Sunday, April 27, 2014

Basic XMount Use


The xmount command is not installed on Ubuntu by default but can be obtained from the repository.

$ xmount
The program 'xmount' is currently not installed. You can install it by typing:
sudo apt-get install xmount
$ sudo apt-get install xmount

There are a couple of commands that will help you when you aren't sure if you have a piece of software installed.  You can just run the command and see what happens like I did above, but it may be more helpful to run it with the -V option to show the version (this does not work with xmount but does with many other Linux commands), or you can run the which command followed by the command name to determine where it is installed.

$ which xmount
/usr/bin/xmount
$ mmls -V
The Sleuth Kit ver 4.1.3

So let's get into xmount.  In this example xmount will take the place of the ewfmount command.

$ xmount --in ewf nps-2008-jean.E?? /E01Mnt/RAW/
$ ls /E01Mnt/RAW/
nps-2008-jean.dd  nps-2008-jean.info

Let's break this down.  We have to tell xmount which input type we are using (--in ewf).  Xmount can work with ewf, dd (raw), and aff (Advanced Forensic Format) image types.  We also need to be sure that the tool is including all of the E01 files.  In the Linux shell a ? is a wildcard that matches any single character, so E?? picks up both the E01 and E02 files and loads them together.  Finally we need to provide a mount point for the raw data to be placed.  After mounting the file I used the ls command to show the files in that location.  Unlike the ewfmount command, we have two files.  The nps-2008-jean.dd file is the raw data (exactly like the ewf1 file when using ewfmount) and we also have a .info file.

$ cat /E01Mnt/RAW/nps-2008-jean.info 
The following values have been extracted from the mounted image file:

Description: Jean's hard drive from the first M57 project
Examiner: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 16:38:29 2011
System date: Mon Jan 31 16:38:29 2011
Acquiry os: Darwin
Acquiry sw version: 20101104

MD5 hash: 78a52b5bac78f4e711607707ac0e3f93

The cat command just pushes the data from the .info file to the terminal.  We can see some interesting information about the file like the MD5 hash and acquisition date and time.  We also see some notes made by the examiner that acquired the image.  We can verify the raw data is the same as the original by using the md5sum command like this:

$ md5sum /E01Mnt/RAW/nps-2008-jean.dd

78a52b5bac78f4e711607707ac0e3f93  /E01Mnt/RAW/nps-2008-jean.dd

I know some of this is review so let's move on.  We now know that the actual data is the same data captured during the acquisition and, like ewfmount, the next step is to mount the volume we wish to review.  Let's take a look at the volumes in the image before we try to mount anything.

$ mmls /E01Mnt/RAW/nps-2008-jean.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated

We can see here that the NTFS volume starts at sector offset 63.  We will mount this exactly as we mounted it before except pointing to the .dd file rather than ewf1.

$ sudo mount -o ro,loop,offset=$((63*512)) /E01Mnt/RAW/nps-2008-jean.dd /E01Mnt/V1

We have successfully mounted the volume as read only in the /E01Mnt/V1 directory.  We can navigate there and see the contents of the volume in any manner that we prefer.


This just provides us an alternative to using the ewfmount command.  Xmount is a very capable tool and can give us some other great features.  Xmount can output the E01 file as vdi (Virtualbox's Disk Image file type), which can then be mounted as a Virtual Machine.  I will be posting a blog on how to do this at a later time.

Xmount can also use a cache file.  This allows the image to remain read only but appear to be read-write capable.  John Lehr has written an excellent post using xmount to repair damaged ext4 based file systems on images of evidence.  You can find that post here.

That's all for now.

The Master File Table - Part 1


The New Technology File System (or NTFS) is a file system developed by Microsoft and has been the primary file system used by Microsoft Windows for quite some time.  There are many files that are used to track metadata in the NTFS file system.  One tool that the Sleuth Kit provides for us is the istat command.  This command provides us with some really fantastic metadata information.  But before we do that let's use the mmls command and take a look at our partitions.

$ mmls nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated

Remember, when working with the Sleuth Kit file based commands we need to point our commands to the correct partition and inode number.  So let's look at this istat command.

$ istat -o63 nps-2008-jean.E01 4577
MFT Entry Header Values:
Entry: 4577        Sequence: 1
$LogFile Sequence Number: 20517559
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 279  (S-1-5-32-544)
Created: 2008-05-13 18:21:17 (EDT)
File Modified: 2008-05-13 18:21:17 (EDT)
MFT Modified: 2008-05-13 18:21:17 (EDT)
Accessed: 2008-05-13 18:21:17 (EDT)

$FILE_NAME Attribute Values:
Flags: Archive
Name: mdmati.PNF
Parent MFT Entry: 45 Sequence: 1
Allocated Size: 0   Actual Size: 0
Created: 2008-05-13 18:21:17 (EDT)
File Modified: 2008-05-13 18:21:17 (EDT)
MFT Modified: 2008-05-13 18:21:17 (EDT)
Accessed: 2008-05-13 18:21:17 (EDT)

Attributes: 
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 86
Type: $DATA (128-3)   Name: N/A   Non-Resident   size: 77752  init_size: 77752
1227963 1227964 1227965 1227966 1227967 1227968 1227969 1227970 
1227971 1227972 1227973 1227974 1227975 1227976 1227977 1227978 
1227979 1227980 1227981 

We can see that the istat command is used with an image offset of 63 bytes, pointing to our NTFS partition, and inode number 4577.  So where does this command get this information from?  This information is being pulled from the system file $MFT.  MFT stands for Master File Table.  The MFT is a file which stores its data in a RAW form.  We are going to look at this raw data in my next post but let's prepare our system first.

Hexadecimal, or hex, is a common way to review stored data and is how we will be reviewing the Master File Table.  I have written a blog post on what hex is here.  Let's prepare a file that we can easily access with a hex editor or viewer later on.

$ icat -o63 nps-2008-jean.E01 0 > mft.raw

We have just created a file called mft.raw that is a copy of the $MFT from our E01 file which we can review with a hex editor.  We have used hd in the past but let's use something a little more powerful.

$ sudo apt-get install ghex

Alright, we have prepared our system to review the copy of the $MFT that we created.  I am not going to get into manually parsing this right now, but if you are interested in viewing the contents of this file now you can use the following command:

$ ghex mft.raw

We will review this further in the next post.  Until next time, ENJOY!

Wednesday, April 23, 2014

Need to see the Pictures, hear the Music, and watch the Videos?


The other posts have mostly discussed metadata (data about the data).  Yeah, you could use icat to output the text of a text file or something similar, but how do you see the files the way we are used to seeing them?  There are a few ways to do this but for this post I am going to talk about mounting a volume and browsing the files.

Before we start throwing out commands let's talk about how this is going to work.  First, you will need to have root access on the machine you are using (the sudo command is commonly used to gain temporary superuser status).  This is going to be necessary when we begin using the mount command.  Next let's make a few directories.  I am going to make these directories in the ROOT ("/") directory of the volume.  To do this we will use the Linux mkdir command like this:

$ cd /
$ sudo mkdir E01Mnt
$ ls
bin    dev     home            lib    lost+found  opt   run   sys  var
boot   E01Mnt  initrd.img      lib32  media       proc  sbin  tmp  vmlinuz
cdrom  etc     initrd.img.old  lib64  mnt         root  srv   usr  vmlinuz.old

You can see we used the cd command to change to the ROOT directory.  Then created our directory with the mkdir command and listed our files in our ROOT directory with the ls command (that's an LS not a 1S).

Now we need to create some directories in the /E01Mnt directory like this:

$ cd E01Mnt/
$ sudo mkdir V1 V2 V3 V4 V5
$ sudo mkdir RAW
$ ls
RAW  V1  V2  V3  V4  V5

Finally, we will need to make sure that we have permission to access these files.  For the purposes of this example I am going to be very lenient with the permissions.  If you have multiple people accessing your computer you may want to do some research and see what permission options will be best for your situation:

$ cd /

We changed back to the ROOT directory.

$ sudo chmod -R 777 /E01Mnt/
$ ls -Rl /E01Mnt/
/E01Mnt/:
total 24
drwxrwxrwx 2 root root 4096 Apr 23 18:28 RAW
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V1
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V2
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V3
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V4
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V5

/E01Mnt/RAW:
total 0

/E01Mnt/V1:
total 0

/E01Mnt/V2:
total 0

/E01Mnt/V3:
total 0

/E01Mnt/V4:
total 0

/E01Mnt/V5:
total 0

Using the chmod command with the -R (for recursive) option we can change the permission of all of the newly created directories at once.  We have changed the permission of each directory allowing all users and groups to have rwx (read, write, and execute) capabilities.  Now that we have the directories with the correct permissions we can proceed.  But first, a little explanation of what we are going to do.

Remember when we talked about creating an Expert Witness Format (E01) disk image?  The E01 file acts as a container for the raw data.  The container stores the raw data along with check-sums and information about when and how the E01 file was created.  So the first thing we will need to do is expose the RAW data that is inside of the container.  To do this we are going to need to have the libewf package installed.  The libewf package can be downloaded here and instructions for the installation can be found here.  Now:

$ ewfmount nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227

fusermount: failed to open /etc/fuse.conf: Permission denied

The first time you run this you will see this error.  Once again we are having a permission issue.  To fix this we will need to:

$ sudo chmod 755 /etc/fuse.conf
$ sudo gedit /etc/fuse.conf

The gedit command should open the fuse.conf file in a text editor (for those of you who are using Ubuntu; if you are using another OS you can use your default text editor to make these changes).  Please change "#user_allow_other" to "user_allow_other" and save the file.  Now we've adjusted FUSE to our liking.  Next:

$ sudo umount /E01Mnt/RAW
$ ewfmount -X allow_root nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227

Using the ewfmount command we have just exposed the raw data from the container.  That data has been placed in the /E01Mnt/RAW/ directory.

$ ls -l /E01Mnt/RAW/
total 0

-r--r--r-- 1 root root 10737418240 Apr 23 19:03 ewf1

We can still run our standard Sleuth Kit commands against it like this:

$ mmls -B /E01Mnt/RAW/ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated
$ img_stat nps-2008-jean.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: ewf

Size of data in bytes: 10737418240
MD5 hash of data: 78a52b5bac78f4e711607707ac0e3f93
$ md5sum /E01Mnt/RAW/ewf1
78a52b5bac78f4e711607707ac0e3f93  /E01Mnt/RAW/ewf1

I also decided to show you that the RAW data at /E01Mnt/RAW/ewf1 matches the data in the E01 file.  So the next step requires mounting the volume and viewing the contents of the volume.  With this file we have only one volume.  That volume starts at sector 63 and is an NTFS volume.  To mount this volume we will use the Linux mount command like this:

$ sudo mount -o ro,loop,offset=$((63*512)) /E01Mnt/RAW/ewf1 /E01Mnt/V1

The option -o ro makes the mount READ ONLY (so you don't corrupt the original data). offset=$((63*512)) indicates that the volume begins at 32256 bytes.  We used the shell's $(( )) arithmetic expansion to do the math for us but the command could have looked like this:

$ sudo mount -o ro,loop,offset=32256 /E01Mnt/RAW/ewf1 /E01Mnt/V1

So how do we know we were successful?  We can use the standard Linux ls command to see if the mount was successful.

$ ls /E01Mnt/V1
AUTOEXEC.BAT            IO.SYS        ntldr          System Volume Information
boot.ini                IPH.PH        pagefile.sys   WINDOWS
CONFIG.SYS              MSDOS.SYS     Program Files
Documents and Settings  NTDETECT.COM  RECYCLER

Success is ours.  If you look at your file manager you should be able to see the volume and files at /E01Mnt/V1
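The verify-then-mount sequence from this post and from Basic XMount Use, as an added example (not the author's code): it checks that the raw file still hashes to the recorded MD5, then turns the mmls table into read-only mount commands. The function names are made up for illustration, the V1..Vn layout follows the directories created above, and sizelimit= is an extra loop option from mount(8) that the posts do not use.

```shell
#!/bin/sh
# Added example, not from the original posts. It mounts nothing itself:
# the mount commands are printed so they can be reviewed before use.

# recorded_md5 FILE
# Extract the acquisition hash from an xmount .info file ("MD5 hash: ...")
# or from saved img_stat output ("MD5 hash of data: ...").
recorded_md5() {
    sed -n 's/^MD5 hash[^:]*: *\([0-9A-Fa-f]\{32\}\).*$/\1/p' "$1" |
        head -n 1 | tr 'A-F' 'a-f'
}

# verify_raw INFO_FILE RAW_FILE
# Return 0 only when the exposed raw data hashes to the recorded value.
verify_raw() {
    want=$(recorded_md5 "$1")
    [ -n "$want" ] || { echo "no MD5 recorded in $1" >&2; return 2; }
    have=$(md5sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ] || {
        echo "MD5 mismatch: recorded $want, computed $have" >&2
        return 1
    }
}

# mmls_mount_cmds RAW_FILE MOUNT_BASE   (mmls output on stdin)
# Print one read-only loop mount command per allocated partition row.
mmls_mount_cmds() {
    awk -v img="$1" -v base="$2" '
        BEGIN { secsz = 512 }
        # "Units are in 512-byte sectors" carries the sector size.
        /^Units are in [0-9]+-byte sectors/ {
            split($4, u, "-"); secsz = u[1] + 0; next
        }
        # Allocated rows have a table:slot pair such as 00:00 in column 2;
        # Meta and ----- (unallocated) rows are skipped.
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            n++
            # offset = start sector in bytes, sizelimit = length in bytes,
            # so the loop device ends where the partition ends.
            printf "sudo mount -o ro,loop,offset=%.0f,sizelimit=%.0f %s %s/V%d\n",
                   $3 * secsz, $5 * secsz, img, base, n
        }
    '
}

# The mmls table shown in these posts, embedded so the example runs offline.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated
EOF
}

# Dry run on the sample table. Against real evidence the chain would be:
#   verify_raw X.info X.dd && mmls X.dd | mmls_mount_cmds X.dd /E01Mnt
sample_mmls | mmls_mount_cmds /E01Mnt/RAW/nps-2008-jean.dd /E01Mnt
```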




If you like looking at the data that way, well that's just dandy but I would recommend an alternative.  I use XNViewMP.  It looks like this.



With XNView you can view images and access videos more quickly (and on systems with higher performance you can choose to "View All" data from a directory all at once -- Essentially it has recursive capabilities).  It also shows file metadata and EXIF data if applicable.

This post is large so I'm going to stop now but keep in mind this is just one of many ways to access the data.  ewfmount can be replaced with xmount.  With xmount you can also output E01 files as a virtual hard disk (.vhd) file and then the volume can be booted into a virtual machine.  The options here are pretty much limitless so don't get stuck on one thing.  Have fun.

Tuesday, April 22, 2014

File Systems Continued


To continue talking about analyzing file systems with the Sleuth Kit we need to see some of the other commands that you may need.  fsstat provides us with basic information for the file system itself and also shows the system files.  It shows the Volume Serial Number.  This number is generated during the creation of the volume.  It is useful if you need to determine if the volume of a USB thumb drive or external device has ever been connected to a system.

$ fsstat -o63 nps-2008-jean.E01
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 7E745008744FC21F
OEM Name: NTFS    
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 1309293
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 32848
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 2618586
Total Sector Range: 0 - 20948695

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags: 
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags: 
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

Windows stores the serial numbers of volumes that have been connected to the system in the past.  In Windows systems you can locate previously connected volume serial numbers for USB devices in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\.  Sector size may be important when you are dealing with less common file systems or extremely large volumes.
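The serial number, MFT locations and size values that fsstat prints are stored in the NTFS boot sector. As an added example (not from the original post; ntfs_boot_fields and sample_boot_bytes are made-up names), this decodes those fields from hex bytes such as `icat -o63 nps-2008-jean.E01 7 | od -An -v -tx1` would produce. The sample is the first 80 bytes of this image's $Boot file.

```shell
#!/bin/sh
# Added example, not from the original post.

# ntfs_boot_fields   (hex bytes on stdin, e.g. from: od -An -v -tx1)
# Decode the NTFS boot sector fields that fsstat reports as key=value lines.
ntfs_boot_fields() {
    awk '
        function hexval(h,    i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return v
        }
        # Little-endian unsigned integer of len bytes at byte offset off.
        function le(off, len,    i, v) {
            v = 0
            for (i = len - 1; i >= 0; i--) v = v * 256 + hexval(b[off + i])
            return v
        }
        # Record sizes are stored as a cluster count, or as a negative
        # power of two in bytes when the signed byte is below zero.
        function recsize(off, cluster,    c) {
            c = le(off, 1)
            return (c < 128) ? c * cluster : 2 ^ (256 - c)
        }
        # Collect every two-digit hex token as one byte.
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) b[n++] = tolower($i)
        }
        END {
            # Bytes 3..6 of an NTFS boot sector spell "NTFS".
            if (n < 80 || (b[3] b[4] b[5] b[6]) != "4e544653") {
                print "not an NTFS boot sector" > "/dev/stderr"
                exit 1
            }
            secsz = le(11, 2)                 # bytes per sector
            cluster = secsz * le(13, 1)       # sectors per cluster
            serial = ""                       # 8 bytes at 72, shown high byte first
            for (i = 79; i >= 72; i--) serial = serial toupper(b[i])
            printf "sector_size=%d\n", secsz
            printf "cluster_size=%d\n", cluster
            printf "total_sectors=%.0f\n", le(40, 8)
            printf "mft_cluster=%.0f\n", le(48, 8)
            printf "mftmirr_cluster=%.0f\n", le(56, 8)
            printf "mft_entry_size=%d\n", recsize(64, cluster)
            printf "index_record_size=%d\n", recsize(68, cluster)
            printf "volume_serial=%s\n", serial
        }
    '
}

# First 80 bytes of the $Boot file of nps-2008-jean.E01, embedded so the
# example runs without the image.
sample_boot_bytes() {
    cat <<'EOF'
eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00
00 00 00 00 00 f8 00 00 3f 00 ff 00 3f 00 00 00
00 00 00 00 80 00 80 00 d8 a6 3f 01 00 00 00 00
00 00 0c 00 00 00 00 00 6d fa 13 00 00 00 00 00
f6 00 00 00 01 00 00 00 1f c2 4f 74 08 50 74 7e
EOF
}

sample_boot_bytes | ntfs_boot_fields
```

The decoded values line up with the fsstat output above: the serial number, both MFT cluster numbers, the 1024-byte MFT entries and the 4096-byte index records.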

Another great tool is the fiwalk tool.  This tool stands for File Inode Walk and prints out information about the file system and each inode contained in it.  It's important to note that if you use this tool against a large volume (larger than our 10GB file system) it will take quite some time.  Even the small volume we are running this against takes some time (approx. 3.5 minutes).  Below I piped the output of this command to the Linux tee command.  The tee command allows the information to be displayed in the terminal but also be written to a file.  In this case I created a file called fiwalkoutput.data.  This can be reviewed with any text editor but we will work with this file at another time.

$ fiwalk nps-2008-jean.E01 | tee fiwalkoutput.data

Below is another way to do the same thing except you wouldn't see anything in the terminal.

$ fiwalk nps-2008-jean.E01 > fiwalkoutput.data

I am only listing one piece of the output of the fiwalk command to show you what it can do.

parent_inode: 16225
filename: Documents and Settings/Jean/Local Settings/Temporary Internet Files/Content.IE5/20S83G5U/repoffline[9].gif
partition: 1
id: 4988
name_type: r
filesize: 5669
alloc: 1
used: 1
inode: 32282
meta_type: 1
mode: 511
nlink: 2
uid: 0
gid: 0
mtime: 1216358363
mtime_txt: 2008-07-18T05:19:23Z
ctime: 1216358363
ctime_txt: 2008-07-18T05:19:23Z
atime: 1216358363
atime_txt: 2008-07-18T05:19:23Z
crtime: 1216358363
crtime_txt: 2008-07-18T05:19:23Z
seq: 4
md5: 447237bcc728c30e159370ec9f17e5eb
sha1: 6661fcd9cd495a6528a347d66b4371bf17af88ab

So we can see the output here gives us some good information: filename (and path), inode number, file size in bytes, whether the file is allocated or deleted, MD5 and SHA1 hash values, dates, times and parent inode number.  These can all be used to help analyze the file in further detail with other commands.  If you save the output like I did, your system won't have to hash each file in the volume the next time you need to locate some information.  The saved file can be searched later if you are looking for specific hash values or inode numbers.
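One way to search the saved fiwalk output by hash or inode, as an added example (not from the original post). fiwalk_find and sample_fiwalk are made-up names, the code assumes each record starts with a parent_inode line or follows a blank line, and the second sample record is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.

# fiwalk_find KEY VALUE FILE
# Search saved fiwalk text output (use - for stdin) for records whose KEY
# field equals VALUE, ignoring letter case so hashes match either way.
# Prints: inode <TAB> allocated|unallocated <TAB> filename
fiwalk_find() {
    awk -v key="$1" -v val="$2" '
        # Emit the buffered record if it matches, then start a new one.
        function flush() {
            if (n && tolower(rec[key]) == tolower(val))
                printf "%s\t%s\t%s\n", rec["inode"],
                       (rec["alloc"] == "1" ? "allocated" : "unallocated"),
                       rec["filename"]
            split("", rec); n = 0
        }
        /^[ \t]*$/ { flush(); next }
        {
            i = index($0, ": ")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 2)
            # Assumption: parent_inode is the first field of every record.
            if (k == "parent_inode" && n) flush()
            rec[k] = v; n++
        }
        END { flush() }
    ' "$3"
}

# Sample input: the first record is the one shown in the post (shortened to
# the fields used here); the second is constructed to show a deleted file.
sample_fiwalk() {
    cat <<'EOF'
parent_inode: 16225
filename: Documents and Settings/Jean/Local Settings/Temporary Internet Files/Content.IE5/20S83G5U/repoffline[9].gif
partition: 1
id: 4988
filesize: 5669
alloc: 1
inode: 32282
mtime_txt: 2008-07-18T05:19:23Z
md5: 447237bcc728c30e159370ec9f17e5eb
sha1: 6661fcd9cd495a6528a347d66b4371bf17af88ab
parent_inode: 16225
filename: Documents and Settings/Jean/Local Settings/Temp/constructed-example.tmp
partition: 1
id: 4989
filesize: 0
alloc: 0
inode: 99999
md5: d41d8cd98f00b204e9800998ecf8427e
sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
EOF
}

# With the file saved in the post: fiwalk_find md5 <hash> fiwalkoutput.data
sample_fiwalk | fiwalk_find md5 447237bcc728c30e159370ec9f17e5eb -
```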

More importantly, fiwalk has options that will display exif data from images or other metadata that is valuable depending on the type of investigation you are doing.  To learn more about metadata, fiwalk, and other information you may want to look at this document.

That's enough for tonight.  Leave a comment.

Friday, April 18, 2014

File System Overview


$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated

In the last post we looked at the two unallocated spaces immediately preceding and following the 9GB NTFS partition located in slot 02.  Now we are going to look at the NTFS partition itself.  We want to see the contents of the NTFS file system.  Using the fls command we can see the contents of the root directory of the NTFS file system like so:

$ fls -o63 nps-2008-jean.E01
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-144-17: $Secure:$SDH
r/r 9-144-16: $Secure:$SII
r/r 9-128-18: $Secure:$SDS
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 7451-128-1: AUTOEXEC.BAT
r/r 3513-128-3: boot.ini
r/r 7450-128-1: CONFIG.SYS
d/d 3519-144-6: Documents and Settings
r/r 7452-128-1: IO.SYS
r/r 27624-128-3: IPH.PH
r/r 7453-128-1: MSDOS.SYS
r/r 3485-128-3: NTDETECT.COM
r/r 3481-128-3: ntldr
r/r 27-128-1: pagefile.sys
d/d 3999-144-6: Program Files
d/d 23827-144-1: RECYCLER
d/d 3522-144-6: System Volume Information
d/d 28-144-6: WINDOWS
d/d 32848: $OrphanFiles

The only option we are using with the fls command is the -o option for offset.  The NTFS partition's starting offset is sector 63 as we saw earlier with the mmls command.  The output shows us a few things including some files we would expect to see in a Windows XP root directory along with some that (if you are unfamiliar with forensics) we may not expect to see.  The files we do not expect to see are the files that begin with the $.  That is because these files are hidden SYSTEM files that are important to the system's ability to function.

The first file we want to look at is the $Boot file.  This file contains the Volume Boot Record for this NTFS partition.  Let's see if we can find it.  Taking a closer look at the output from the fls command we can see some additional information about each file.

r/r 7-128-1: $Boot

The r/r and d/d is an indicator of whether we are looking at a Regular File listing or a Directory listing.  There are a few other options for this output but they are not going to be relevant for what we are discussing at this time.

r/r 7-128-1: $Boot

The 7 is the $MFT (Master File Table) inode number for tracking the file.  This will come in handy when analyzing the files later in the examination.  The numbers will be discussed in a future post.  These numbers as a whole are called the "Metadata Address."

r/r 7-128-1: $Boot

And this is obviously the file name.  Once again the most important thing we can glean from this is the inode number.  Using the inode number we can analyze the file itself.  Because the $Boot file is a system file containing data that can only be viewed properly in hex, we can use the icat command, the inode number, and the hd hex editor to view the data.

$ icat -o63 nps-2008-jean.E01 7 | hd
00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 3f 00 00 00  |........?...?...|
00000020  00 00 00 00 80 00 80 00  d8 a6 3f 01 00 00 00 00  |..........?.....|
00000030  00 00 0c 00 00 00 00 00  6d fa 13 00 00 00 00 00  |........m.......|
00000040  f6 00 00 00 01 00 00 00  1f c2 4f 74 08 50 74 7e  |..........Ot.Pt~|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb b8 c0 07  |.....3.....|....|
00000060  8e d8 e8 16 00 b8 00 0d  8e c0 33 db c6 06 0e 00  |..........3.....|
00000070  10 e8 53 00 68 00 0d 68  6a 02 cb 8a 16 24 00 b4  |..S.h..hj....$..|
00000080  08 cd 13 73 05 b9 ff ff  8a f1 66 0f b6 c6 40 66  |...s......f...@f|
00000090  0f b6 d1 80 e2 3f f7 e2  86 cd c0 ed 06 41 66 0f  |.....?.......Af.|
000000a0  b7 c9 66 f7 e1 66 a3 20  00 c3 b4 41 bb aa 55 8a  |..f..f. ...A..U.|
000000b0  16 24 00 cd 13 72 0f 81  fb 55 aa 75 09 f6 c1 01  |.$...r...U.u....|
000000c0  74 04 fe 06 14 00 c3 66  60 1e 06 66 a1 10 00 66  |t......f`..f...f|
000000d0  03 06 1c 00 66 3b 06 20  00 0f 82 3a 00 1e 66 6a  |....f;. ...:..fj|
000000e0  00 66 50 06 53 66 68 10  00 01 00 80 3e 14 00 00  |.fP.Sfh.....>...|
000000f0  0f 85 0c 00 e8 b3 ff 80  3e 14 00 00 0f 84 61 00  |........>.....a.|
00000100  b4 42 8a 16 24 00 16 1f  8b f4 cd 13 66 58 5b 07  |.B..$.......fX[.|
00000110  66 58 66 58 1f eb 2d 66  33 d2 66 0f b7 0e 18 00  |fXfX..-f3.f.....|
00000120  66 f7 f1 fe c2 8a ca 66  8b d0 66 c1 ea 10 f7 36  |f......f..f....6|
00000130  1a 00 86 d6 8a 16 24 00  8a e8 c0 e4 06 0a cc b8  |......$.........|
00000140  01 02 cd 13 0f 82 19 00  8c c0 05 20 00 8e c0 66  |........... ...f|
00000150  ff 06 10 00 ff 0e 0e 00  0f 85 6f ff 07 1f 66 61  |..........o...fa|
00000160  c3 a0 f8 01 e8 09 00 a0  fb 01 e8 03 00 fb eb fe  |................|
00000170  b4 01 8b f0 ac 3c 00 74  09 b4 0e bb 07 00 cd 10  |.....<.t........|
00000180  eb f2 c3 0d 0a 41 20 64  69 73 6b 20 72 65 61 64  |.....A disk read|
00000190  20 65 72 72 6f 72 20 6f  63 63 75 72 72 65 64 00  | error occurred.|
000001a0  0d 0a 4e 54 4c 44 52 20  69 73 20 6d 69 73 73 69  |..NTLDR is missi|
000001b0  6e 67 00 0d 0a 4e 54 4c  44 52 20 69 73 20 63 6f  |ng...NTLDR is co|
000001c0  6d 70 72 65 73 73 65 64  00 0d 0a 50 72 65 73 73  |mpressed...Press|
000001d0  20 43 74 72 6c 2b 41 6c  74 2b 44 65 6c 20 74 6f  | Ctrl+Alt+Del to|
000001e0  20 72 65 73 74 61 72 74  0d 0a 00 00 00 00 00 00  | restart........|
000001f0  00 00 00 00 00 00 00 00  83 a0 b3 c9 00 00 55 aa  |..............U.|
00000200  05 00 4e 00 54 00 4c 00  44 00 52 00 04 00 24 00  |..N.T.L.D.R...$.|
00000210  49 00 33 00 30 00 00 e0  00 00 00 30 00 00 00 00  |I.3.0......0....|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000250  00 00 00 00 00 00 eb 12  90 90 00 00 00 00 00 00  |................|
00000260  00 00 00 00 00 00 00 00  00 00 8c c8 8e d8 c1 e0  |................|
00000270  04 fa 8b e0 fb e8 03 fe  66 0f b7 06 0b 00 66 0f  |........f.....f.|
00000280  b6 1e 0d 00 66 f7 e3 66  a3 4e 02 66 8b 0e 40 00  |....f..f.N.f..@.|
00000290  80 f9 00 0f 8f 0e 00 f6  d9 66 b8 01 00 00 00 66  |.........f.....f|
000002a0  d3 e0 eb 08 90 66 a1 4e  02 66 f7 e1 66 a3 52 02  |.....f.N.f..f.R.|
000002b0  66 0f b7 1e 0b 00 66 33  d2 66 f7 f3 66 a3 56 02  |f.....f3.f..f.V.|
000002c0  e8 71 04 66 8b 0e 4a 02  66 89 0e 22 02 66 03 0e  |.q.f..J.f..".f..|
000002d0  52 02 66 89 0e 26 02 66  03 0e 52 02 66 89 0e 2a  |R.f..&.f..R.f..*|
000002e0  02 66 03 0e 52 02 66 89  0e 3a 02 66 03 0e 52 02  |.f..R.f..:.f..R.|
000002f0  66 89 0e 42 02 66 b8 90  00 00 00 66 8b 0e 22 02  |f..B.f.....f..".|
00000300  e8 5f 09 66 0b c0 0f 84  57 fe 66 a3 2e 02 66 b8  |._.f....W.f...f.|
00000310  a0 00 00 00 66 8b 0e 26  02 e8 46 09 66 a3 32 02  |....f..&..F.f.2.|
00000320  66 b8 b0 00 00 00 66 8b  0e 2a 02 e8 34 09 66 a3  |f.....f..*..4.f.|
00000330  36 02 66 a1 2e 02 66 0b  c0 0f 84 24 fe 67 80 78  |6.f...f....$.g.x|
00000340  08 00 0f 85 1b fe 67 66  8d 50 10 67 03 42 04 67  |......gf.P.g.B.g|
00000350  66 0f b6 48 0c 66 89 0e  62 02 67 66 8b 48 08 66  |f..H.f..b.gf.H.f|
00000360  89 0e 5e 02 66 a1 5e 02  66 0f b7 0e 0b 00 66 33  |..^.f.^.f.....f3|
00000370  d2 66 f7 f1 66 a3 66 02  66 a1 42 02 66 03 06 5e  |.f..f.f.f.B.f..^|
00000380  02 66 a3 46 02 66 83 3e  32 02 00 0f 84 1d 00 66  |.f.F.f.>2......f|
00000390  83 3e 36 02 00 0f 84 c8  fd 66 8b 1e 36 02 1e 07  |.>6......f..6...|
000003a0  66 8b 3e 46 02 66 a1 2a  02 e8 bc 01 66 0f b7 0e  |f.>F.f.*....f...|
000003b0  00 02 66 b8 02 02 00 00  e8 fe 07 66 0b c0 0f 84  |..f........f....|
000003c0  a8 09 67 66 8b 00 1e 07  66 8b 3e 3a 02 e8 31 06  |..gf....f.>:..1.|
000003d0  66 a1 3a 02 66 bb 20 00  00 00 66 b9 00 00 00 00  |f.:.f. ...f.....|
000003e0  66 ba 00 00 00 00 e8 d6  00 66 85 c0 0f 85 23 00  |f........f....#.|
000003f0  66 a1 3a 02 66 bb 80 00  00 00 66 b9 00 00 00 00  |f.:.f.....f.....|
00000400  66 ba 00 00 00 00 e8 b6  00 66 0b c0 0f 85 44 00  |f........f....D.|
00000410  e9 57 09 66 33 d2 66 b9  80 00 00 00 66 a1 3a 02  |.W.f3.f.....f.:.|
00000420  e8 bc 08 66 0b c0 0f 84  40 09 1e 07 66 8b 3e 3a  |...f....@...f.>:|
00000430  02 e8 cd 05 66 a1 3a 02  66 bb 80 00 00 00 66 b9  |....f.:.f.....f.|
00000440  00 00 00 00 66 ba 00 00  00 00 e8 72 00 66 0b c0  |....f......r.f..|
00000450  0f 84 16 09 67 66 0f b7  58 0c 66 81 e3 ff 00 00  |....gf..X.f.....|
00000460  00 0f 85 0b 09 66 8b d8  68 00 20 07 66 2b ff 66  |.....f..h. .f+.f|
00000470  a1 3a 02 e8 f2 00 8a 16  24 00 b8 e8 03 8e c0 8d  |.:......$.......|
00000480  36 0b 00 2b c0 68 00 20  50 cb 06 1e 66 60 66 8b  |6..+.h. P...f`f.|
00000490  da 66 0f b6 0e 0d 00 66  f7 e1 66 a3 10 00 66 8b  |.f.....f..f...f.|
000004a0  c3 66 f7 e1 a3 0e 00 8b  df 83 e3 0f 8c c0 66 c1  |.f............f.|
000004b0  ef 04 03 c7 50 07 e8 0e  fc 66 61 90 1f 07 c3 67  |....P....fa....g|
000004c0  03 40 14 67 66 83 38 ff  0f 84 4c 00 67 66 39 18  |.@.gf.8...L.gf9.|
000004d0  0f 85 33 00 66 0b c9 0f  85 0a 00 67 80 78 09 00  |..3.f......g.x..|
000004e0  0f 85 23 00 c3 67 3a 48  09 0f 85 1a 00 66 8b f0  |..#..g:H.....f..|
000004f0  67 03 70 0a e8 97 06 66  51 1e 07 66 8b fa f3 a7  |g.p....fQ..f....|
00000500  66 59 0f 85 01 00 c3 67  66 83 78 04 00 0f 84 07  |fY.....gf.x.....|
00000510  00 67 66 03 40 04 eb ab  66 2b c0 c3 66 8b f3 e8  |.gf.@...f+..f...|
00000520  6c 06 67 66 03 00 67 f7  40 0c 02 00 0f 85 34 00  |l.gf..g.@.....4.|
00000530  67 66 8d 50 10 67 3a 4a  40 0f 85 18 00 67 66 8d  |gf.P.g:J@....gf.|
00000540  72 42 e8 49 06 66 51 1e  07 66 8b fb f3 a7 66 59  |rB.I.fQ..f....fY|
00000550  0f 85 01 00 c3 67 83 78  08 00 0f 84 06 00 67 03  |.....g.x......g.|
00000560  40 08 eb c2 66 33 c0 c3  67 80 7b 08 00 0f 85 1c  |@...f3..g.{.....|
00000570  00 06 1e 66 60 67 66 8d  53 10 67 66 8b 0a 66 8b  |...f`gf.S.gf..f.|
00000580  f3 67 03 72 04 f3 a4 66  61 90 1f 07 c3 66 50 67  |.g.r...fa....fPg|
00000590  66 8d 53 10 66 85 c0 0f  85 0a 00 67 66 8b 4a 08  |f.S.f......gf.J.|
000005a0  66 41 eb 11 90 67 66 8b  42 18 66 33 d2 66 f7 36  |fA...gf.B.f3.f.6|

What you are actually looking at is the Volume Boot Record for this NTFS volume.  We are also seeing some of the bootstrap code.  If you are interested in parsing out the Volume Boot Record you can go here.
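To read the Volume Boot Record without counting hex offsets, the following Python decodes the fixed NTFS boot sector fields; it is an added example, not code from the original post. The sample sector is constructed for the demo, and start_sector is assumed to be the partition's Start value as reported by mmls.

```python
import struct

def parse_ntfs_vbr(sector: bytes) -> dict:
    """Decode the fixed fields in the first 512 bytes of an NTFS volume."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '; not an NTFS boot sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector signature")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    (hidden,) = struct.unpack_from("<I", sector, 0x1C)
    # 0x28 total sectors, 0x30 $MFT LCN, 0x38 $MFTMirr LCN, 0x40/0x44 sizes, 0x48 serial
    total, mft_lcn, mirr_lcn, rec_raw, idx_raw, serial = struct.unpack_from(
        "<QQQb3xb3xQ", sector, 0x28)
    if bps not in (256, 512, 1024, 2048, 4096) or spc == 0:
        raise ValueError("implausible sector or cluster size")
    cluster = bps * spc
    def unit_size(raw: int) -> int:
        # Positive: a count of clusters. Negative: 2**abs(raw) bytes.
        return raw * cluster if raw > 0 else 1 << -raw
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_byte_offset": mft_lcn * cluster,        # relative to volume start
        "mftmirr_byte_offset": mirr_lcn * cluster,
        "mft_record_size": unit_size(rec_raw),
        "index_record_size": unit_size(idx_raw),
        "serial": f"{serial:016X}",
        "bootstrap": sector[0x54:510],               # the code seen in the dump
    }

def read_vbr(image_path: str, start_sector: int) -> dict:
    """Read the VBR at a partition's first sector (assumed: mmls Start column)."""
    with open(image_path, "rb") as f:
        f.seek(start_sector * 512)
        return parse_ntfs_vbr(f.read(512))

def make_sample() -> bytes:
    """Constructed boot sector for the demo; not bytes from the page's image."""
    s = bytearray(512)
    struct.pack_into("<3s8sHB", s, 0, b"\xeb\x52\x90", b"NTFS    ", 512, 8)
    struct.pack_into("<I", s, 0x1C, 63)
    struct.pack_into("<QQQb3xb3xQ", s, 0x28, 20964761, 786432, 2, -10, 1, 0x1122334455667788)
    s[510:512] = b"\x55\xaa"
    return bytes(s)
```

Against the raw image exposed by xmount, call read_vbr with the .dd path and the NTFS partition's starting sector.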

We will look at some other options for the fls command in future posts.  Enjoy!