If yes, how to recover the hidden data?
Certainly it's possible to hide data there. With space being fairly limited you could use a hex editor to examine it.
Yikes, I should have re-read this before posting it!
Each MBR entry is 1024 bytes. If the total space occupied by all of the attributes is less than 1024 bytes, what remains is MBR slack which, in theory, can be used to hide data using your favorite hex editor.
And, as noted below, since the MBR is on the first sector of the first track (63 sectors), and since the volume boot record must start on the first sector of a track, the remaining 62 sectors (31744 bytes) of the first track are normally unused.
Google "FragFS" to read about a proof of concept demonstration.
For some reason, I segued into $MFT slack. Musta been tired.
In actual practice, I don't believe that I have ever seen a case where this has been done.
As noted below, viruses have been known to replace (or move) the MBR data to a different location in the first track and then insert themselves into the MBR sector. Also, some partition managers (like GRUB) often use more than one sector in the first track.
A far more useful application of the MFT slack is finding overwritten MFT entry data.
True but irrelevant to your question. Next time I'll read the question more carefully.
I've never seen it done to "hide" data, however, old "boot sector" viruses often stored their code in the slack space …
Apparently they are on their way back into fashion 😉
http://www.heise-online.co.uk/security/Return-of-the-boot-sector-virus--/news/101463
Ironically, I found a variant of this exact code on a client's machine two weeks ago. Because the MBR is allocated the first 63 sectors of the drive, but typically only needs the first sector, it was storing the original MBR in sector 62, then replacing sector 0 with some bootstrap code (which then called the original MBR once the evil was done).
So yes, there's lots of space (about 62 sectors) at the start of the drive you can hide in, and plenty in unallocated space beyond the partition. But, if any other evil wants to stash its stuff there, it might scribble all over yours. :)
Hmm, I guess I'm slow this morning. I thought the MBR was the first sector, 512 bytes in size for IDE/SCSI hard drives.
446 bytes of boot code and misc.
64 bytes for the partition table
2 bytes for the signature
But maybe the mention of 1024 bytes is from somewhere else, indicating it's wrong (since it's italics)?
xxd -l 512 /dev/hda
Will show you the 512 bytes for the file /dev/hda. You can view this, see the boot code and information, your partition table and file signature. There is room to input information, but it depends upon your OS environment and the boot loader, as well as your partitioning schema. One could certainly use the free space to input a password reminder for their encrypted file system.
SMART makes it easy to view the unallocated space of drives. Right-click and view using the raw data viewer. Search or carve if you like or see something of interest in the viewer.
Cheers!
farmerdude
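The layout farmerdude lists (446 bytes of boot code, 64-byte partition table, 0x55AA signature) and the infected-drive pattern described earlier in the thread (original MBR stashed in sector 62 of the 63-sector first track) can both be checked with a few lines of Python. The script below is an added example written for this page; it is not code posted by anyone in the thread. It parses a 512-byte MBR, measures how much of the 446-byte boot-code area is actually used (the rest is the slack a hex editor could fill), and then walks sectors 1 to 62 of the first track looking for anything that is not zero, flagging sectors that end in 0x55AA as possible relocated MBR copies. The disk image it runs against is constructed in memory so the example runs offline; the boot-code strings, the "hidden note" and the partition values are invented for the demo.

```python
import struct

SECTOR = 512
TRACK0_SECTORS = 63      # legacy CHS geometry: the first partition starts at LBA 63
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIG_OFF = 510
SIG = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code, partition table and signature.

    boot_code_used is the length up to the last non-zero byte of the 446-byte
    boot-code area; the remainder (boot_code_slack) is what a hex editor could
    fill without disturbing the partition table or the signature.
    """
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    used = len(sector[:BOOT_CODE_LEN].rstrip(b"\x00"))
    parts = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and lba == 0 and count == 0:
            continue  # empty entry
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:] == SIG,
        "boot_code_used": used,
        "boot_code_slack": BOOT_CODE_LEN - used,
        "partitions": parts,
    }


def scan_track0(image: bytes) -> dict:
    """Report every non-zero sector among LBA 1..62 of the first track.

    A standard MBR leaves these sectors unused, so any content is worth a look:
    a sector ending in 0x55AA may be a relocated original MBR (as with the
    bootkit described in the thread); anything else is foreign data.
    """
    findings = {}
    for lba in range(1, TRACK0_SECTORS):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(s) < SECTOR or not s.strip(b"\x00"):
            continue
        findings[lba] = {
            "looks_like_mbr": s[SIG_OFF:] == SIG,
            "preview": s[:32].decode("ascii", "replace"),
        }
    return findings


def build_sample_image() -> bytes:
    """Constructed 63-sector image for the demo (not a real disk)."""
    def mbr(code: bytes) -> bytes:
        # one bootable NTFS-type (0x07) partition at LBA 63; CHS fields are dummies
        entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                            b"\xFE\xFF\xFF", 63, 2097152)
        return code.ljust(BOOT_CODE_LEN, b"\x00") + entry.ljust(64, b"\x00") + SIG

    original = mbr(b"\xEB\x3C\x90" + b"ORIGINAL BOOT CODE")
    infected = mbr(b"\xEB\x3C\x90" + b"BOOTSTRAP: run payload, chain-load sector 62")
    # a note dropped into the live MBR's boot-code slack at offset 400
    note = b"passphrase hint: the usual one"
    infected = infected[:400] + note + infected[400 + len(note):]

    sectors = [infected] + [b"\x00" * SECTOR] * (TRACK0_SECTORS - 1)
    sectors[10] = b"hidden data in track slack".ljust(SECTOR, b"\x00")
    sectors[62] = original          # stashed copy of the original MBR
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image()
    print(parse_mbr(img[:SECTOR]))
    for lba, info in scan_track0(img).items():
        print(f"sector {lba}: {info}")
```

To run the same checks against a real drive, read the first 63 sectors from the device (root required), for example `open("/dev/sda", "rb").read(63 * 512)`, and pass that to the two functions. Two caveats when interpreting the result: modern partitioning tools align the first partition to 1 MiB (LBA 2048), so the unused region before it is far larger than 62 sectors, and GRUB legitimately stores its core image in that gap; and on a GPT disk the sector-0 MBR is only a protective stub with a single 0xEE entry, so a "used" first track is not by itself evidence of anything hidden.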