I have a hard drive where this is what sector 0 shows….
I am not great with hex or partition information on the disk, but I can see that there is no partition table on this sector…. which leads me to believe it's an extended partition where the table is elsewhere?
I do see that it is the beginning of an NTFS partition…. but… where do I find the parameters of this partition?
Thoughts?
The partition table is outside this portion of the file system. If you have a physical image you might try fdisk, going through a write blocker of course.
Well, if you are using EnCase, just right-click on that sector that contains the VBR and Add partition. It should indicate to you the beginning and the end of that volume.
Usually if it is an extended partition, the specs should be in the MBR sector 0 in the disk map view of EnCase.
If the MBR has been wiped you'll have to go manually to each VBR if you have many volumes. Each volume has its own VBR that indicates what kind of file system, cluster size etc.
You can also use some free partition info apps if you don't have EnCase.
Hope that this will help you.
This IS a physical image of the drive…. This is sector 0. For some reason EnCase is not creating the partition. This drive came to me as a stand alone… meaning it was not in a computer system. I have checked the drive several times using EnCase and FTK and all show the same sector 0. When I do load the image into EnCase or FTK it creates a partition in the middle of the drive with no file structure.
I can delete that partition and create a "user defined" from sector 0, but again, no file structure.
I guess my question is what type of drive has just a beginning of a partition in sector 0? Where can I find the information on the parameters of this drive/partition since it is not before hex 55 AA at the end of the sector.
Branerift,
There are 2 possible ways to remedy this
1) Run partition finder within EnCase (located under sweep case). Once completed, go to the bookmarked data, click on the found partition, and switch to disk view and add a user-defined partition. This may find the partition you are looking for.
(This is the easy way)
However, if this doesn't work, a manual process might be in order
2) The partition size is located in the MBR. In an NTFS VBR, the size of the partition is also located in the VBR @ sector offset (SO) 40. It is usually 4 bytes in length. Using a hex editor or EnCase (I believe you have EnCase according to your previous post), highlight these 4 bytes and decode them as little-endian. Now start looking in this area, and you might see the text (NTFS, MSDOS5.0, MSWIN4.0); go to the first letter of these (if found) and add a user partition. This might yield your lost partition.
Hope this helps and good luck…
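An added example, not part of any post in this thread: a Python sketch that tells an NTFS VBR from an MBR by content and decodes the little-endian volume parameters, including the total-sectors field at offset 0x28 (decimal 40), read here as the 8-byte value NTFS stores there. The function names and the sample sector are constructed for illustration and are not taken from the drive under discussion.

```python
import struct

def classify_sector0(sec: bytes) -> str:
    """Identify a 512-byte sector by content rather than by its position."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return "no boot signature"
    if sec[3:11] == b"NTFS    ":            # OEM ID at offset 3
        return "NTFS VBR"
    # MBR: four 16-byte entries from offset 446; byte 4 of each is the type.
    types = [sec[446 + 16 * i + 4] for i in range(4)]
    return "MBR" if any(types) else "unknown boot sector"

def parse_ntfs_vbr(sec: bytes) -> dict:
    """Decode the little-endian NTFS BPB fields needed to define the volume."""
    if classify_sector0(sec) != "NTFS VBR":
        raise ValueError("not an NTFS VBR")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    hidden, = struct.unpack_from("<I", sec, 0x1C)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    rec, = struct.unpack_from("<b", sec, 0x40)   # signed byte
    cluster = bps * spc
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "hidden_sectors": hidden,      # sectors the formatter saw before the volume
        "total_sectors": total,
        "backup_vbr_sector": total,    # relative to the VBR; copy follows the volume
        "mft_byte_offset": mft_lcn * cluster,
        "mftmirr_byte_offset": mirr_lcn * cluster,
        # positive = clusters per record, negative = 2**abs(value) bytes
        "mft_record_bytes": rec * cluster if rec > 0 else 1 << -rec,
    }

def sample_vbr() -> bytes:
    """Constructed sample, not taken from the drive in this thread."""
    sec = bytearray(512)
    sec[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", sec, 0x0B, 512, 8)
    struct.pack_into("<I", sec, 0x1C, 63)
    struct.pack_into("<QQQ", sec, 0x28, 204799, 8533, 2)
    struct.pack_into("<b", sec, 0x40, -10)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    for key, value in parse_ntfs_vbr(sample_vbr()).items():
        print(f"{key:22} {value}")
```

A non-zero `hidden_sectors` value on a VBR found at absolute sector 0 is worth noting in the examination record, since it suggests the volume was formatted at that offset on a partitioned disk; checking for a second NTFS boot sector at `backup_vbr_sector` is a quick sanity test of the decoded size.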
I have a hard drive where this is what sector 0 shows….
I do see that it is the beginning of an NTFS partition…. but… where do I find the parameters of this partition?
Thoughts?
Yes, this is an NTFS VBR.
1) Where did the drive come from?
2) How was it attached originally?
3) How did you preview it?
I have seen this phenomenon occur a lot in FLASH drives.
(e.g. if you preview an iPod shuffle)
The PHYSICAL disk is just the volume;
The LOGICAL disk is just a no-offset passthrough.
Go to the disk view and "add partition"
I'd like to get some more info on 1-3
2) The partition size is located in the MBR.
Seeing my original post's sector 0 is not an MBR, I am probably out of luck, right? I have no idea what system this drive came out of because it came to me not attached to a computer.
Does anyone have an explanation of why I am seeing the above hex in sector 0?
I apologize for my lack of knowledge in this area, but seeing this in sector 0 stumped me.
I have no idea what system this drive came out of because it came to me not attached to a computer.
Does anyone have an explanation of why I am seeing the above hex in sector 0?
No problem. In EnCase go to the disk view and click on sector 0.
Then right-click and "Add partition". Go with the defaults.
(Should be NTFS, VBR offset 0, and partition size)
You might need to trim the total sector size one down.
Then it should parse the file system.
Possibility: someone created a logical image instead of a physical one. Instead of the whole disk, they only took C:\. If this is the case, the forensic software would show the VBR as absolute sector 0.
The only time the whole disk would look like this is if it is a diskette or USB stick. They only exist (in general) as volumes.
I have no idea what system this drive came out of because it came to me not attached to a computer.
Does anyone have an explanation of why I am seeing the above hex in sector 0?
No problem. In EnCase go to the disk view and click on sector 0.
Then right-click and "Add partition". Go with the defaults.
(Should be NTFS, VBR offset 0, and partition size)
You might need to trim the total sector size one down.
Then it should parse the file system.
Ya, I tried this, but EnCase and all other software failed to rebuild the structure on the drive. I did however get the majority (I think) from a lost folder recovery from the "guess" partition I created.
Thanks everyone for your input.