Comments on: Volume Boot Sector Format of FAT http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/ An Information Security Blog by NII Consulting Tue, 07 Feb 2012 12:10:45 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Steve S. http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-114 Steve S. Fri, 01 Feb 2008 16:17:42 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-114 Minor typo in this paragraph, "We can see the value on 14th offset is 20 and on 15th offset is 00. Converting this value in Big Endian form the value comes out to be 0020 which is written in hex as 0×020. Converting this value to decimal we get 2." You may want to correct the paragraph for the 14th and 15th offset to read. "...be written in hex as 0x0020. Converting this value to the decimal we get 512." The bit pattern is interpreted in big endian form as indicated which means that the most significant value is at the right. Thank you, Steve Minor typo in this paragraph, “We can see the value on 14th offset is 20 and on 15th offset is 00. Converting this value in Big Endian form the value comes out to be 0020 which is written in hex as 0×020. Converting this value to decimal we get 2.”

You may want to correct the paragraph for the 14th and 15th offset to read. “…be written in hex as 0×0020. Converting this value to the decimal we get 512.” The bit pattern is interpreted in big endian form as indicated which means that the most significant value is at the right.

Thank you,
Steve

]]> By: Kush http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-113 Kush Fri, 23 Nov 2007 10:08:28 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-113 Hello Mikha, Thanks for reading the article. There are lot more articles to come on digital forensics. Keep reading articles on checkmate. Regards, Kush Wadhwa Hello Mikha,

Thanks for reading the article. There are lot more articles to come on digital forensics. Keep reading articles on checkmate.

Regards,

Kush Wadhwa

]]> By: Mikha http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-112 Mikha Wed, 03 Oct 2007 21:00:09 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-112 Great, I love to know more and more please feed me back with any interesting topics about BootSectors on my e-mail. Thanks again. Great, I love to know more and more please feed me back with any interesting topics about BootSectors on my e-mail.
Thanks again.

]]> By: Antivirustaneja http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-111 Antivirustaneja Thu, 09 Aug 2007 09:22:11 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-111 "Disk Image With Corrupted MBR Partition Table Cannot Be Acquired EnCase cannot properly acquire disks with certain corrupted MBR partition tables. When running linen on a system with a disk with a carefully crafted partition table (including many partition table entries), linen won't start up properly. If linen is started prior to corrupting the image, it will start up, but EnCase will hang inde nitely while acquiring the image. While the acquisition is hung, it is possible to cancel out of the import from the GUI. If a disk image is manually captured and transferred to the EnCase workstation and acquired as a raw disk image, EnCase will hang inde nitely while attempting to acquire the image. There is no way to cancel out of this process | the GUI becomes unresponsive. We have not identi ed the root cause of this issue, but it appears to be due to the overly large values in the 29th partition table entry. We were unable to reproduce this issue in similar situations with a small number of partitions." more details: "Breaking Forensics Software: Weaknesses in Critical Evidence Collection" at http://www.isecpartners.com “Disk Image With Corrupted MBR Partition Table Cannot Be Acquired

EnCase cannot properly acquire disks with certain corrupted MBR partition tables. When running linen
on a system with a disk with a carefully crafted partition table (including many partition table entries), linen
won’t start up properly. If linen is started prior to corrupting the image, it will start up, but EnCase will
hang inde nitely while acquiring the image. While the acquisition is hung, it is possible to cancel out of the
import from the GUI.
If a disk image is manually captured and transferred to the EnCase workstation and acquired as a raw
disk image, EnCase will hang inde nitely while attempting to acquire the image. There is no way to cancel
out of this process | the GUI becomes unresponsive. We have not identi ed the root cause of this issue,
but it appears to be due to the overly large values in the 29th partition table entry. We were unable to
reproduce this issue in similar situations with a small number of partitions.”

more details:
“Breaking Forensics Software:
Weaknesses in Critical Evidence Collection”

at
http://www.isecpartners.com

]]> By: Shambhunath Pandey http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-110 Shambhunath Pandey Tue, 26 Jun 2007 10:54:54 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-110 This is very good document to learn disk structure. Thanks & Best Regards, Shambhunath Pandey This is very good document to learn disk structure.

Thanks & Best Regards,

Shambhunath Pandey

]]> By: Rohit Shah http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-109 Rohit Shah Fri, 08 Jun 2007 09:51:41 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-109 Good job, Anatomy of the whole FAT filesystem, with each offset derscibed with examples. After going through the article I have a better understanding for FAT. Checkmate is a wonderfull way for disseminating knowledge. Good job,
Anatomy of the whole FAT filesystem, with each offset derscibed with examples. After going through the article I have a better understanding for FAT.
Checkmate is a wonderfull way for disseminating knowledge.

]]> By: Kush Wadhwa http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-108 Kush Wadhwa Fri, 01 Jun 2007 09:44:19 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-108 Thanx Iain. I will surely write an article on Volume Boot Record of NTFS file system. Keep reading forensic article on checkmate;) Thanx Iain. I will surely write an article on Volume Boot Record of NTFS file system. Keep reading forensic article on checkmate;)

]]> By: Iain http://niiconsulting.com/checkmate/2007/05/29/volume-boot-sector-format-of-fat/comment-page-1/#comment-107 Iain Wed, 30 May 2007 17:42:25 +0000 http://www.niiconsulting.com/checkmate/2007/05/volume-boot-sector-format-of-fat/#comment-107 What a great and thorough walkthrough. I'll get my hex viewer out, along with a disk as soon as I can. Once I've got to grips with FAT32, I'd like to get to know more about NTFS (hint, hint!). I know there was a brief introduction about NTFS a while ago so I'm sure that a similarly detailed walkthrough for NTFS would be appreciated by all. Keep up the good work which is very educational. What a great and thorough walkthrough. I’ll get my hex viewer out, along with a disk as soon as I can. Once I’ve got to grips with FAT32, I’d like to get to know more about NTFS (hint, hint!). I know there was a brief introduction about NTFS a while ago so I’m sure that a similarly detailed walkthrough for NTFS would be appreciated by all.

Keep up the good work which is very educational.

]]>