Forgive me if this is a dumb question ? , but I am new to disk forensics. I have dd'd a number of drives without issues and looked at MBRs a number of times, but I have a drive now that I can't seem to find the MBR on. When I grab the first sector I have what appears to be an NTFS partition (e.g. it starts with ëRNTFS or EB52904E544653 and byte 446 contains some NTFS stuff instead of the expected MBR). I tried it several times and keep getting the same thing. This tells me that I am misunderstanding something fundamental, but after a good batch of googling and re-reading Carrier I still can't figure out where I wrong. Would someone have the patience to point me in the right direction? Thanks!
Some devices (typically memory sticks) do not have an MBR, just the partition header. It means it is a single partition drive. Not common with NTFS though.
This can also sometimes happen if you DD a logical partition, eg Drive J, rather than a physical drive
Thanks, it turns out that I am not losing my mind. My DD captures are indeed just grabbing the logical partition - I don't know why, but back to google. In the mean time FTK Imager is filling the void.
Thanks, it turns out that I am not losing my mind. My DD captures are indeed just grabbing the logical partition - I don't know why, but back to google. In the mean time FTK Imager is filling the void.
Which EXACT dd version are you using?
Under which OS?
Which EXACT command line did you use?
jaclaz
Sounds very likely you're doing if=/dev/sda1 instead of if=/dev/sda
(or hda1 instead of hda etc)
Sounds very likely you're doing if=/dev/sda1 instead of if=/dev/sda
(or hda1 instead of hda etc)
Yes, of course - thanks! A mental glitch and I swicthed commands last week without thinking. Just when you think you are learning something there is a 'newbie' mistake waiting to be made!