How does Windows calculate a volume's unique ID?

Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, released under the CC BY-SA 4.0 licence. If you use it you must likewise follow the CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/7929481/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-09-15 18:22:11  Source: igfitidea

How windows calculates volume unique id?

Tags: windows, volume

Asked by user996142

As far as I understand, the Windows driver (ftdisk) creates an object "HardDiskVolume" for each volume it finds on the system and creates a registry record for it:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\
\??\Volume{GUID} = BINARY_DATA

From that moment the volume is mounted as \??\Volume{GUID}

BINARY_DATA is used to map this drive to \DosDevices\<DISK_NAME> in the same registry hive, so the disk has a letter.

BINARY_DATA has to be unique for the volume and should not be changed even if I put this disk into another PC, right?


My question is:

  1. what is GUID here? Is it random number generated by ftdisk each time windows boots?
  2. How does Windows calculate BINARY_DATA?

I've read lpVolumeSerialNumber using GetVolumeInformation. It is just a long integer and does not look like this BINARY_DATA.

I believe BINARY_DATA is a function of lpVolumeSerialNumber (which is generated by the OS when the volume is formatted) and something else:

BINARY_DATA = F(VolumeSerialNumber, SOMETHING).

What is SOMETHING?


I read MSDN and the Russinovich/Solomon book already and still can't get it.

Oh, I found it.

It says "The data that the registry stores in values for basic disk volume drive letters and volume names is the Windows NT 4–style disk signature and the starting offset of the first partition associated with the volume".


But what is a "Windows NT 4–style disk signature"?

From here: http://www.microsoft.com/resources/documentation/windowsnt/4/server/reskit/en-us/resguide/diskover.mspx?mfr=true


That is "Four-byte disk signature that is in the first sector of each hard disk"


So I used the HxD tool and found these four bytes from my BINARY_DATA; I found them in row 1B0, columns 08 to 0B.

Looks like there is one more person on the internet who knows about it: http://www.pcreview.co.uk/forums/image-copy-drive-wont-boot-properly-t3761034.html

So if I change the MBR on the disk it would lose its letter :)

Answered by Jet

Here is the (main part of the) answer from Wikipedia:

"The serial number is a 32-bit number determined by the date and time on the real-time clock on the current computer at the time of a disk's formatting."


Answered by Stephan Unrau

This is going back a few years, as I worked at a company that would read and write to the first 62 sectors of hard disks. We had to be careful not to overwrite all 62 sectors or we would have problems with Windows activation. Typically goodies are stored there; however, it's not much of a secret.

For sure on FAT, the 62 sectors before the MBR are 'unused' and usable by any program. I have copied text from a forensic page linked below, and you'll see that it's likely the unique identifiers are stored in the first 62 sectors. Forensic analysts can use the data in the registry to determine that you removed a hard disk and can then go look for it. I presume the identifier was written there by Windows on format. The binary data is the time stamp and is created on format, and with all this it's really strong evidence; you should find that binary data, hopefully not encoded, on the first 62 partitions somewhere.

Actually, correct, I did find it! This WinHex is the bomb! You want to read from 0 to (62*512) on one of the PHYSICAL drives (not logical). I don't think you will have any problems changing this other than possibly activation; however, that's an old issue and I believe they stopped since people now update their SSDs often as they melt down.


FROM http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry


A Forensic Analysis Of The Windows Registry

Derrick J. Farmer Champlain College Burlington, Vermont [email protected]

Mounted Devices

There is a key in the Registry that makes it possible to view each drive associated with the system. The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system. The binary data for each \DosDevices\x: value contains information for identifying each volume. This is demonstrated in Figure 7, where \DosDevice\F: is a mounted volume and listed as 'STORAGE Removable Media'.

Figure 7 Identification of volume \DosDevice\F:

This information can be useful to a digital forensics examiner as it shows the hardware devices that should be connected to the system. Therefore, if a device is shown in the list of MountedDevices and that device isn't physically in the system, it may indicate that the user removed the drive in attempt to conceal the evidence. In this case, the examiner would know they have additional evidence that needs to be seized.

SECTORS 1-62 QUOTED FROM
http://www.beginningtoseethelight.org/fat16/index.htm
sectors 1 - 62 (>= 31,744 bytes)

Sectors 1 - 62 inclusively are normally left empty. Applications that do use it include: multi-boot loaders like Ranish Advanced Boot Manager; security programs such as Reflex-Magnetics Disknet; viruses that copy themselves to the master boot record so that they can load every time, and sometimes move the real MBR into this area, plus any more virus code. Full disk encryption programs and disk translation software for very large hard disks may also reside here.

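Worked example added by the editor; it is not code from the question, from any answer, or from the quoted forensic article. It builds sample MBRs, derives the 12-byte MountedDevices value the asker arrived at (the 4-byte NT disk signature at MBR offset 0x1B8, which is hex-editor row 1B0, columns 08 to 0B, followed by the partition's starting byte offset as a little-endian 64-bit integer), classifies the other value shapes found in that key (the "DMIO:ID:" + GUID form for GPT basic volumes and the UTF-16LE device path for the 'STORAGE Removable Media' case in Farmer's excerpt), and runs the cross-check Farmer describes: entries whose disk signature is not on any attached disk. Every disk, signature, GUID and registry name below is constructed sample data; the offsets are the MBR layout, not values taken from the page.

```python
import struct
import uuid

SECTOR_SIZE = 512
MBR_SIGNATURE_OFFSET = 0x1B8         # hex-editor row 1B0, columns 08..0B
MBR_PARTITION_TABLE_OFFSET = 0x1BE   # first of four 16-byte partition entries
MBR_ENTRY_SIZE = 16


def build_sample_mbr(disk_signature, partition_start_lba, partition_sectors):
    """Construct a minimal 512-byte MBR (constructed demo data, not read from a disk)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, MBR_SIGNATURE_OFFSET, disk_signature)
    # One partition entry: boot flag, CHS start, type (0x07 = NTFS), CHS end,
    # 32-bit starting LBA, 32-bit sector count
    struct.pack_into("<B3sB3sII", mbr, MBR_PARTITION_TABLE_OFFSET,
                     0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                     partition_start_lba, partition_sectors)
    mbr[510:512] = b"\x55\xAA"  # boot sector signature
    return bytes(mbr)


def mbr_disk_signature(mbr):
    """The NT 4-style disk signature stored in sector 0."""
    return struct.unpack_from("<I", mbr, MBR_SIGNATURE_OFFSET)[0]


def mounted_devices_value_for(mbr, partition_index=0):
    """The 12-byte MountedDevices value for a basic MBR volume: the four raw
    signature bytes, then the partition's starting byte offset (start LBA *
    sector size) as a little-endian 64-bit integer."""
    entry = MBR_PARTITION_TABLE_OFFSET + MBR_ENTRY_SIZE * partition_index
    start_lba = struct.unpack_from("<I", mbr, entry + 8)[0]
    signature = mbr[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + 4]
    return signature + struct.pack("<Q", start_lba * SECTOR_SIZE)


def parse_mounted_devices_value(value):
    """Classify one MountedDevices value into the three shapes seen in practice."""
    if len(value) == 12:
        signature, offset = struct.unpack("<IQ", value)
        return {"kind": "mbr", "disk_signature": signature, "partition_offset": offset}
    if value.startswith(b"DMIO:ID:") and len(value) == 24:
        # GPT basic volume: partition GUID in Windows' mixed-endian (bytes_le) layout
        return {"kind": "gpt", "partition_guid": uuid.UUID(bytes_le=value[8:])}
    try:
        # Removable media: a UTF-16LE device instance path
        return {"kind": "device_path", "path": value.decode("utf-16-le")}
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": value.hex()}


def missing_mbr_disks(mounted_devices, attached_mbrs):
    """Farmer's cross-check: MBR-style entries whose disk signature is not present
    on any currently attached disk (a device that was mounted but is now gone)."""
    present = {mbr_disk_signature(m) for m in attached_mbrs}
    missing = []
    for name, value in mounted_devices.items():
        info = parse_mounted_devices_value(value)
        if info["kind"] == "mbr" and info["disk_signature"] not in present:
            missing.append(name)
    return missing


# Constructed sample disks and registry values (hypothetical, not a real hive).
DISK_A = build_sample_mbr(0x1A2B3C4D, 2048, 409600)
DISK_B = build_sample_mbr(0x5E6F7A8B, 63, 1000000)
DISK_GONE = build_sample_mbr(0x99999999, 2048, 2048000)
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")

SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": mounted_devices_value_for(DISK_A),
    # the volume name and the drive letter carry the same bytes
    r"\??\Volume{0c5f4a2e-0000-0000-0000-100000000000}": mounted_devices_value_for(DISK_A),
    r"\DosDevices\D:": mounted_devices_value_for(DISK_B),
    r"\DosDevices\E:": mounted_devices_value_for(DISK_GONE),
    r"\DosDevices\F:": b"DMIO:ID:" + SAMPLE_GUID.bytes_le,
    r"\DosDevices\G:": "\\??\\STORAGE#RemovableMedia#constructed-id#"
                       "{00000000-0000-0000-0000-000000000000}".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, value in SAMPLE_MOUNTED_DEVICES.items():
        print(f"{name:52} {parse_mounted_devices_value(value)}")
    print("entries whose disk is not attached:",
          missing_mbr_disks(SAMPLE_MOUNTED_DEVICES, [DISK_A, DISK_B]))
```

Running the script prints the decoded entries and reports \DosDevices\E: as the one whose disk is absent. Because the \DosDevices\X: value and the matching \??\Volume{GUID} value are the same 12 bytes, overwriting sector 0 changes the signature half of that pair and the letter mapping no longer matches, which is what the asker observed; values of any other length are left to the GPT or device-path branches.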

Answered by Joe Plante

For one, GUIDs are GUIDs. They are just a randomly-generated number sequence that has a very low chance of having a duplicate entry. I doubt it would be generated each time Windows boots, though I'll admit that it's possible. I never noticed it changing since I don't see my HDD's GUID that often.

Also, are you dereferencing lpVolumeSerialNumber? If not, you are probably getting a memory address. The Hungarian notation "lp" == "Long Pointer to...". The volume serial number itself looks like a DWORD, a 32-bit integer.