Quick Forensic Challenge - SANS Internet Storm Center

Quick Forensic Challenge
How can I possibly try to out-do the great diary Rob posted? I can't so I'm not even going to try. Instead, and because it's been sl .. err, qu ... err ... not particularly eventful, not that we're superstitious or anything, here is a quick forensic challenge for everyone. The first person to correctly identify this and tell me the three things that are wrong will win fame, fortune, the undying admiration of everyone who visits us and, best of all .. a ISC sticker! ;) 000000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 000000010 00 00 00 00 00 F8 00 00 01 00 01 00 00 00 00 00 000000020 00 00 00 00 80 00 80 00 FF FD FF 00 00 00 00 00 000000030 00 00 0C 00 00 00 00 00 DF FF 0F 00 00 00 00 00 000000040 F6 00 00 00 01 00 00 00 01 8A F4 BC D1 F4 BC FA 000000050 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07 000000060 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E 000000070 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB 000000080 55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC 000000090 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13 0000000A0 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3 0000000B0 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8 0000000C0 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8 0000000D0 40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D 0000000E0 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16 0000000F0 68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66 000000100 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01 000000110 90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E 000000120 66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00 000000130 B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A 000000140 66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16 000000150 0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0 000000160 F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B 000000170 F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 000000180 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 000000190 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42 0000001A0 4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E 0000001B0 67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 72 0000001C0 65 73 02 63 6F 6D 73 65 64 00 0D 0A 50 72 65 73 0000001D0 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 0000001E0 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Christopher Carboni - Handler On Duty - isc dot chris at gmail dot com	Chris 140 Posts
Reply Subscribe	Sep 23rd 2010 8 years ago
To get people started : it is a NTFS partition boot sector :)	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
It's the contents from the MBR	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
It's either compressed, corrupted or infected or all 3 :p	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
A disk read error occurred BOOTMGR is missing BOOTMGR is compressed Press Ctrl+Alt+Del to restart	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
For one thing it looks like the MBR signature is missing...	Joe 2 Posts
Reply Quote	Sep 23rd 2010 8 years ago
it can be a: 1) multiple os mbr problem 2) mbr sector hardware failure 3) rootkit on mbr	Joe 2 Posts
Reply Quote	Sep 23rd 2010 8 years ago
to save some time I bet you could load this into encase and bookmark the area as an MBR to parse the data.. that is if one had the time to do anything ;)	Joe 2 Posts
Reply Quote	Sep 23rd 2010 8 years ago
As has been mentioned it is a NTFS boot sector. There appears to be some corruption starting around 0x1bf. Sectors per track seems odd as does the number of heads.	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
You're going to get this in bits and pieces. There is supposed to be something besides \x00's at 0000001F8 for example, 80 9d b2 ca 00 00 55 aa -manichattan	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
change in two bytes in bootstrap code at offsets 0x56 & 0x57 so it becomes, cli xor bx, bx rcl ax, cl instead of, cli xor ax, ax mov ss, ax this leaves 3 registers to be unknown, 1. ss is unknown (we want it zeroed, so that Stack Pointer would be 0000:7C00) 2. ax (al) 3. cf (rcl affects carry flag)	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
It is a Microsoft ntfs volume boot record. Missing are: - Magic bytes AA55h at 01FE - Message Offset bytes at 01F8: eg. 83 A0 B3 C9 - bytes at 001C to reserve sectors	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
instead of saying "BOOTMGR is compressed" it says "BOOTMGR is res comsed" with the alterations starting at 0000001BF as @fs2 said above. -- manichattan	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
heh! just realized i mixed up binaries... and ended up adding incorrect comment. please ignore.	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
and I confused \x20 with \x02. instead of a space character, there is a "start of text" character. "res\x02comsed" ??? -- manichattan	Anonymous
Reply Quote	Sep 23rd 2010 8 years ago
If this is the first sector of the drive, then that is the problem itself. The first sector should include this: 00000180 fe 47 52 55 42 20 00 47 65 6f 6d 00 48 61 72 64 \|.GRUB .Geom.Hard\| ;)	Anonymous
Reply Quote	Sep 24th 2010 8 years ago
It's a ntfs mbr dump with the missing magic bytes 0x55 0xaa at the end. The words at offset 0x18 and offset 0x1a which are representing the number of Sectors Per Track and the Number Of Heads respectively must be 0x3f00 and 0xff00 as in fat16 and fat32 volumes. Additionally, the dword at offset 0x1c represents the number of Hidden Sectors and is generally different from 0x00000000 as in the dump (0x00b05301 on win7 for me, but generally 0x00000800) unless the disk where the dump is from isn't partionned at all (according to ms specs). Finally the fours bytes located at offset 0x1f8 to 0x1fc must be different from 0x00. They are offsets used by the code in the bootstrap to locate the error strings messages to be displayed where nasty things happens, like in the following code snippet from the disassembled bootstrap code in the dump: seg000:7D5F loc_7D5F: ; CODE XREF: seg000:loc_7C8Aj seg000:7D5F ; sub_7D12+33j seg000:7D5F mov al, ds:1F8h seg000:7D62 call sub_7D6D seg000:7D65 mov al, ds:1FBh seg000:7D68 call sub_7D6D At ds:1F8h should be the offset to the zero-terminated string which will be displayed by the sub_7D6D subroutine using the int 0x10 interrupt (bios handled interrupt to print characters on the screen): seg000:7D6D seg000:7D6D seg000:7D6D sub_7D6D proc near ; CODE XREF: sub_7D12+50p seg000:7D6D ; sub_7D12+56p seg000:7D6D mov ah, 1 seg000:7D6F mov si, ax seg000:7D71 seg000:7D71 loc_7D71: ; CODE XREF: sub_7D6D+10j seg000:7D71 lodsb seg000:7D72 cmp al, 0 seg000:7D74 jz short locret_7D7F seg000:7D76 mov ah, 0Eh seg000:7D78 mov bx, 7 seg000:7D7B int 10h ; - VIDEO - WRITE CHARACTER AND ADVANCE CURSOR (TTY WRITE) seg000:7D7B ; AL = character, BH = display page (alpha modes) seg000:7D7B ; BL = foreground color (graphics modes) seg000:7D7D jmp short loc_7D71 seg000:7D7F ; --------------------------------------------------------------------------- seg000:7D7F seg000:7D7F locret_7D7F: ; CODE XREF: sub_7D6D+7j seg000:7D7F retn seg000:7D7F sub_7D6D endp - teach	Anonymous
Reply Quote	Sep 24th 2010 8 years ago
fat converted to NTFS ?	Anonymous
Reply Quote	Sep 24th 2010 8 years ago
0x18h 1 sector per track 0x1Ah 1 head 0x28h 0xFFFDFF0000000000h Total sectors There is only one sector per track, so with the total sectors that means a lot of tracks. And there is only 1 head. That is a big platter. The text starting at 0x1BFh and ending at 0x1C5h is changed and should 0x636F6D70726573h (ASCII text: compres). 0x1F8h through 0x1FBH does not contain a first partition entry	Anonymous
Reply Quote	Sep 24th 2010 8 years ago
The following string is invalid "BOOTMGR is rescomsed"	Anonymous
Reply Quote	Sep 24th 2010 8 years ago
Carry is not correct, but is on the right track (pun intended) for one of the problems.	Chris 140 Posts
Reply Quote	Sep 24th 2010 8 years ago