Mount DriveSnapshot backup image ?
#1
Posted 01 November 2007 - 07:28 PM
I know there is a built-in function to mount images, but I would like to know if we can use a single driver (imdisk) to load various kinds of images...
#2
Posted 01 November 2007 - 08:05 PM
Zip them and attach the file here, I'll have a look at it.
(of course the image made by snapshot must be NOT of a compressed type)
If you want to do it by yourself, and have a hex/disk editor handy, best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).
Peek around the found data, and compare this view with the hex view of the original drive MBR and/or bootsector copied off it with HD hacker or similar utility.
Do the snapshots represent a full hard disk or a partition?
jaclaz
#3
Posted 02 November 2007 - 09:36 PM
Disk0 Partition1 "boot partition"
Sure, just make a snapshot of a drive with that app, then use the tool of your choice (hexeditor or dsfo or dd for windows) to get a reasonable amount of data from the beginning of the resulting file. I would think that 100 Kb would be more than adequate.
Zip them and attach the file here, I'll have a look at it.
(of course the image made by snapshot must be NOT of a compressed type)
If you want to do it by yourself, and have a hex/disk editor handy, best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).
Peek around the found data, and compare this view with the hex view of the original drive MBR and/or bootsector copied off it with HD hacker or similar utility.
Do the snapshots represent a full hard disk or a partition?
jaclaz
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin
#4
Posted 03 November 2007 - 08:54 AM
100 Kb = 100*1024 = 102,400
Disk0 Partition1 "boot partition"
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin
dsfo Disk0Partition1.sna 0 102400 dump.bin
jaclaz
#5
Posted 03 November 2007 - 01:16 PM
Run this:
dsfo dump.bin 132 512 MBR_01.MBR
dsfo dump.bin 15492 512 MBR_02.MBR
There are TWO MBRs in the file, in MBRbatch.cmd they look like this:
Rest of data consists of something that looks like a Serial of some kind:
OEM-(followed by 11 AlphaNumeric characters) obfuscated below
OEM-5#6P#K#P#7#
(I am removing your original post with dump.bin just in case)
and another "header":
SND0Kp
and then it starts what looks like compressed (or encrypted) data.
Try again changing the options to make the snapshot, and please PM me the new dump.bin (due to the "serial-like" info contained in the file).
jaclaz
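To illustrate the checks suggested in posts #2 and #5 (look for the 55AA trailer, then see whether the bytes in front of it form a partition table), here is an added Python example that is not from this thread or from DriveSnapshot: it scans a dump for every MBR-shaped sector and reports the offsets to carve with dsfo. The 132/15492 layout and the partition values in it are constructed test data, not values taken from the real .sna file.

```python
import struct

SECTOR = 512
MAGIC = b"\x55\xaa"  # the 55AA trailer that ends both MBRs and boot sectors
ENTRY = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes):
    """Return the 4 partition entries if `sector` looks like an MBR, else None.
    Rejects: wrong length, no 55AA trailer, a boot flag other than 0x00/0x80,
    or no non-empty entry. A blank sector or a VBR (boot code where the table
    would be) fails one of these, so only real partition tables get through.
    """
    if len(sector) != SECTOR or sector[510:] != MAGIC:
        return None
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if boot not in (0x00, 0x80):
            return None
        entries.append((ptype, lba, count))
    return entries if any(t for t, _, _ in entries) else None

def find_mbrs(data: bytes):
    """Map every offset whose 512-byte window parses as an MBR to its entries.
    Each offset is what you would pass to `dsfo dump.bin <offset> 512 out.MBR`.
    """
    found = {}
    pos = data.find(MAGIC)
    while pos != -1:
        start = pos - 510
        if start >= 0 and (entries := parse_mbr(data[start:start + SECTOR])):
            found[start] = entries
        pos = data.find(MAGIC, pos + 1)
    return found

def make_mbr(parts):
    """Build a synthetic MBR (constructed test data) from (boot, type, lba, count) tuples."""
    sector = bytearray(b"\xfa\x33\xc0".ljust(510, b"\0") + MAGIC)  # stub boot code
    for i, (boot, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY, sector, 446 + 16 * i, boot, bytes(3), ptype, bytes(3), lba, count)
    return bytes(sector)

# Constructed sample mimicking the reported layout: 132-byte header, one MBR,
# filler that includes a decoy VBR-like sector, and a second MBR at offset 15492.
OLD_MBR = make_mbr([(0x80, 0x07, 63, 20000)])
NEW_MBR = make_mbr([(0x80, 0x07, 63, 10000), (0x00, 0x0B, 10063, 9937)])
DECOY = b"\x90" * 510 + MAGIC  # ends in 55AA but carries no partition table
SAMPLE = (bytes(132) + OLD_MBR + bytes(2048) + DECOY
          + bytes(15492 - 132 - 2048 - 2 * SECTOR) + NEW_MBR)
```

Run it over a dump of the uncompressed .sna and diff each reported table against the MBR copied off the live disk to see which copy is the stale layout.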
#6
Posted 05 November 2007 - 04:47 PM
OEM-5#6P#K#P#7#
NetBIOS name of the computer, randomly generated by the Windows install.
Can't say about the second header.
Two MBRs means there is an old copy of the previous layout of my Disk / Partitions.
Not good for forensic investigation
I'm not in front of the box to create a new backup, but I remember having the ability to back up the whole drive including blank space without data. But I won't do it, it's a 100Gb HDD.
Maybe I will try another partition/drive backup tool.
Thanks for your investigation, and I definitely have to read ALL your advanced topics in the future to learn more about Disk / Partition. A very hard task!
#7
Posted 05 November 2007 - 07:18 PM
jaclaz