Hello!
I am quite new to this. I have an image file with a corrupt primary partition table. My task is to extract all the partitions (primary, secondary) from the disk image.
I used "# sigfind -o 510 -l AA55 image.dd"
Then I try to extract partition (using dd with each block entry I got), but
- First, I don't know how to determine if it is little-endian.
- Second, how to extract partition. Here is one example of xxd for the 446 to 461 bytes (first partition entry)
#0000000 eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS …..
How do I extract a partition based on this and mount it? And how can I be sure I got it right?
I am very confused, so I apologize for too many questions, I am sure the answers will clear everything up)
Are you doing this under Linux?
This page has the details you need.
http//
Thank you for your response. I tried using the instructions in the link, like using 'parted', but it doesn't work. The problem is my partition table is corrupted. I can't use anything (that I have tried so far) to give me information on primary and secondary partitions, so I can use the offset to extract and mount partitions from the disk image.
I am trying to use sigfind, but it can also give false positive. So I want to know how to do this)
Any help will be much appreciated)
(Pls look for specific details in my question)
Skip the parted bit and use the offsets from sigfind.
The data you posted are the first bytes of an NTFS boot sector.
Sorry that is the boot code part. Here is the partition table byte layout for the first table
0000000 2063 6f6d 7072 6573 7365 6400 0d0a 5072
Problem with this is
How do I know if it is big or little-endian?
The offset I get here is bigger than the disk image, which means this is a false positive.
Any ideas on how to do this?
That hex is ASCII for " compressed Pr", which again is found in the boot sector of an NTFS volume.
Which doesn't help with the endianness. However, looking back at the hex above (which is the first few bytes of an NTFS boot sector), it seems that the data is in little endian. Assuming the sector size of the disk is 512 and not 2 bytes :D
Can you dump the rest of this sector here?
How can you tell that it is little-endian)
Here is the rest of the dump
0000000 eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS …..
0000010 0000 0000 00f8 0000 3800 0900 3800 0000 ……..8…8…
0000020 0000 0000 8000 8000 0fce 0700 0000 0000 …………….
0000030 0400 0000 0000 0000 e07c 0000 0000 0000 ………|……
0000040 f600 0000 0100 0000 f484 be20 5814 dd69 ……….. X..i
0000050 0000 0000 fa33 c08e d0bc 007c fb68 c007 …..3…..|.h..
0000060 1f1e 6866 00cb 8816 0e00 6681 3e03 004e ..hf……f.>..N
0000070 5446 5375 15b4 41bb aa55 cd13 720c 81fb TFSu..A..U..r…
0000080 55aa 7506 f7c1 0100 7503 e9d2 001e 83ec U.u…..u…….
0000090 1868 1a00 b448 8a16 0e00 8bf4 161f cd13 .h…H……….
00000a0 9f83 c418 9e58 1f72 e13b 060b 0075 dba3 …..X.r.;…u..
00000b0 0f00 c12e 0f00 041e 5a33 dbb9 0020 2bc8 ……..Z3… +.
00000c0 66ff 0611 0003 160f 008e c2ff 0616 00e8 f……………
00000d0 4000 2bc8 77ef b800 bbcd 1a66 23c0 752d @.+.w……f#.u-
00000e0 6681 fb54 4350 4175 2481 f902 0172 1e16 f..TCPAu$….r..
00000f0 6807 bb16 6870 0e16 6809 0066 5366 5366 h…hp..h..fSfSf
0000100 5516 1616 68b8 0166 610e 07cd 1ae9 6a01 U…h..fa…..j.
0000110 9090 6660 1e06 66a1 1100 6603 061c 001e ..f`..f…f…..
0000120 6668 0000 0000 6650 0653 6801 0068 1000 fh….fP.Sh..h..
0000130 b442 8a16 0e00 161f 8bf4 cd13 6659 5b5a .B……….fY[Z
0000140 6659 6659 1f0f 8216 0066 ff06 1100 0316 fYfY…..f……
0000150 0f00 8ec2 ff0e 1600 75bc 071f 6661 c3a0 ……..u…fa..
0000160 f801 e808 00a0 fb01 e802 00eb feb4 018b …………….
0000170 f0ac 3c00 7409 b40e bb07 00cd 10eb f2c3 ..<.t………..
0000180 0d0a 4120 6469 736b 2072 6561 6420 6572 ..A disk read er
0000190 726f 7220 6f63 6375 7272 6564 000d 0a42 ror occurred…B
00001a0 4f4f 544d 4752 2069 7320 6d69 7373 696e OOTMGR is missin
00001b0 6700 0d0a 424f 4f54 4d47 5220 6973 2063 g…BOOTMGR is c
00001c0 6f6d 7072 6573 7365 6400 0d0a 5072 6573 ompressed…Pres
00001d0 7320 4374 726c 2b41 6c74 2b44 656c 2074 s Ctrl+Alt+Del t
00001e0 6f20 7265 7374 6172 740d 0a00 0000 0000 o restart…….
00001f0 0000 0000 0000 0000 809d b2ca 0000 55aa …………..U.
Thanks)
This is not the Master Boot Record sector. There is no partition table. The sector shown here contains the BPB normally found at sector 0x3F (XP) or 0x800 (Vista / Windows7) on an NTFS disk.
NTFS in all cases I have seen is always little endian.
Windows is a little endian operating system. This is a BIG hint. :D
The size of the sector in bytes is stored at offset 11 in the NTFS boot sector as two bytes.
http//
99% of the time an HDD will have a sector size of 512 bytes and 0% of the time it's going to be 2 bytes.
Interpret these two bytes as big endian and they read as 2 bytes.
Interpret these two bytes as little endian and they read as 512 bytes.
Decoding the full boot sector above, you get the total sector count to be 511503 * 512 = 261889536 bytes or 250MB.
How big is the disk?
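Added example (not part of the original thread): a Python check that decodes the BPB fields discussed above from the posted sector, reads offset 11 both ways, and tests whether a sigfind hit describes a volume that fits inside the image. The function names are hypothetical, the sample sector keeps only the first 0x30 posted bytes, and the image size assumes "250 MB" means 250 MiB.

```python
import struct

# First 0x30 bytes of the sector posted in the thread, in file (xxd) order.
# Constructed sample: boot code is zero-filled, 55AA signature re-appended.
HEAD = bytes.fromhex(
    "eb52904e544653202020200002080000"
    "0000000000f800003800090038000000"
    "00000000800080000fce070000000000"
)
SECTOR = HEAD + bytes(510 - len(HEAD)) + b"\x55\xaa"


def sector_size_both_ways(sector):
    """Read the 2 bytes at offset 11 as little- and as big-endian."""
    return (struct.unpack_from("<H", sector, 11)[0],
            struct.unpack_from(">H", sector, 11)[0])


def parse_ntfs_bpb(sector):
    """Decode the BPB fields used in the thread; raise if not an NTFS VBR."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55AA signature at offset 510")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID at offset 3 is not 'NTFS    '")
    bps, spc = struct.unpack_from("<HB", sector, 11)
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("implausible sector size %d" % bps)
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "hidden_sectors": struct.unpack_from("<I", sector, 0x1C)[0],
        "total_sectors": struct.unpack_from("<Q", sector, 0x28)[0],
    }


def volume_extent(bpb, hit_sector, image_size):
    """Return (byte offset, byte length) of the volume whose boot sector
    sigfind reported at hit_sector, or None if it cannot fit in the image."""
    bps = bpb["bytes_per_sector"]
    offset = hit_sector * bps
    # The partition is one sector longer than total_sectors: NTFS keeps a
    # backup boot sector right after the counted volume.
    length = (bpb["total_sectors"] + 1) * bps
    return (offset, length) if offset + length <= image_size else None


if __name__ == "__main__":
    bpb = parse_ntfs_bpb(SECTOR)
    # hidden_sectors stands in for the sector number sigfind reported.
    print(bpb, volume_extent(bpb, bpb["hidden_sectors"], 250 * 1024 * 1024))
```

The returned offset and length are the byte values to pass to dd (as skip and count) or to a read-only loop mount as its offset.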
Thank you for the information above, it is very helpful.
Disk Size = 250 MB
With Sigfind I found other block entries. Trouble is how to find where the primary and secondary partitions are)