Image file with cor...
 
Notifications
Clear all

Image file with corrupted primary partition table

22 Posts
4 Users
0 Reactions
2,872 Views
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

Can you give me a dd expression to get the first partition?
Thanks


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

This is not the boot sector. This is the BPB normally found at sector 0x3F (XP) or 0x800 (Vista / Windows7) on an NTFS disk

The BPB is part of the Boot Sector (at block zero of each volume)


   
ReplyQuote
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

Can you please look at the MBR hex representation that I provided in the earlier response.

I used following first to get the block address and then got the hex
sigfind -o 510 -l AA55 diskimage.dd

dd if=diskimage.dd bs=512 skip=56 count=1 | xxd
(The hex from this is in previous reply)
This is kind of urgent so any help will be much appreciated


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

Can you please look at the MBR hex representation that I provided in the earlier response.

I used following first to get the block address and then got the hex
sigfind -o 510 -l AA55 diskimage.dd

dd if=diskimage.dd bs=512 skip=56 count=1 | xxd
(The hex from this is in previous reply)
This is kind of urgent so any help will be much appreciated

dd if=<infile> of=<outfile> skip=<boot sector offset> count=<total sectors>

You need to read the total sectors from the boot sector (a 64 bit int at offset 0x28).

In the one you posted here it reads as 511503.


   
ReplyQuote
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

I didnt get it(
Total sectors on the disk = 498015

How do I extract the partition? can you please give me exact dd expression with values for skip and count filled in, based on what I gave. If u need any other info, please do let me know.

I apologize for not understanding this, very new to the biz(


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

I didnt get it(
Total sectors on the disk = 498015

How do I extract the partition? can you please give me exact dd expression with values for skip and count filled in, based on what I gave. If u need any other info, please do let me know.

I apologize for not understanding this, very new to the biz(

where did you get that value from ?


   
ReplyQuote
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

I put in the values for no of cylinders, etc. to calculate the total no of sectors.


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

I put in the values for no of cylinders, etc. to calculate the total no of sectors.

stop using sigfind its a painful way to do things.

This is how I do it when I'm rebuilding a partition table. I've done a few.

10 Load image into a hex editor
20 scan up the disk looking for sectors beginning with strings like NTFS, FAT or FAT32 at the start (or failing that 0x55AA at the end) you should (hopefully) see one at about 63.
30 analyse the boot sector according to its type. If its NTFS use the offsets in the link I gave earlier, if FAT then this will do http//www.easeus.com/resource/fat32-disk-structure.htm
40 read the number of sectors using the data from the boot sector
50 using the start offset from 20 and the volume size from 40 mount the file system.
60 Extract the files
70 add the volume size to the partition offset to get an idea of where the next volume is.
80 If not at the end of the disk THEN GOTO 20

What OS are working in ?


   
ReplyQuote
(@newbie13)
Active Member
Joined: 14 years ago
Posts: 15
Topic starter  

I am working on Backtrack (linux) And I have to use dd and other tools to extract the partition. So above wont work for me(

Also I am looking for an understanding of what the first 512 bytes of boot sector for NTFS entails.

Thank you)


   
ReplyQuote
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

I am working on Backtrack (linux) And I have to use dd and other tools to extract the partition. So above wont work for me(

Also I am looking for an understanding of what the first 512 bytes of boot sector for NTFS entails.

Thank you)

http//www.ntfs.com/ntfs-partition-boot-sector.htm


   
ReplyQuote
Page 2 / 3
Share: