Mount DriveSnapshot backup image?
bilou_gateux
post Nov 1 2007, 07:28 PM
Post #1

Jaclaz, maybe you would be interested in closely inspecting the content of a .sna file created by DriveSnapshot with your favorite hex editor and, with your level of knowledge, finding the magic value to load this image with ImDisk.

I know there is a built-in function to mount the image, but I would like to know if we can use a single driver (imdisk) to load various kinds of images...

jaclaz
post Nov 1 2007, 08:05 PM
Post #2

Sure, just make a snapshot of a drive with that app, then use the tool of your choice (hex editor or dsfo or dd for Windows) to get a reasonable amount of data from the beginning of the resulting file. I would think that 100 KB would be more than adequate.

Zip them and attach the file here, I'll have a look at it.
(of course the image made by snapshot must be NOT of a compressed type) ;)

If you want to do it by yourself, and have a hex/disk editor handy, the best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).

Peek around the found data, and compare this view with the hex view of the original drive MBR and/or boot sector copied off it with HD hacker or a similar utility.

Do the snapshots represent a full hard disk or a partition?


jaclaz
bilou_gateux
post Nov 2 2007, 09:36 PM
Post #3

QUOTE (jaclaz @ Nov 1 2007, 10:05 PM) *
Sure, just make a snapshot of a drive with that app, then use the tool of your choice (hex editor or dsfo or dd for Windows) to get a reasonable amount of data from the beginning of the resulting file. I would think that 100 KB would be more than adequate.

Zip them and attach the file here, I'll have a look at it.
(of course the image made by snapshot must be NOT of a compressed type) ;)

If you want to do it by yourself, and have a hex/disk editor handy, the best "first value" to check for is the "magic" signature 55AA (which terminates both MBRs and boot sectors).

Peek around the found data, and compare this view with the hex view of the original drive MBR and/or boot sector copied off it with HD hacker or a similar utility.

Do the snapshots represent a full hard disk or a partition?

jaclaz

Disk0 Partition1 "boot partition"
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin
jaclaz
post Nov 3 2007, 08:54 AM
Post #4

QUOTE (bilou_gateux @ Nov 2 2007, 10:36 PM) *
Disk0 Partition1 "boot partition"
dsfo Disk0Partition1.sna 0 ?length_value_to_use_here? dump.bin

100 KB = 100*1024 = 102,400 bytes

dsfo Disk0Partition1.sna 0 102400 dump.bin

jaclaz
jaclaz
post Nov 3 2007, 01:16 PM
Post #5

NO joy! :(

Run this:
CODE
dsfo dump.bin 132 512 MBR_01.MBR
dsfo dump.bin 15492 512 MBR_02.MBR


There are TWO MBRs in the file; in MBRbatch.cmd they look like this:
http://img215.imageshack.us/img215/1296/mbr01nw8.th.jpg

http://img215.imageshack.us/img215/3605/mbr02yg5.th.jpg

The rest of the data consists of something that looks like a serial of some kind:
OEM-(followed by 11 alphanumeric characters), obfuscated below
OEM-5#6P#K#P#7#
(I am removing your original post with dump.bin just in case)
and another "header":
QUOTE
SND0Kp

and then it starts what looks like compressed (or encrypted) data.

Try again changing the options used to make the snapshot, and please PM me the new dump.bin (due to the "serial-like" info contained in the file).


jaclaz
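An added example (my own code, not from this thread and not DriveSnapshot's or ImDisk's) that automates the two hunts above: the "look for 55AA, then compare the neighbourhood with the real MBR" advice from post #2, and the two MBRs found at byte offsets 132 and 15492 in post #5. It searches a dump for 55AA at every byte offset (the offsets in post #5 are not sector-aligned, so a sector-stepped search would miss them), keeps the 512-byte window ending there only if it parses as a plausible MBR partition table or as a FAT/NTFS boot sector, and diffs two partition tables entry by entry. The dump it runs on is constructed: seeded noise with two hand-built MBRs placed at 132 and 15492. The plausibility rules (status byte 0x00/0x80, non-overlapping entries, jump + OEM name + bytes-per-sector for a boot sector) are this example's own heuristics, not anything documented for the .sna format.

```python
"""Find 55AA-terminated sectors in a raw dump, classify each as MBR or
FAT/NTFS boot sector, and diff two partition tables.

Added example, not code from the thread, DriveSnapshot or ImDisk. The dump
built by constructed_dump() (MBRs at byte offsets 132 and 15492, seeded
noise elsewhere) is constructed to mirror the offsets reported in the
thread; the MBR/boot-sector plausibility rules are this example's own
heuristics, not a documented property of .sna files.
"""
import random
import struct

SECTOR = 512
SIG = b"\x55\xAA"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA length
ENTRY = "<BxxxBxxxII"


def parse_partition_table(block):
    """The four 16-byte entries at offset 446 of an MBR, as dicts."""
    entries = []
    for i in range(4):
        status, ptype, start, length = struct.unpack_from(ENTRY, block, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": start, "lba_len": length})
    return entries


def looks_like_mbr(block):
    """Cheap false-positive filter for a brute 55AA scan: status bytes must be
    0x00/0x80, at least one entry must be in use, used entries need a non-zero
    start and length, and used entries must not overlap (assumed heuristic)."""
    entries = parse_partition_table(block)
    if any(e["status"] not in (0x00, 0x80) for e in entries):
        return False
    used = [e for e in entries if e["type"] != 0]
    if not used or any(e["lba_start"] == 0 or e["lba_len"] == 0 for e in used):
        return False
    spans = sorted((e["lba_start"], e["lba_start"] + e["lba_len"]) for e in used)
    return all(a_end <= b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:]))


def looks_like_boot_sector(block):
    """FAT/NTFS VBRs open with a short jump (EB xx 90 or E9 xx xx), an 8-byte
    printable OEM name, and a sane bytes-per-sector value at offset 0x0B."""
    jmp_ok = (block[0] == 0xEB and block[2] == 0x90) or block[0] == 0xE9
    oem_ok = all(0x20 <= c < 0x7F for c in block[3:11])
    bps = struct.unpack_from("<H", block, 0x0B)[0]
    return jmp_ok and oem_ok and bps in (512, 1024, 2048, 4096)


def scan(data):
    """(offset, kind) for every 512-byte window that ends in 55AA and passes a
    check above. The signature is searched at every byte position, not only on
    sector boundaries: inside a container the copied sectors need not be
    aligned (132 and 15492 in the thread are not)."""
    hits, pos = [], data.find(SIG)
    while pos != -1:
        start = pos + 2 - SECTOR
        if start >= 0:
            block = data[start:start + SECTOR]
            if looks_like_mbr(block):
                hits.append((start, "mbr"))
            elif looks_like_boot_sector(block):
                hits.append((start, "bootsector"))
        pos = data.find(SIG, pos + 1)
    return hits


def partition_table_diff(mbr_a, mbr_b):
    """Indices of partition entries that differ between two MBRs: the
    'compare against the real drive's MBR' step, ignoring the boot code."""
    ta, tb = parse_partition_table(mbr_a), parse_partition_table(mbr_b)
    return [i for i in range(4) if ta[i] != tb[i]]


# ---- constructed sample data (not a real .sna) ------------------------------
def build_mbr(partitions):
    """512-byte MBR from (status, type, lba_start, lba_len) tuples; the boot
    code is a stub (xor ax,ax / mov ss,ax / mov sp,7C00h)."""
    block = bytearray(SECTOR)
    block[:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"
    for i, (status, ptype, start, length) in enumerate(partitions):
        struct.pack_into(ENTRY, block, 446 + 16 * i, status, ptype, start, length)
    block[510:] = SIG
    return bytes(block)


def build_vbr_stub(oem=b"NTFS    "):
    """Minimal NTFS-style boot sector: jump, OEM name, 512 bytes/sector, 55AA."""
    block = bytearray(SECTOR)
    block[0:3], block[3:11] = b"\xEB\x52\x90", oem
    struct.pack_into("<H", block, 0x0B, 512)
    block[510:] = SIG
    return bytes(block)


OLD_MBR = build_mbr([(0x80, 0x07, 63, 2097089)])  # old layout: one NTFS partition
NEW_MBR = build_mbr([(0x80, 0x07, 63, 20971457), (0x00, 0x0F, 20971520, 167772160)])


def constructed_dump():
    """~96 KB of seeded noise with OLD_MBR at offset 132 and NEW_MBR at 15492."""
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return noise(132) + OLD_MBR + noise(15492 - 132 - SECTOR) + NEW_MBR + noise(80000)


if __name__ == "__main__":
    dump = constructed_dump()
    for off, kind in scan(dump):
        print(f"offset {off:6d}: {kind}")
        if kind == "mbr":
            for n, e in enumerate(parse_partition_table(dump[off:off + SECTOR])):
                if e["type"]:
                    print(f"  entry {n}: status={e['status']:#04x} type={e['type']:#04x} "
                          f"start={e['lba_start']} len={e['lba_len']}")
    print("entries that changed between the two MBRs:", partition_table_diff(OLD_MBR, NEW_MBR))
```

Against a real file, call `scan(open("dump.bin", "rb").read())` on the 100 KB head extracted with dsfo. A partition-only snapshot such as the "Disk0 Partition1" one in post #3 should surface as a "bootsector" hit rather than an "mbr" hit, and if nothing at all turns up in the head, the stored sectors are most likely compressed or otherwise transformed, which is where post #7 lands.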
bilou_gateux
post Nov 5 2007, 04:47 PM
Post #6

CODE
OEM-5#6P#K#P#7#

The NetBIOS name of the computer, randomly generated by the Windows install.

Can't say about the second header.

Two MBRs means there is an old copy of the previous layout of my disk / partitions.

Not good for forensic investigation.

I'm not in front of the box to create a new backup, but I remember having the ability to back up the whole drive including blank space without data. But I won't do it, it's a 100 GB HDD.

Maybe I will try another partition/drive backup tool.

Thanks for your investigation, and I definitely have to read ALL your advanced topics in the future to learn more about disk / partitions. A very hard task!
jaclaz
post Nov 5 2007, 07:18 PM
Post #7

Well, most probably the snapshot was taken using compression....


jaclaz