Is there a date in the MBR?


mscotgrove
Senior Member
 

Is there a date in the MBR?

Post Posted: Apr 21, 12 15:37

All I have is a dump of a MBR (sector 0). It contains the normal string 'Invalid partition table....'

The sector has been written to the disk and I would like to know when.

I do not currently have access to the rest of the disk.

Does anyone know if the date is ever embedded within the general code area?

I know that only bytes 0x1be to 0x1ff are actually defined, the rest are often standard.

thestarman.pcministry..../W7MBR.htm

The link above gives lots of info but does not mention a date, so I fear the answer to my question is no.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

keydet89
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 21, 12 15:55

I found multiple sites on Google that describe the code in the MBR, even go so far as to decode it (or provide someone with the ability to do so)...yet I don't see where there's a date listed.
 
  

joakims
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 22, 12 04:06

Not in the mbr, but whenever you get access to the rest of the disk, there may be traces from the OS having redetected a "new" disk (or in this case the same one but with a possibly different disk signature). Or not if the signature was the same.
_________________
Joakim Schicht

github.com/jschicht 
 
  

keydet89
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 22, 12 17:42

For some useful info about what IS in the MBR, check Google, and try Jamie's code:
gleeda.blogspot.com/20...arser.html  
 
  

jaclaz
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 23, 12 15:25

The ONLY data in a MBR (beside the partition table entries) that varies between two "same OS" installs is the Disk Signature. (4 bytes at offset 440)
The Disk Signature is "randomly generated" when the disk is "initialized" (i.e. first time it is accessed by disk manager and/or during initial partitioning and/or silently, if by any chance the disk signature is set to 00000000, as soon as the disk is connected to a NT system) and bears NO info of any kind about date/time.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 23, 12 23:47

Maybe some explanation to my not so brilliant post would be necessary. I was assuming that only the mbr was rewritten, and that the disk signature may or may not have changed during that operation. If the disk signature was changed, then it should be possible to make some assumptions as to when it occurred. For instance through the registry, by mapping the disk guid from MountedDevices to MountPoints2 and retrieving the last write timestamp. Should at least reflect the boottime of the next boot after the signature was changed. But of course pointless if the signature was kept during the rewrite. Just a shame no timestamps exist in the mbr itself.

Assumption: Windows system (which I drew because of the reference back to disassembly of a Windows 7 based mbr).
_________________
Joakim Schicht

github.com/jschicht 
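
The two posts above (the disk signature at offset 440, and correlating it with MountedDevices), as an added example that is not code from any poster in this thread: it splits a sector-0 dump into its defined fields, none of which is a timestamp, and builds the bytes to search for in the registry. The function names and the sample sector are constructed, and the 12-byte MountedDevices layout for MBR disks (signature plus partition byte offset) is an assumption the thread does not spell out.

```python
import struct

SECTOR_SIZE = 512
SIG_OFFSET = 440          # 4-byte disk signature
PT_OFFSET = 0x1BE         # four 16-byte partition table entries
BOOT_MAGIC = b"\x55\xaa"  # bytes 0x1FE-0x1FF

def parse_mbr(sector: bytes) -> dict:
    """Return the defined MBR fields: disk signature and used partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[0x1FE:0x200] != BOOT_MAGIC:
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, SIG_OFFSET)
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i : PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:  # unused slot
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {"disk_signature": disk_sig, "partitions": parts}

def mounted_devices_value(disk_sig: int, lba_start: int) -> bytes:
    """Assumed MountedDevices data for an MBR volume: signature + byte offset."""
    return struct.pack("<IQ", disk_sig, lba_start * SECTOR_SIZE)

def build_sample_mbr() -> bytes:
    """Constructed sector: zeroed code area, one active NTFS-type partition."""
    s = bytearray(SECTOR_SIZE)
    s[SIG_OFFSET:SIG_OFFSET + 4] = struct.pack("<I", 0xA1B2C3D4)
    s[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    s[0x1FE:0x200] = BOOT_MAGIC
    return bytes(s)

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print("disk signature: 0x%08X" % mbr["disk_signature"])
    for p in mbr["partitions"]:
        needle = mounted_devices_value(mbr["disk_signature"], p["lba_start"])
        print("partition", p["index"], "type 0x%02X" % p["type"],
              "registry bytes:", needle.hex())
```
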
 
  

keydet89
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 24, 12 00:02

I may have something for you on this tomorrow...while it doesn't fit with the MBR that you're referring to, I may have something more along the lines of the MountedDevices/MountPoints2 key references.  
 
