Casey Mullis

#3 Onward and upwards


We will get nowhere moving backwards, so onward and upwards we go! If you are here, we assume you made it through the first two write-ups and want to either move forward with us or see how we are moving forward. Either way we are doing it together, and that is more important than anything else. If you happened upon this one and have not yet seen the first two, we would like to invite you to start with “Where Should I Start?” and then move on to “One step at a time”. Once done there, you will be all caught up.

In the last article, “One step at a time”, we retrieved the hard drive serial numbers and printed them to the output screen. This is great and all, but we need to collect that information and store it for future reference or validation if needed. Let’s say you were called to a scene where, for some legal reason, you could not take physical drives or computers from the scene. What would you do? Yes, you could spend hours imaging the computer hard drives, or days depending on the amount of storage in your target machine. You do not have that kind of time, so you collect the important information for your investigation. The next day or so, you go back because you were asked to gather further data. How do you know that the hard drive(s) had not been changed?

The first step in our code is the modules we need for collecting the data. So the first two lines of our Python code will import the modules we need to get to our hard drive serial numbers and to print that data to a file.

Line 1 = import wmi

Line 2 = import sys

Without these two lines you will get errors and no data. So, your code in your (Your file name here).py file will be:

import wmi

import sys

We will start by sending everything the print statement outputs to a file, as follows:

sys.stdout = open("HDserial.txt", "w+")

If you open a file, then you must close the file, so we need the next line of code:

sys.stdout.close()

You can see we have named our file HDserial.txt and set the access to write as w+. We will be dumping the text file in the same directory as the Python file that we are creating. If you are following along and run just this code, go to where you saved your Python file and you will find the text file you created. You can open the file, but it will be empty at this time. We are working from a USB drive, not C:.

To get our hard drive serial numbers into the text file, in our case HDserial.txt, we will take the code from the prior article “One Step at A Time”.

c = wmi.WMI()

for pm in c.Win32_PhysicalMedia():

    print(pm.Tag, pm.SerialNumber)

Remember what we said before: “c” and “pm” can be whatever you want them to be, just keep it simple so it makes for easy editing later if you wish. K.I.S.S. (Keep It Simple Stupid). So now our code should look like this:

import wmi

import sys

sys.stdout = open("HDserial.txt", "w+")

c = wmi.WMI()

for pm in c.Win32_PhysicalMedia():

    print(pm.Tag, pm.SerialNumber)

sys.stdout.close()

When we run this code, we get the following in a text file in the same directory as our python file.

When we open the text file, we will now find the hard drive serial numbers have been written to it and not to the Python or Sublime window.

We have now gone from printing the hard drive serial numbers to the console to creating a text file and writing said hard drive serial numbers to the text file. Great work and glad you were here with us for this. If you had errors, please feel free to post them in a comment below. We will work together to solve them.
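The question raised at the start, how to tell on a return visit whether a drive has been changed, comes down to comparing the stored file against a fresh collection. The following is an added example, not code from the original article: the function names, the JSON-plus-SHA-256 file layout and the sample serial are assumptions, and `collect_serials()` needs Windows with the `wmi` package.

```python
import hashlib
import json
from datetime import datetime, timezone

SAMPLE = [(r"\\.\PHYSICALDRIVE0", "WD-CONSTRUCTED01")]  # constructed, not a real serial

def collect_serials():
    """Return [(tag, serial)] from Win32_PhysicalMedia (Windows + wmi package only)."""
    import wmi  # imported here so the other functions load on any platform
    return [(pm.Tag, (pm.SerialNumber or "").strip())
            for pm in wmi.WMI().Win32_PhysicalMedia()]

def save_baseline(drives, path):
    """Write the drive list and a SHA-256 of it; return the digest for the case notes."""
    record = {"collected_utc": datetime.now(timezone.utc).isoformat(),
              "drives": sorted(list(d) for d in drives)}
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    with open(path, "w") as fh:  # 'with' closes the file even if an error occurs
        fh.write(body + "\n" + digest + "\n")
    return digest

def load_baseline(path):
    """Read a baseline back as {tag: serial}; refuse it if the digest no longer matches."""
    with open(path) as fh:
        body, digest = fh.read().splitlines()[:2]
    if hashlib.sha256(body.encode("utf-8")).hexdigest() != digest:
        raise ValueError("baseline file changed since it was written")
    return {tag: serial for tag, serial in json.loads(body)["drives"]}

def compare(baseline, drives):
    """Report drive tags that disappeared, appeared, or now show a different serial."""
    now = dict(drives)
    return {"missing": sorted(t for t in baseline if t not in now),
            "added": sorted(t for t in now if t not in baseline),
            "changed": sorted(t for t in baseline
                              if t in now and now[t] != baseline[t])}

if __name__ == "__main__":
    try:
        drives = collect_serials()
    except ImportError:  # wmi not installed or not on Windows: use the sample
        drives = SAMPLE
    print("digest for case notes:", save_baseline(drives, "HDserial.txt"))
    print(compare(load_baseline("HDserial.txt"), drives))
```

Because the digest sits in the same file as the data, it only catches accidental or careless edits; write the printed digest into your notes so a rewritten file can still be detected.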

Until next time, happy coding! See you in number four, so stay tuned!

Author - Emory Casey Mullis has been in Law Enforcement for roughly 20 plus years, including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and / or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” Those were my humble beginnings as a Cyber Investigator. Now, with many Cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!


NetworkDataPedia © 2018-2020