All times are UTC - 5 hours [ DST ]




 Post subject: Windows 8 Master Boot Record question
PostPosted: July 25th, 2015, 17:42 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
Attachment: VBR2.jpg [ 370.16 KiB | Viewed 23372 times ]

I have a Master Boot Record question. I have been trying to get a reference chart of the NTFS Master File Table and the Master Boot Record completed in Visio and I ran into an issue. I have posted a screen capture of a Master Boot Record and if you will notice, there is no partition table in it. Whenever I open a forensic image file made with Windows 7 or 8 I get something like this. Can anyone tell me why my Master Boot Record doesn't have the partition table in it?


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 25th, 2015, 18:04 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
You are looking at a Volume Boot Record aka "boot sector", not a "Master Boot Record". You appear to be confusing logical sector 0 with physical sector 0.

See http://thestarman.pcministry.com/asm/mbr/index.html

_________________
A backup a day keeps DR away.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 0:09 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
I would love to see the Visio chart when you are done if you are able to share.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 7:10 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
fzabkar, I go to physical offset 0 in WinHex (or a number of other forensic tools) and this is what I get. From my understanding, the Master Boot Record is supposed to be at physical offset 0 of the image. Am I, for whatever reason, looking in the wrong place? If this is the case, can you suggest how I can more easily get to the Master Boot Record using a hex editor? Thanks.

Jonathan


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 7:26 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
Attachment: FILEHeader.jpg [ 117.92 KiB | Viewed 23326 times ]

HaQue, this is a section of what I am working on. This project will expand as I go, but for right now, I wanted to get some of the primary aspects of NTFS. A few of the values in the FILE Record Header are difficult to define. There are only two textbooks that thoroughly cover this material. One of those is Brian Carrier's "File System Forensics" text and then one from 2007 called "Forensic Computing," by Sammes and Jenkinson. I have found a few discrepancies between these two texts when it came to the FILE record header. Also, some of the available resources on the web seem to either ignore a few of the values altogether or they lump some of them together. I found this to be especially true of the "fixup array" related values. There is no one "go-to" source for this information. You have to do a lot of cross referencing.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 16:27 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
You have given your screenshot the name "VBR2", so that would suggest that you understand the difference between a VBR and an MBR. :?

The following resources explain the structure of a Windows 8 boot record:

http://thestarman.pcministry.com/asm/mbr/W8VBR.htm
http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm

The logical volume begins at physical sector 0x272800 and has a capacity of 0x1C4A3FFF sectors. That's 243GB (= 226GiB).

As for WinHex, I don't use it, so others would be better placed to advise you.

BTW, the following document might be of use to you:
http://web.archive.org/web/201004111026 ... tfsdoc.pdf

_________________
A backup a day keeps DR away.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 17:59 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
fzabkar, I do know the general difference between a Master Boot Record and a Volume Boot Record. My problem is locating the correct record type in a forensic image file using a hex editor. I just get the feeling that somehow I am looking in the wrong place. I know that the Master Boot Record starts at physical offset 0, has a size of 512 bytes, has a BIOS parameter block, and at the bottom there is a partition table. When I go to physical offset 0 in a number of hex editors, I am getting the snapshot of what you saw in the beginning of this thread. Obviously, I am missing a step somewhere so I am not getting to the MBR.

By the way, thanks for the document, I will save that. It looks like a very good reference.

Jonathan


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 26th, 2015, 22:31 

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
It is possible that someone may have cloned a volume only directly to this drive as opposed to cloning an entire drive. People often wrongly clone/image a volume as opposed to the entire drive.
What's the background story on this?

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 4:18 

Joined: July 2nd, 2014, 8:05
Posts: 201
Not all storage devices have an MBR.
If you're working with a portable USB drive (single partition), it may begin with a boot sector; a BIOS parameter block isn't required since it's not a bootable device.

_________________
VISUAL NAND RECONSTRUCTOR. A big revolution in chip-off data recovery


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 6:11 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
Sasha Sheremetov,

"If you're working with a portable USB drive (single partition), it may begin with a boot sector; a BIOS parameter block isn't required since it's not a bootable device."

That was a guess that I had made. I formatted a USB drive and found no MBR. I also used a forensic tool called WinHex to open the C:\ drive of my Toshiba Laptop which has Windows 8.1 on it. WinHex has all of the NTFS metadata files marked so you can go directly to them, e.g. $Bitmap, $MFT, etc. When I went to what was listed as the Master Boot Record for the drive, the snapshot listed in this thread is what I found. I was wondering whether WinHex made a mistake and just linked to the Volume Boot Record, or if there was no MBR at all.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 7:23 

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
You have not answered my initial question, yet, but how do you create these forensic images? What hardware or software do you use? And do you clone the entire device? Just volumes? How do you do this exactly?

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 10:16 

Joined: February 8th, 2014, 8:08
Posts: 456
Location: Eastern Europe /recovering worldwide/
jdude45 wrote:
I have posted a screen capture of a Master Boot Record

You have posted a screenshot of an NTFS superblock.

_________________
• Remote RAID, NAS, SAN, VMware, DVR (CCTV), flash and tape recovery. Data recovery support.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 12:29 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
labtech, I used FTK Imager for one of my experiments. I imaged a thumb drive after I formatted it with NTFS. The screen shot attached to this thread was taken of my laptop C:\ drive (Windows 8.1) after I created a snapshot of it using WinHex. I went to physical offset 0 of the snapshot.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 13:51 

Joined: July 19th, 2015, 10:05
Posts: 24
Location: Florida
labtech, I just re-read your initial post and it occurred to me that when I used WinHex to take a snapshot of the C:\ drive, the viewer was only giving me access to the Volume Boot Record. Can you give me an idea as to how I can get to my hard disk's master boot record using a hex editor?


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 15:01 

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
jdude45 wrote:
labtech, I just re-read your initial post and it occurred to me that when I used WinHex to take a snapshot of the C:\ drive, the viewer was only giving me access to the Volume Boot Record. Can you give me an idea as to how I can get to my hard disk's master boot record using a hex editor?

Ok, good, now we are getting somewhere where it starts making sense.
For any boot drive, the MBR is located at sector 0.

More than likely, the first sector you are looking at in your image is sector 63 on the person's physical drive.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 15:31 

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
Well, the topic is called Windows 8, so then I need to make a correction. It will likely be a GPT based partitioning scheme, so it will not be sector 63.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 16:26 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
jdude45 wrote:
Sasha Sheremetov,

"If you're working with a portable USB drive (single partition), it may begin with a boot sector; a BIOS parameter block isn't required since it's not a bootable device."

That was a guess that I had made. I formatted a USB drive and found no MBR.

Every boot sector requires a BIOS Parameter Block, irrespective of whether the volume is bootable or non-bootable. The BPB contains information that defines the file system and the location of its important components. These include sector size, cluster size, volume size, location of MFT (for NTFS) and size and number of FATs (for FAT file systems).

http://homepage.ntlworld.com./jonathan. ... block.html

A non-bootable volume does not require boot code, either in the MBR or VBR.

A storage device configured as a "super floppy" does not require an MBR or partition table. In such cases the VBR is located in sector 0, i.e. the MBR and VBR are essentially the same. For compatibility purposes, one could add a dummy partition table with a single entry that points to a boot sector at sector 0 rather than the usual 63 or 2048.

Here is such an example:

Akai MPC2000 MIDI / Music Production Centre - analysis of file system:
http://www.hddoracle.com/viewtopic.php?f=59&t=132

Sector 0 is both an MBR and VBR. It contains both a FAT16 BPB and DOS partition table. There is no boot code, only a JMP 00 instruction that executes an infinite loop if you try to boot the drive.

_________________
A backup a day keeps DR away.


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 18:01 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
labtech wrote:
More than likely, the first sector you are looking at in your image is sector 63 on the person's physical drive.

The BPB indicates that the physical sector is 0x272800, not 63 or 2048.

_________________
A backup a day keeps DR away.
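
The distinction discussed in the posts above (MBR versus VBR at offset 0 of an image, and reading the volume's start sector and size from the BPB), as an added example that is not part of any post in this thread. The function names `build_sector` and `classify_sector0` are hypothetical, the sample sectors are constructed, and the sketch only recognises an NTFS boot sector or an MBR-style partition table (a FAT "super floppy" is out of scope).

```python
import struct

def build_sector(oem=b"", hidden=0, total=0, entries=()):
    """Build a constructed 512-byte sample sector (not bytes from the thread's image)."""
    sec = bytearray(512)
    if oem:                                        # BPB fields exist only in a boot sector
        sec[3:11] = oem
        struct.pack_into("<H", sec, 0x0B, 512)     # bytes per sector
        struct.pack_into("<I", sec, 0x1C, hidden)  # hidden sectors = volume start LBA
        struct.pack_into("<Q", sec, 0x28, total)   # total sectors in the volume
    for i, (ptype, start, count) in enumerate(entries):
        # 16-byte entry: boot flag, CHS start, type, CHS end, start LBA, sector count
        struct.pack_into("<B3xB3xII", sec, 0x1BE + 16 * i, 0x00, ptype, start, count)
    sec[510:512] = b"\x55\xaa"                     # signature shared by MBR and VBR
    return bytes(sec)

def classify_sector0(sec):
    """Report whether the first sector of an image is a VBR or an MBR."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return {"kind": "unknown"}
    if sec[3:11] == b"NTFS    ":
        # NTFS boot sector: 0x1BE-0x1FD holds boot code here, not a partition table.
        bps, = struct.unpack_from("<H", sec, 0x0B)
        hidden, = struct.unpack_from("<I", sec, 0x1C)
        total, = struct.unpack_from("<Q", sec, 0x28)
        return {"kind": "NTFS VBR", "hidden_sectors": hidden,
                "total_sectors": total, "capacity_bytes": total * bps}
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sec, 0x1BE + 16 * i)
        if flag not in (0x00, 0x80):               # not a plausible partition entry
            return {"kind": "unknown"}
        if ptype:
            parts.append({"type": ptype, "start_lba": start, "sectors": count})
    if not parts:
        return {"kind": "unknown"}
    kind = "protective MBR (GPT)" if any(p["type"] == 0xEE for p in parts) else "MBR"
    return {"kind": kind, "partitions": parts}

# Constructed samples; the NTFS numbers are the two values quoted in the thread.
VOLUME_IMAGE = build_sector(b"NTFS    ", hidden=0x272800, total=0x1C4A3FFF)
MBR_DISK = build_sector(entries=[(0x07, 2048, 1000000)])
GPT_DISK = build_sector(entries=[(0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, image in (("volume", VOLUME_IMAGE), ("MBR disk", MBR_DISK), ("GPT disk", GPT_DISK)):
        print(name, classify_sector0(image))
```

An "NTFS VBR" result with a non-zero `hidden_sectors` means the image starts at the volume, so the partition table sits that many sectors earlier on the physical disk and is not in the image at all.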


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 18:17 

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
fzabkar wrote:
labtech wrote:
More than likely, the first sector you are looking at in your image is sector 63 on the person's physical drive.

The BPB indicates that the physical sector is 0x272800, not 63 or 2048.

Didn't bother looking, thanks. In most MBR-based drives, C: drive (first volume typically) starts at 63, which is what I was hinting at in my message.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


 
 Post subject: Re: Windows 8 Master Boot Record question
PostPosted: July 30th, 2015, 19:14 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
labtech wrote:
fzabkar wrote:
labtech wrote:
More than likely, the first sector you are looking at in your image is sector 63 on the person's physical drive.

The BPB indicates that the physical sector is 0x272800, not 63 or 2048.

Didn't bother looking, thanks. In most MBR-based drives, C: drive (first volume typically) starts at 63, which is what I was hinting at in my message.

The start sector for MBR based drives was 63 for Windows XP and 2048 for later Windows versions.

_________________
A backup a day keeps DR away.

