Tuesday, April 15, 2014

Continuing With Volumes


We are going to continue where we left off in the last post, so let's look at the partition table for the nps-2008-jean.E01 file again.

$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated

We can see a few things here that may be of importance to us.  One thing to note is that the table is split into four entries, numbered 00 through 03.   Right now we don't know what each entry is, except for the obvious: in slot 02 we have the primary NTFS partition containing the user content.  So let's take a look at the contents of the other slots.  We can do this using the mmcat command.

$ mmcat nps-2008-jean.E01 00 
3��|�PP |� PW�� ��˽�� 8n| u �� ��� ���� It 8,t�������<t���� ���N �Fs*�F �~
 t
  �~
     t��uҀF � �V
�!s��뼁>�}U�t
             �~ tȠ�멋� W��˿�V� r#��$?��ފ�C���цֱ ��B��9V
w#r9s � �|�N �V� sQOtN2��V� ���V`��U�A� r6��U�u0�� t+a`jj�v
�jh|j j �B��� aasOt
                   2��V� ��a��Invalid partition tableError loading operating systemMissing operating system,Dc�9�9� ���?٦? U�

So this output is just raw data and not very friendly.  Where you see the "" you are actually seeing a character that can't be displayed by your terminal.  One thing to note about this command is that the 00 at the end of the command is the slot number.  But we don't want to view the raw data, so let's use the Linux pipe "|" to send the output into a hex editor like this.

$ mmcat nps-2008-jean.E01 00 | hd
00000000  33 c0 8e d0 bc 00 7c fb  50 07 50 1f fc be 1b 7c  |3.....|.P.P....||
00000010  bf 1b 06 50 57 b9 e5 01  f3 a4 cb bd be 07 b1 04  |...PW...........|
00000020  38 6e 00 7c 09 75 13 83  c5 10 e2 f4 cd 18 8b f5  |8n.|.u..........|
00000030  83 c6 10 49 74 19 38 2c  74 f6 a0 b5 07 b4 07 8b  |...It.8,t.......|
00000040  f0 ac 3c 00 74 fc bb 07  00 b4 0e cd 10 eb f2 88  |..<.t...........|
00000050  4e 10 e8 46 00 73 2a fe  46 10 80 7e 04 0b 74 0b  |N..F.s*.F..~..t.|
00000060  80 7e 04 0c 74 05 a0 b6  07 75 d2 80 46 02 06 83  |.~..t....u..F...|
00000070  46 08 06 83 56 0a 00 e8  21 00 73 05 a0 b6 07 eb  |F...V...!.s.....|
00000080  bc 81 3e fe 7d 55 aa 74  0b 80 7e 10 00 74 c8 a0  |..>.}U.t..~..t..|
00000090  b7 07 eb a9 8b fc 1e 57  8b f5 cb bf 05 00 8a 56  |.......W.......V|
000000a0  00 b4 08 cd 13 72 23 8a  c1 24 3f 98 8a de 8a fc  |.....r#..$?.....|
000000b0  43 f7 e3 8b d1 86 d6 b1  06 d2 ee 42 f7 e2 39 56  |C..........B..9V|
000000c0  0a 77 23 72 05 39 46 08  73 1c b8 01 02 bb 00 7c  |.w#r.9F.s......||
000000d0  8b 4e 02 8b 56 00 cd 13  73 51 4f 74 4e 32 e4 8a  |.N..V...sQOtN2..|
000000e0  56 00 cd 13 eb e4 8a 56  00 60 bb aa 55 b4 41 cd  |V......V.`..U.A.|
000000f0  13 72 36 81 fb 55 aa 75  30 f6 c1 01 74 2b 61 60  |.r6..U.u0...t+a`|
00000100  6a 00 6a 00 ff 76 0a ff  76 08 6a 00 68 00 7c 6a  |j.j..v..v.j.h.|j|
00000110  01 6a 10 b4 42 8b f4 cd  13 61 61 73 0e 4f 74 0b  |.j..B....aas.Ot.|
00000120  32 e4 8a 56 00 cd 13 eb  d6 61 f9 c3 49 6e 76 61  |2..V.....a..Inva|
00000130  6c 69 64 20 70 61 72 74  69 74 69 6f 6e 20 74 61  |lid partition ta|
00000140  62 6c 65 00 45 72 72 6f  72 20 6c 6f 61 64 69 6e  |ble.Error loadin|
00000150  67 20 6f 70 65 72 61 74  69 6e 67 20 73 79 73 74  |g operating syst|
00000160  65 6d 00 4d 69 73 73 69  6e 67 20 6f 70 65 72 61  |em.Missing opera|
00000170  74 69 6e 67 20 73 79 73  74 65 6d 00 00 00 00 00  |ting system.....|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 2c 44 63  be 39 bf 39 00 00 80 01  |.....,Dc.9.9....|
000001c0  01 00 07 fe ff ff 3f 00  00 00 d9 a6 3f 01 00 00  |......?.....?...|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200

Congratulations, you just viewed the raw hex for the Master Boot Record of this image file.  When looking at a hex editor, the column on the left is the address: it shows the offset of the first byte of the corresponding line.  The middle section is the raw hex for that line.  You can learn how to interpret raw hex here.  Finally, the section on the right is each byte decoded in ANSI.  

I'm not going to get into the details of manually parsing out the Master Boot Record, but understand that the mmls command we used at the beginning of this post is simply parsing that data out for us.  We know this is the MBR because all Master Boot Records contain the strings "Invalid partition table.Error loading operating system.Missing operating system" at the byte offset of 140.  

It is also important to note that the hd hex editor we are using to view this data collapses repeated data.  A line containing only a * stands for a series of lines identical to the one above it, in this case lines containing only 00.   If you are curious how to parse out an MBR manually you can find that information here.
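To make the connection between the hex dump and the mmls table concrete, here is an added example (not part of the original post and not Sleuth Kit code) that rebuilds the MBR from the non-zero bytes shown above, walks the four 16-byte partition entries at offset 0x1be, and reconstructs the mmls-style slot list including the unallocated gaps. The total sector count is taken from the last mmls line; the small type-code table is an assumption limited to a few well-known codes.

```python
import struct

# Constructed 512-byte MBR reproducing the non-zero bytes of the hd dump above: boot-code
# strings at 0x12c, disk signature at 0x1b8, one partition entry at 0x1be, 0x55AA at 0x1fe.
MBR = bytearray(512)
BOOT_MSGS = (b"Invalid partition table\x00Error loading operating system\x00"
             b"Missing operating system\x00")
MBR[0x12c:0x12c + len(BOOT_MSGS)] = BOOT_MSGS
MBR[0x1b8:0x1bc] = bytes.fromhex("be39bf39")
MBR[0x1be:0x1ce] = bytes.fromhex("80010100 07feffff 3f000000 d9a63f01")
MBR[0x1fe:0x200] = b"\x55\xaa"
TOTAL_SECTORS = 20971520  # from mmls: the last unallocated slot ends at sector 20971519
TYPES = {0x07: "NTFS", 0x0b: "FAT32", 0x83: "Linux"}  # assumed subset of MBR type codes

def has_boot_messages(data):
    """True if the boot-code area carries the error strings the post uses as a fingerprint."""
    return b"Invalid partition table\x00" in data[:0x1be]

def parse_mbr(data):
    """Return the disk signature and the non-empty entries of the 4-slot partition table."""
    if len(data) < 512 or data[0x1fe:0x200] != b"\x55\xaa":
        raise ValueError("0x55AA boot signature missing: not a DOS partition table")
    parts = []
    for slot in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) start-LBA(4) length(4), little-endian
        status, ptype, start, length = struct.unpack_from("<B3xB3xII", data, 0x1be + 16 * slot)
        if ptype and length:
            parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                          "start": start, "end": start + length - 1, "length": length})
    return {"disk_signature": struct.unpack_from("<I", data, 0x1b8)[0], "partitions": parts}

def layout(data, total_sectors):
    """Rebuild the mmls view: table sector, each partition, and the unallocated gaps."""
    rows = [("Meta", 0, 0, "Primary Table (#0)")]
    cursor = 0
    for e in sorted(parse_mbr(data)["partitions"], key=lambda e: e["start"]):
        if e["start"] > cursor:  # gap before this partition, e.g. sectors 0-62 here
            rows.append(("-----", cursor, e["start"] - 1, "Unallocated"))
        desc = f"{TYPES.get(e['type'], 'Unknown')} (0x{e['type']:02x})"
        rows.append((f"00:{e['slot']:02d}", e["start"], e["end"], desc))
        cursor = e["end"] + 1
    if cursor < total_sectors:  # trailing gap after the last partition
        rows.append(("-----", cursor, total_sectors - 1, "Unallocated"))
    return rows

if __name__ == "__main__":
    print("disk signature 0x%08x" % parse_mbr(MBR)["disk_signature"])
    for i, (slot, start, end, desc) in enumerate(layout(MBR, TOTAL_SECTORS)):
        print(f"{i:02d}:  {slot:5}  {start:010d}  {end:010d}  {end - start + 1:010d}  {desc}")
```

Run against a real 512-byte sector read with mmcat, the same functions give the slot list mmls prints, which is a useful cross-check when a tool's output looks suspicious.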

Now let's take a quick look at the two unallocated slots to see whether there is any data in these void spaces not used by the MBR or the NTFS file system.

$ mmcat nps-2008-jean.E01 01 | hd
00000000  33 c0 8e d0 bc 00 7c fb  50 07 50 1f fc be 1b 7c  |3.....|.P.P....||
00000010  bf 1b 06 50 57 b9 e5 01  f3 a4 cb bd be 07 b1 04  |...PW...........|
00000020  38 6e 00 7c 09 75 13 83  c5 10 e2 f4 cd 18 8b f5  |8n.|.u..........|
00000030  83 c6 10 49 74 19 38 2c  74 f6 a0 b5 07 b4 07 8b  |...It.8,t.......|
00000040  f0 ac 3c 00 74 fc bb 07  00 b4 0e cd 10 eb f2 88  |..<.t...........|
00000050  4e 10 e8 46 00 73 2a fe  46 10 80 7e 04 0b 74 0b  |N..F.s*.F..~..t.|
00000060  80 7e 04 0c 74 05 a0 b6  07 75 d2 80 46 02 06 83  |.~..t....u..F...|
00000070  46 08 06 83 56 0a 00 e8  21 00 73 05 a0 b6 07 eb  |F...V...!.s.....|
00000080  bc 81 3e fe 7d 55 aa 74  0b 80 7e 10 00 74 c8 a0  |..>.}U.t..~..t..|
00000090  b7 07 eb a9 8b fc 1e 57  8b f5 cb bf 05 00 8a 56  |.......W.......V|
000000a0  00 b4 08 cd 13 72 23 8a  c1 24 3f 98 8a de 8a fc  |.....r#..$?.....|
000000b0  43 f7 e3 8b d1 86 d6 b1  06 d2 ee 42 f7 e2 39 56  |C..........B..9V|
000000c0  0a 77 23 72 05 39 46 08  73 1c b8 01 02 bb 00 7c  |.w#r.9F.s......||
000000d0  8b 4e 02 8b 56 00 cd 13  73 51 4f 74 4e 32 e4 8a  |.N..V...sQOtN2..|
000000e0  56 00 cd 13 eb e4 8a 56  00 60 bb aa 55 b4 41 cd  |V......V.`..U.A.|
000000f0  13 72 36 81 fb 55 aa 75  30 f6 c1 01 74 2b 61 60  |.r6..U.u0...t+a`|
00000100  6a 00 6a 00 ff 76 0a ff  76 08 6a 00 68 00 7c 6a  |j.j..v..v.j.h.|j|
00000110  01 6a 10 b4 42 8b f4 cd  13 61 61 73 0e 4f 74 0b  |.j..B....aas.Ot.|
00000120  32 e4 8a 56 00 cd 13 eb  d6 61 f9 c3 49 6e 76 61  |2..V.....a..Inva|
00000130  6c 69 64 20 70 61 72 74  69 74 69 6f 6e 20 74 61  |lid partition ta|
00000140  62 6c 65 00 45 72 72 6f  72 20 6c 6f 61 64 69 6e  |ble.Error loadin|
00000150  67 20 6f 70 65 72 61 74  69 6e 67 20 73 79 73 74  |g operating syst|
00000160  65 6d 00 4d 69 73 73 69  6e 67 20 6f 70 65 72 61  |em.Missing opera|
00000170  74 69 6e 67 20 73 79 73  74 65 6d 00 00 00 00 00  |ting system.....|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001b0  00 00 00 00 00 2c 44 63  be 39 bf 39 00 00 80 01  |.....,Dc.9.9....|
000001c0  01 00 07 fe ff ff 3f 00  00 00 d9 a6 3f 01 00 00  |......?.....?...|
000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00007e00

Why do we have a repeat of the MBR here?  It's not actually a repeat.  If you go back up to the top of this post and look at the output from our mmls command, you can see that 00 and 01 both start at sector 0, and that 00 is only 512 bytes (or 1 sector) in length while 01 starts at sector 0 and ends at sector 63, making 64 sectors (or 512x64 bytes = 32768 bytes).  We can see that other than the initial 512 bytes this section contains only zeros.  Let's check the final slot (also listed as unallocated).

$ mmcat nps-2008-jean.E01 03 | hd
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00b1d000

So, once again we can see that this entire slot is essentially filled with zeros.  We can now conclude that these two unallocated sections do not contain any extra or hidden data that we would need to dig out (with a data carving utility like Foremost, but that will have to be another post).

More later.
