±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 36464
New Yesterday: 7 Visitors: 216

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Is there a date in the MBR?

Home Forum Index General Discussion Is there a date in the MBR?

All Forums > General Discussion

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

jaclaz
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 24, 12 14:42

I am pretty sure that finding a date into \MountPoints2 that ONLY makes (loosely) sense IF Disk Signature was changed will be of great help to the OP that ONLY has the MBR:
- mscotgrove
All I have is a dump of a MBR (sector 0).


Carpenter's example:
Q: I have ONLY a hammer, NO nails and two wooden planks. How do I join the two planks together?.
A1:You should have some nails.
A2:You could use some screws and glue.

Cool

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
Back to top
 
  

mscotgrove
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 24, 12 15:44

I should explain that the disk(s) in question actually come from an HP MediaVault Raid. The disk are Reiser and at some time the boot sectors have been modified to be a 'standard' Windows type boot sector, with no partition information.

I hoped that by finding the time I could isolate when it was done, and why the boot sectors were modified.

Fortunately, sector 1 has not been changed as this stores the critical Broadcom raid information, so recovery should be possible


I did once have a job on a deleted DVD-RW which had been reformatted again. I established the time of the last format to be the time the DVD was at a 'local' PC repair shop. In this case the formating overwrote the original data.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
Back to top
 
  

jaclaz
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 24, 12 18:19

- mscotgrove
I should explain that the disk(s) in question actually come from an HP MediaVault Raid. The disk are Reiser and at some time the boot sectors have been modified to be a 'standard' Windows type boot sector, with no partition information.

What have "the boot sectors" have to do with the MBR? Shocked
There is no such thing as a 'standard' Windows bootsector (and no, not even a 'standard' MBR) some are common between different versions of Windows, some are not.

What MAY have happened is the following (though there is NO way to know WHEN from the data on the MBR):
  • *something* corrupted the 55AA Signature of the MBR
  • the disk was connected to a Windows NT OS and accessed through Disk Management
this behaviour has been documented, basically besides disk signature, a NT OS also "needs" a 55AA, if it finds it not the disk is assumed to be needing "initializing" and IF ths is carried on, the partition table is WIPED.
reboot.pro/12253/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
Back to top
 
  

joakims
Senior Member
 

Re: Is there a date in the MBR?

Post Posted: Apr 24, 12 21:38

What kind of OS was actually on this disk in case it was a boot volume, or connected to it in case not?
_________________
Joakim Schicht

github.com/jschicht 
Back to top
 

Reply to topicReply to topic

Page 2 of 2
Page Previous  1, 2