How can I possibly try to out-do the great diary Rob posted? I can't so I'm not even going to try. Instead, and because it's been sl .. err, qu ... err ... not particularly eventful, not that we're superstitious or anything, here is a quick forensic challenge for everyone. The first person to correctly identify this and tell me the three things that are wrong will win fame, fortune, the undying admiration of everyone who visits us and, best of all .. an ISC sticker! ;)
Christopher Carboni - Handler On Duty - isc dot chris at gmail dot com
Chris 140 Posts Sep 23rd 2010
To get people started: it is an NTFS partition boot sector :)
Anonymous
Sep 23rd 2010
It's the contents from the MBR
Anonymous
Sep 23rd 2010
It's either compressed, corrupted or infected or all 3 :p
Anonymous
Sep 23rd 2010
A disk read error occurred
BOOTMGR is missing
BOOTMGR is compressed
Press Ctrl+Alt+Del to restart
Anonymous
Sep 23rd 2010
For one thing it looks like the MBR signature is missing...
Joe 2 Posts
Sep 23rd 2010
it can be a:
1) multiple os mbr problem
2) mbr sector hardware failure
3) rootkit on mbr
Joe 2 Posts
Sep 23rd 2010
to save some time I bet you could load this into encase and bookmark the area as an MBR to parse the data.. that is if one had the time to do anything ;)
Joe 2 Posts
Sep 23rd 2010
As has been mentioned it is an NTFS boot sector.
There appears to be some corruption starting around 0x1bf. Sectors per track seems odd as does the number of heads.
Anonymous
Sep 23rd 2010
You're going to get this in bits and pieces.
There is supposed to be something besides \x00's at 0000001F8, for example: 80 9d b2 ca 00 00 55 aa
-- manichattan
Anonymous
Sep 23rd 2010
change in two bytes in bootstrap code at offsets 0x56 & 0x57
so it becomes:
cli
xor bx, bx
rcl ax, cl
instead of:
cli
xor ax, ax
mov ss, ax
this leaves 3 registers to be unknown:
1. ss is unknown (we want it zeroed, so that Stack Pointer would be 0000:7C00)
2. ax (al)
3. cf (rcl affects carry flag)
Anonymous
Sep 23rd 2010
It is a Microsoft ntfs volume boot record.
Missing are:
- Magic bytes AA55h at 01FE
- Message Offset bytes at 01F8: eg. 83 A0 B3 C9
- bytes at 001C to reserve sectors
Anonymous
Sep 23rd 2010
instead of saying "BOOTMGR is compressed" it says "BOOTMGR is res comsed" with the alterations starting at 0000001BF as @fs2 said above.
-- manichattan
Anonymous
Sep 23rd 2010
heh! just realized i mixed up binaries... and ended up adding incorrect comment. please ignore.
Anonymous
Sep 23rd 2010
and I confused \x20 with \x02. instead of a space character, there is a "start of text" character. "res\x02comsed" ???
-- manichattan
Anonymous
Sep 23rd 2010
If this is the first sector of the drive, then that is the problem itself. The first sector should include this:
00000180 fe 47 52 55 42 20 00 47 65 6f 6d 00 48 61 72 64 |.GRUB .Geom.Hard|
;)
Anonymous
Sep 24th 2010
It's an ntfs mbr dump with the missing magic bytes 0x55 0xaa at the end. The words at offset 0x18 and offset 0x1a, which represent the number of Sectors Per Track and the Number Of Heads respectively, must be 0x3f00 and 0xff00 as in fat16 and fat32 volumes.
Additionally, the dword at offset 0x1c represents the number of Hidden Sectors and is generally different from 0x00000000 as in the dump (0x00b05301 on win7 for me, but generally 0x00000800) unless the disk where the dump is from isn't partitioned at all (according to ms specs). Finally the four bytes located at offset 0x1f8 to 0x1fc must be different from 0x00. They are offsets used by the code in the bootstrap to locate the error string messages to be displayed when nasty things happen, like in the following code snippet from the disassembled bootstrap code in the dump:

seg000:7D5F loc_7D5F:                    ; CODE XREF: seg000:loc_7C8Aj
seg000:7D5F                              ; sub_7D12+33j
seg000:7D5F     mov al, ds:1F8h
seg000:7D62     call sub_7D6D
seg000:7D65     mov al, ds:1FBh
seg000:7D68     call sub_7D6D

At ds:1F8h should be the offset to the zero-terminated string which will be displayed by the sub_7D6D subroutine using the int 0x10 interrupt (bios handled interrupt to print characters on the screen):

seg000:7D6D sub_7D6D proc near           ; CODE XREF: sub_7D12+50p
seg000:7D6D                              ; sub_7D12+56p
seg000:7D6D     mov ah, 1
seg000:7D6F     mov si, ax
seg000:7D71 loc_7D71:                    ; CODE XREF: sub_7D6D+10j
seg000:7D71     lodsb
seg000:7D72     cmp al, 0
seg000:7D74     jz short locret_7D7F
seg000:7D76     mov ah, 0Eh
seg000:7D78     mov bx, 7
seg000:7D7B     int 10h                  ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE)
seg000:7D7B                              ; AL = character, BH = display page (alpha modes)
seg000:7D7B                              ; BL = foreground color (graphics modes)
seg000:7D7D     jmp short loc_7D71
seg000:7D7F ; ---------------------------------------------------------------------------
seg000:7D7F locret_7D7F:                 ; CODE XREF: sub_7D6D+7j
seg000:7D7F     retn
seg000:7D7F sub_7D6D endp

- teach
Anonymous
Sep 24th 2010
fat converted to NTFS ?
Anonymous
Sep 24th 2010
0x18h 1 sector per track
0x1Ah 1 head
0x28h 0xFFFDFF0000000000h Total sectors
There is only one sector per track, so with the total sectors that means a lot of tracks. And there is only 1 head. That is a big platter.
The text starting at 0x1BFh and ending at 0x1C5h is changed and should be 0x636F6D70726573h (ASCII text: compres).
0x1F8h through 0x1FBh does not contain a first partition entry
Anonymous
Sep 24th 2010
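The checks teach's post and the post just above walk through by hand (boot signature at 0x1FE, sectors per track and heads at 0x18/0x1A, hidden sectors at 0x1C, the message offset bytes at 0x1F8..0x1FB and the text they point at) can be automated. The script below is an added example, not code from the thread or from ISC. It assumes the published NTFS BIOS Parameter Block offsets, Vista/7-style bootmgr message wording, and a constructed 512-byte sample sector that it builds itself (no real dump is read); it then applies the same kinds of damage the thread reports and lists what a checker flags.

```python
import struct

SECTOR = 512

# Expected values for a Microsoft-formatted NTFS volume boot record (VBR).
# Offsets follow the published NTFS BIOS Parameter Block layout.
EXPECTED_OEM = b"NTFS    "
EXPECTED_SPT = 0x3F           # word at 0x18: sectors per track
EXPECTED_HEADS = 0xFF         # word at 0x1A: number of heads
BOOT_SIGNATURE = b"\x55\xAA"  # bytes at 0x1FE..0x1FF

# Error strings the Vista/7-style bootstrap prints via INT 10h (assumed wording).
# The low address byte of each string sits at 0x1F8..0x1FB; the bootstrap loads it
# into AL, sets AH = 1 and uses SI = 0x01xx, so each string lives at 0x100 + byte.
ERROR_STRINGS = [
    b"\r\nA disk read error occurred",
    b"\r\nBOOTMGR is missing",
    b"\r\nBOOTMGR is compressed",
    b"\r\nPress Ctrl+Alt+Del to restart\r\n",
]


def build_sample_vbr(hidden_sectors: int = 0x800) -> bytearray:
    """Constructed, minimal NTFS VBR carrying the fields the thread discusses.
    The bootstrap code area is left as zeros; this is sample data, not a real dump."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"                         # jmp short over the BPB, nop
    s[3:11] = EXPECTED_OEM
    struct.pack_into("<HBH", s, 0x0B, 512, 8, 0)     # bytes/sector, sectors/cluster, reserved
    s[0x15] = 0xF8                                   # media descriptor (fixed disk)
    struct.pack_into("<HHI", s, 0x18, EXPECTED_SPT, EXPECTED_HEADS, hidden_sectors)
    struct.pack_into("<I", s, 0x24, 0x80008000)      # NTFS marker dword
    struct.pack_into("<QQQ", s, 0x28, 0x1FFFFF, 0xC0000, 0x2)  # total sectors, $MFT, $MFTMirr (constructed)
    pos = 0x180                                      # lay out NUL-terminated messages
    for i, text in enumerate(ERROR_STRINGS):
        s[pos:pos + len(text)] = text
        s[0x1F8 + i] = (pos - 0x100) & 0xFF          # record the low byte for the bootstrap
        pos += len(text) + 1
    s[0x1FE:0x200] = BOOT_SIGNATURE
    return s


def tamper_like_the_challenge(sector: bytes) -> bytearray:
    """Apply the kinds of damage the thread reports to the constructed sample."""
    t = bytearray(sector)
    t[0x1FE:0x200] = b"\x00\x00"                     # boot signature gone
    struct.pack_into("<HHI", t, 0x18, 1, 1, 0)       # 1 sector/track, 1 head, 0 hidden sectors
    t[0x1F8:0x1FC] = b"\x00" * 4                     # message offset table zeroed
    i = t.find(b"compressed")
    t[i:i + 10] = b"res\x02comsed"                   # "BOOTMGR is compressed" mangled
    return t


def parse_vbr(sector: bytes) -> dict:
    """Pull out the BPB fields and message table of one 512-byte NTFS VBR."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    bps, spc, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 0x18)
    (total,) = struct.unpack_from("<Q", sector, 0x28)
    return {
        "oem": bytes(sector[3:11]), "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved": reserved, "spt": spt, "heads": heads, "hidden": hidden, "total": total,
        "msg_offsets": list(sector[0x1F8:0x1FC]), "signature": bytes(sector[0x1FE:0x200]),
    }


def check_vbr(sector: bytes) -> list:
    """Return one human-readable finding per anomaly; an empty list means clean."""
    v = parse_vbr(sector)
    f = []
    if v["oem"] != EXPECTED_OEM:
        f.append(f"OEM ID at 0x03 is {v['oem']!r}, expected {EXPECTED_OEM!r}")
    if v["signature"] != BOOT_SIGNATURE:
        f.append(f"boot signature at 0x1FE is {v['signature'].hex()}, expected 55aa")
    if v["spt"] != EXPECTED_SPT:
        f.append(f"sectors per track at 0x18 is {v['spt']:#x}, expected {EXPECTED_SPT:#x}")
    if v["heads"] != EXPECTED_HEADS:
        f.append(f"heads at 0x1A is {v['heads']:#x}, expected {EXPECTED_HEADS:#x}")
    if v["hidden"] == 0:
        f.append("hidden sectors at 0x1C is 0; a VBR from a partitioned disk is normally non-zero")
    zero = [f"{0x1F8 + i:#x}" for i, lo in enumerate(v["msg_offsets"]) if lo == 0]
    if zero:
        f.append("message offset byte(s) zero at " + ", ".join(zero) + "; the bootstrap would print garbage")
    for lo in v["msg_offsets"]:
        if lo:                                       # resolve the string and check it is plain text
            start = 0x100 + lo
            end = sector.find(b"\x00", start)
            text = bytes(sector[start:end if end != -1 else SECTOR])
            if any(b < 0x20 and b not in b"\r\n" for b in text):
                f.append(f"message at {start:#x} contains control bytes: {text!r}")
    for expected in ERROR_STRINGS:
        if expected not in sector:
            f.append(f"expected message {expected!r} is not present verbatim")
    return f


if __name__ == "__main__":
    clean = build_sample_vbr()
    for label, sec in (("clean", clean), ("tampered", tamper_like_the_challenge(clean))):
        print(label, check_vbr(sec) or "no anomalies")
```

On the constructed clean sample the four offset bytes come out as 80 9d b2 ca, which happens to match the bytes manichattan quoted for 0x1F8; on the tampered copy the checker reports the missing signature, the odd geometry words, the zero hidden-sector count, the zeroed message table and the altered "compressed" string. To run it on a real sector image, pass the first 512 bytes of the volume (not of the disk, which holds the MBR) to check_vbr.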
The following string is invalid "BOOTMGR is rescomsed"
Anonymous
Sep 24th 2010
Carry is not correct, but is on the right track (pun intended) for one of the problems.
Chris 140 Posts
Sep 24th 2010