FTK Imager report
jaclaz
(@jaclaz)

Hi jaclaz,

thanks for your patience; I will try to explain my doubts.

1) The computer was a normal PC clone desktop; I don't think it is possible the BIOS has 240/63 HDD geometry.

2) I found, inside the installation, folders and files with date 24/08/2011, but the forensic copy has date 22/08/2011 (Report_1): there was manipulation before the MD5 acquisition.

Now that I have discovered the HDD installation has 240/63 geometry I have more doubts, because it's the geometry of a notebook, not of a PC clone.

I never thought of an MD5 collision; I asked this forum because there are two reports that have different data, and I only need to understand.

I think the best solution is to understand if the initial installation was 255/63 or 240/63, but how do I do it?

#1 Not really-really, the 240/63 geometry is more common on laptops (more specifically many IBM/Lenovo's and HP's), but there are desktops that use it; I remember some HP ones, possibly the one that was the object of this looong thread?
http://www.911cd.net/forums//index.php?s=&showtopic=24161&view=findpost&p=166162
The HP Pavilion 503n Desktop PC, which seemingly uses/used a Trigem Imperial motherboard that could well be on a "no name" PC; the BIOS is/was probably Phoenix, but I also seem to remember desktops with the (crappy BTW) Insyde BIOS having the same or a similar "queer" geometry.

#2 that - again with all due respect - is essentially your problem; I would need a much better tuned crystal ball to help you with that (wink).

The fact that the bootsector has that geometry is already a good indicator; as hinted before, you can check, and if the CODE in the bootsector has not been patched to bypass the H/S geometry and if there is no "strange" bootmanager, then that disk could ONLY be booted on a 240/63 system.

By checking HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices you can verify that the mounted volume(s) have the right disk signature:
http://www.911cd.net/forums//index.php?showtopic=19663&st=0&p=130963&#entry130963
and to the offset you can then add the actual size of the volume(s), which are probably NTFS and thus have, as the last sector of the partition (or first sector outside the filesystem), a mirror of the first sector of the bootsector (or $Boot); you can check whether it is/they are head aligned to 240. But since, as said, the "main" part of an NT system will only use LBA, that will only be a confirmation that the disk was partitioned (and the filesystem(s) created/formatted) on a machine that saw the hard disk as 240/63.

Conversely if - by any chance - the mirror is actually identical (or different) it may mean *nothing* (or *something*).

jaclaz


(@gate2088)

Hi jaclaz,

again thanks for the answer; if you want, control here:

http://vccoins.com/report/testdisk_1.jpg
http://vccoins.com/report/testdisk_2.jpg

there are too anomalies, my goal is to understand how it's possible.


jaclaz
(@jaclaz)

Hi jaclaz,
again thanks for the answer; if you want, control here:
http://vccoins.com/report/testdisk_1.jpg
http://vccoins.com/report/testdisk_2.jpg

there are too anomalies, my goal is to understand how it's possible.

WHAT could I control from a couple unreferenced TESTDISK screenshots? 😯

Besides the fact that TESTDISK is simply not the "right" tool to determine *anything* in this case[1], if you choose to use it and want to provide its output, use the /LOG feature (and post the complete LOG).

But you should really and particularly in this particular "queer" case analyze the disk image structures manually in a hex/disk editor.

You do however have a mess of some kind.

I checked and additionally the ST3250318AS (if the model is accurate) is a SATA (and not IDE) disk of the 7200.12 series and


Conteggio settori 488.397.168
[Informazioni unità fisiche]
Modello unità ST3250318AS
Tipo interfaccia unità IDE
Removable drive Falso
Source data size 238475 MB
Sector count 488397168
[Computed Hashes]
MD5 checksum dc245743f8fb3ce691b007b7cc0886bc
SHA1 checksum 3f1a1713bffac6feb7a3d703709d3f26f89a8753

Image Information
Acquisition started Wed Sep 11 09:41:49 2013
Acquisition finished Wed Sep 11 16:36:28 2013

almost 7 hours! to image a 250 GB SATA disk, which when imaged through USB


Sector Count 488.397.168
[Physical Drive Information]
Drive Model ST325031 8AS USB Device
Drive Serial Number 6VYA6E21
Drive Interface Type USB
Source data size 238475 MB
Sector count 488397168
[Computed Hashes]
MD5 checksum dc245743f8fb3ce691b007b7cc0886bc
SHA1 checksum 3f1a1713bffac6feb7a3d703709d3f26f89a8753

Image Information
Acquisition started Mon Aug 22 14:54:20 2011
Acquisition finished Mon Aug 22 18:51:38 2011

took around 4 hours is also "queer".

Everything posted leads to believe that the PC used a 240/63 geometry, including the TESTDISK, though that doesn't IMHO really count, as it only confirms what was manually already checked.

jaclaz

[1] Please note how TESTDISK is an exceptionally good program to do what it is supposed to do (which is to RECOVER misconfigured or damaged partition structures), but it is NOT suited to do this kind of analysis, as it may well - in order to reach its real scope - introduce any kind of simplification or assumption.


(@gate2088)

Hi jaclaz,

I have uploaded some screenshots and files; I have checked the "disk signature" and, if I am not mistaken, the 240/63 MBR never started that installation.
I hope you can confirm to me that the disk signature is different and that no possible MBR started that installation on 18/08/2011.
I have uploaded the whole MFT, the complete testdisk report and other files:
http://vccoins.com/report/new/

Again thanks for the help and patience.


jaclaz
(@jaclaz)

I have uploaded some screenshots and files; I have checked the "disk signature" and, if I am not mistaken, the 240/63 MBR never started that installation.
I hope you can confirm to me that the disk signature is different and that no possible MBR started that installation on 18/08/2011.

What? 😯

There must be a lack in communication (or - with all due respect - with your knowledge on the topic).

The MBR is the Master Boot Record, first absolute sector of the disk (or \\.\PhysicalDrive), the file you posted a screenshot of as MBR.JPG is a PBR (Partition Boot Record) or VBR (Volume Boot Record) i.e. the bootsector or first sector of the \\.\LogicalDrive.

The MBR (NOT the bootsector) contains a Disk Signature.

The MountedDevices Registry key (which you got right) also contains that, as it uses it to "identify" where volumes (what normally gets a drive letter assigned) are, i.e. on which disk, at which offset.

In your case the MBR should have a disk signature of 2461F883, because normally the first volume on the first disk on XP is the one that is both "system" and "boot" and that gets drive letter C:\, but this won't tell you anything about "installation" or an installation started on 18/08/2011 or any other day.

jaclaz
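As an added illustration of the cross-checks jaclaz describes in this thread (BPB geometry fields in the bootsector, the disk signature in the MBR, the disk signature plus byte offset stored in the MountedDevices value, and head/cylinder alignment of the partition end), here is a small Python script over constructed MBR and NTFS bootsector bytes; it is not code from the thread or from FTK Imager. Only the disk signature 2461F883 and the 240/63 geometry come from the thread; the partition start, size and MountedDevices value are constructed sample values.

```python
import struct

SECTOR = 512

def build_mbr(signature, start_lba, sector_count):
    """Constructed MBR: disk signature at 0x1B8, one partition entry at 0x1BE."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, signature)
    # entry: status, CHS start (3 bytes), type 0x07 (NTFS), CHS end, LBA start, LBA count
    struct.pack_into("<B3sB3sII", mbr, 0x1BE, 0x80, b"\x01\x01\x00", 0x07,
                     b"\xFE\xFF\xFF", start_lba, sector_count)
    mbr[0x1FE:] = b"\x55\xAA"
    return bytes(mbr)

def build_ntfs_vbr(heads, spt, hidden, total_sectors):
    """Constructed NTFS bootsector (PBR/VBR) with the BPB geometry fields filled in."""
    vbr = bytearray(SECTOR)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, SECTOR)                # bytes per sector
    struct.pack_into("<HHI", vbr, 0x18, spt, heads, hidden)  # sectors/track, heads, hidden
    struct.pack_into("<Q", vbr, 0x28, total_sectors)         # excludes the backup bootsector
    vbr[0x1FE:] = b"\x55\xAA"
    return bytes(vbr)

def check_volume(mbr, vbr, mounted_devices_value):
    """Cross-check MBR, bootsector and a 12-byte MountedDevices \\DosDevices\\X: value."""
    sig = struct.unpack_from("<I", mbr, 0x1B8)[0]
    start, count = struct.unpack_from("<II", mbr, 0x1BE + 8)
    spt, heads, hidden = struct.unpack_from("<HHI", vbr, 0x18)
    total = struct.unpack_from("<Q", vbr, 0x28)[0]
    md_sig, md_offset = struct.unpack("<IQ", mounted_devices_value)  # signature + byte offset
    end = start + count                      # first sector after the partition
    return {
        "disk_signature": f"{sig:08X}",
        "geometry": f"{heads}/{spt}",
        "hidden_matches_start": hidden == start,
        "vbr_total_matches_partition": total == count - 1,   # last sector holds the $Boot mirror
        "end_aligned_to_bpb_geometry": end % (heads * spt) == 0,
        "end_aligned_to_255_63": end % (255 * 63) == 0,
        "mounted_devices_matches": md_sig == sig and md_offset == start * SECTOR,
    }

def demo():
    # Constructed sample: first partition at LBA 63, ending on a 240/63 cylinder boundary.
    sample_mbr = build_mbr(0x2461F883, 63, 488391057)
    sample_vbr = build_ntfs_vbr(240, 63, 63, 488391056)
    sample_md = struct.pack("<IQ", 0x2461F883, 63 * SECTOR)  # what \DosDevices\C: would hold
    return check_volume(sample_mbr, sample_vbr, sample_md)
```

On a real image the same three reads (sector 0, the partition's first sector, and the exported MountedDevices value) replace the constructed builders; a partition end that is aligned to 240/63 but not to 255/63 is the confirmation jaclaz refers to.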

