
Mount DriveSnapshot backup image ?


#1 bilou_gateux

bilou_gateux

    Frequent Member

  • Expert
  • 230 posts
  •  
    France

Posted 01 November 2007 - 07:28 PM

Jaclaz, maybe you would be interested in closely inspecting the content of a .sna file created by DriveSnapshot with your favorite hex editor and, with your level of knowledge, finding the magic value needed to load this image with ImDisk.

I know there is a built-in function to mount the image, but I would like to know if we can use a single driver (ImDisk) to load various kinds of images...

#2 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 01 November 2007 - 08:05 PM

Sure, just make a snapshot of a drive with that app, then use the tool of your choice (hex editor, dsfo or dd for Windows) to get a reasonable amount of data from the beginning of the resulting file. I would think that 100 Kb would be more than adequate.

Zip them and attach the file here, I'll have a look at it.
(of course the image made by DriveSnapshot must NOT be of a compressed type) :cheers:

If you want to do it by yourself, and have a hex/disk editor handy, the best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).

Peek around the found data, and compare this view with the hex view of the original drive's MBR and/or boot sector copied off it with HDHacker or a similar utility.

Do the snapshots represent a full hard disk or a partition?

:cheers:

jaclaz

#3 bilou_gateux

bilou_gateux

    Frequent Member

  • Expert
  • 230 posts
  •  
    France

Posted 02 November 2007 - 09:36 PM

Sure, just make a snapshot of a drive with that app, then use the tool of your choice (hex editor, dsfo or dd for Windows) to get a reasonable amount of data from the beginning of the resulting file. I would think that 100 Kb would be more than adequate.

Zip them and attach the file here, I'll have a look at it.
(of course the image made by DriveSnapshot must NOT be of a compressed type) :cheers:

If you want to do it by yourself, and have a hex/disk editor handy, the best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).

Peek around the found data, and compare this view with the hex view of the original drive's MBR and/or boot sector copied off it with HDHacker or a similar utility.

Do the snapshots represent a full hard disk or a partition?

:cheers:

jaclaz

Disk0 Partition1 "boot partition"
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin

#4 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 03 November 2007 - 08:54 AM

Disk0 Partition1 "boot partition"
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin

100 Kb = 100 * 1024 = 102,400

dsfo Disk0Partition1.sna 0 102400 dump.bin

jaclaz

#5 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 03 November 2007 - 01:16 PM

NO joy! :cheers:

Run this:
dsfo dump.bin 132 512 MBR_01.MBR

dsfo dump.bin 15492 512 MBR_02.MBR

There are TWO MBRs in the file; in MBRbatch.cmd they look like this:
[image: MBR_01.MBR as shown by MBRbatch.cmd]

[image: MBR_02.MBR as shown by MBRbatch.cmd]

The rest of the data consists of something that looks like a serial of some kind:
OEM- followed by 11 alphanumeric characters, obfuscated below:
OEM-5#6P#K#P#7#
(I am removing your original post with dump.bin just in case)
and another "header":

SND0Kp

and then what looks like compressed (or encrypted) data starts.

Try again, changing the options used to make the snapshot; please PM me the new dump.bin (due to the "serial-like" info contained in the file).

:cheers:

jaclaz
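The search jaclaz describes in reply #2 (look for the 55AA signature, then compare the surrounding bytes with a real MBR) and the carve he runs in reply #5 (dsfo dump.bin 132 512 MBR_01.MBR), as an added Python example that is not from this thread: it scans a dump for 512-byte blocks ending in 55AA, keeps only those whose partition table is plausible, and decodes the entries. The dump contents and offsets are constructed for the example, not the poster's actual file.

```python
import struct

SECTOR = 512
SIG_OFFSET = 510         # the 55AA "magic" occupies the last two bytes of an MBR/boot sector
PT_OFFSET = 446          # the four 16-byte partition entries sit just before the signature
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count

def parse_partition_table(sector):
    """Decode the four partition entries of a 512-byte sector into dicts."""
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        entries.append({"boot": boot, "type": ptype, "lba": lba, "count": count})
    return entries

def looks_like_mbr(sector):
    """Plausibility check: every boot flag is 00 or 80 and at least one entry is in use."""
    if len(sector) != SECTOR:
        return False
    entries = parse_partition_table(sector)
    return all(e["boot"] in (0x00, 0x80) for e in entries) and any(e["type"] for e in entries)

def find_mbr_candidates(data):
    """Offsets of every 512-byte block that ends in 55AA and has a plausible partition table.
    A hit at offset N is exactly what 'dsfo dump.bin N 512 out.MBR' would carve."""
    hits = []
    pos = data.find(b"\x55\xaa")
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and looks_like_mbr(data[start:start + SECTOR]):
            hits.append(start)
        pos = data.find(b"\x55\xaa", pos + 1)
    return hits

def build_mbr(parts):
    """Constructed test MBR: zeroed boot code, the given (boot, type, lba, count) entries, 55AA."""
    sector = bytearray(SECTOR)
    for i, (boot, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i, boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

# Constructed stand-in for dump.bin: 132 bytes of opaque header, one MBR with a single bootable
# NTFS (type 07) partition, then filler holding a stray 55AA that is NOT a real MBR.
SAMPLE_DUMP = b"\x00" * 132 + build_mbr([(0x80, 0x07, 63, 204800)]) + b"\x00" * 356 + b"\x55\xaa" + b"\x00" * 2000

if __name__ == "__main__":
    for off in find_mbr_candidates(SAMPLE_DUMP):  # the stray 55AA at offset 1000 is rejected
        print(f"MBR candidate at offset {off}")
        for n, e in enumerate(parse_partition_table(SAMPLE_DUMP[off:off + SECTOR])):
            if e["type"]:
                print(f"  entry {n}: boot={e['boot']:02x} type={e['type']:02x} lba={e['lba']} sectors={e['count']}")
```

To use it on a real carve, read the 102,400-byte dump.bin into `data` and pass it to find_mbr_candidates; each reported offset can then be cut out with dsfo exactly as in reply #5.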

#6 bilou_gateux

bilou_gateux

    Frequent Member

  • Expert
  • 230 posts
  •  
    France

Posted 05 November 2007 - 04:47 PM

OEM-5#6P#K#P#7#
NetBIOS name of the computer, randomly generated by the Windows install.

Can't say about the second header.

Two MBRs means there is an old copy of the previous layout of my Disk / Partitions.

Not good for forensic investigation :cheers:

I'm not in front of the box to create a new backup, but I remember having the ability to back up the whole drive including blank space without data. But I won't do it, it's a 100 GB HDD.

Maybe i will try another partition/drive backup tool.

Thanks for your investigation, and I definitely have to read ALL your advanced topics in the future to learn more about Disk / Partition. A very hard task!

#7 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 05 November 2007 - 07:18 PM

Well, most probably the snapshot was taken using compression....

:cheers:

jaclaz