have to resort back to identifying the structure of the disk by looking at the order of bits (this has all been previously mentioned....)

Both methods can't be used alone, but when used together they can really turn some information around.....

So, what would I do?

1) examine the order of bits on the drive to see if it _could_ have been formatted, or defragmented.
2) check the volume serial number on the disk against the dates/times of some files that _should_ have been there when it was installed.

-note- if the system was mounted as a slave device, some core system files may never even have been present to begin with, but after the 'undelete' of the files on the filesystem you can actually verify the times on the files vs the serial number on the disk to find out if they were created before or after the format.

Just a couple of ideas that could potentially be way off topic, but that happens sometimes....

Thanks,
Ryan Yagatich <supportat_private>
Pantek, Incorporated
(877) LINUX-FIX - (440) 519-1802
===================================
A8 07 52 9B 40 04 F3 6F 60 04 05 70 CC 0B CF C6 AB AB 45 B6 89 9E E9 9E
===================================
The Keystone Kops are after you!
On Thu, 10 Oct 2002, Robert Goto wrote:

>I believe it is possible to tell when a hard drive was formatted under
>Windows 95 by running the 'vol' command and looking at the volume serial
>number. We looked into this a while back and the volume serial number
>appears to represent some kind of offset from a given point in time. We
>tested this by changing the time on our systems and formatting disks. It
>changes and there is a pattern. Is there anyone out there who has figured
>this one out?
>
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
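The serial-versus-file-time check discussed in this thread, as an added example that is not part of either message. It assumes the commonly described FAT layout, which the thread does not spell out and which should be confirmed with a test format on the same OS: first half = (month, day) + (seconds, hundredths), second half = (hours, minutes) + year, each pair packed as high byte and low byte. All function names and the sample date are constructed for illustration.

```python
from datetime import datetime, timedelta

def fat_serial(dt):
    """Serial produced by the assumed FAT scheme for a format at local time dt."""
    first = ((dt.month << 8 | dt.day) + (dt.second << 8 | dt.microsecond // 10000)) & 0xFFFF
    second = ((dt.hour << 8 | dt.minute) + dt.year) & 0xFFFF
    return f"{first:04X}-{second:04X}"

def candidate_format_times(serial, years=range(1980, 2003)):
    """Every date/time in `years` that would produce `serial` (the sums are not unique)."""
    first, second = (int(part, 16) for part in serial.split("-"))
    found = []
    for year in years:
        hm = (second - year) & 0xFFFF
        hour, minute = hm >> 8, hm & 0xFF
        if hour > 23 or minute > 59:
            continue
        for month in range(1, 13):
            for day in range(1, 32):
                sh = (first - (month << 8 | day)) & 0xFFFF
                sec, hund = sh >> 8, sh & 0xFF
                if sec > 59 or hund > 99:
                    continue
                try:
                    found.append(datetime(year, month, day, hour, minute, sec, hund * 10000))
                except ValueError:
                    pass  # impossible calendar date such as 31 February
    return sorted(found)

def formats_preceding(serial, file_time, window=timedelta(days=1)):
    """Candidates that fall within `window` before a file expected from install time."""
    return [t for t in candidate_format_times(serial)
            if file_time - window <= t <= file_time]

if __name__ == "__main__":
    serial = fat_serial(datetime(1995, 12, 26, 21, 55, 41, 940000))  # constructed sample
    print(serial, len(candidate_format_times(serial)), "candidate times")
    print(formats_preceding(serial, datetime(1995, 12, 26, 22, 10)))
```

Under this assumed scheme a single serial maps to many possible format times, so the serial only becomes useful once file timestamps narrow the window; an empty result means no format time consistent with the serial falls just before that file.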
This archive was generated by hypermail 2b30 : Fri Oct 11 2002 - 05:08:10 PDT