Folks,
I am examining a suspect PC at the moment which is causing me to scratch my head a bit. When the image of the boot drive is imported into Encase it all looks great. There is a System Reserved partition and a main OS partition. Encase happily plays with the data and I can poke around as usual. FTK Imager will mount it and Windows will see it mounted.
When I imported the images into X-Ways, however, I started to run into an issue. X-Ways loads the partitions and correctly lists the file structure etc.; however, the partitions show up as "deleted".
This caused me to have a harder look at the MBR/partition table. My examination showed the Boot Indicator (Partition Status in Encase parlance) had a value of 0x81 for the System Reserved partition.
Every reference I can find bar one (including Harlan's) indicates the Boot Indicator can only be 0x00 (default) or 0x80 (bootable/active). The one exception I found to this was a very old reference to manually repairing Win 95 MBRs which said 0x80 or above for bootable, and this source didn't seem very authoritative or trustworthy.
The drive is a 2TB Seagate with Windows 7 Ultimate SP1, NTFS for both partitions. When we first encountered the PC it was live, so I know the machine boots (or at least did boot).
I don't really want to build a bunch of Ultimate SP1 installs to see if it happens often or not, but it's looking that way at the moment.
Has anyone come across the 0x81 boot indicator before? Any way to explain it? (It's not a deal breaker if I can't, I just really don't like unanswered questions).
Cheers,
Chris
Hi Chris,
I think 0x81 identifies the second bootable device for the BIOS.
http//
I had no time to check though, can someone confirm that ?
Every reference I can find bar one (Including Harlan's) indicates the Boot Indicator can only be 0x00 (default) or 0x80 (bootable/active).
Can you provide a reference to where Harlan has stated that the Boot Indicator values _can only be_ 0x00 or 0x80?
Thanks.
Can you provide a reference to where Harlan has stated that the Boot Indicator values _can only be_ 0x00 or 0x80?
Thanks.
Lol, brain fart, getting old. Brian Carrier not Harlan. My bad, sorry Harlan.
PS. Carrier - File System Forensic Analysis p89: "The bootable flag is not always necessary. The standard boot code for a system with only one OS looks for an entry whose flag is set to 0x80". Not definitive I know, but all I could find.
cedricpernet - thanks for that, a good read. The problem with that one is it is their own bios and boot code, so there is no guarantee it's the same for normal systems.
Cheers,
Chris
Any way to explain it?
First thing is to examine the MBR boot code – does it do something special with 0x80?
Old boot code ensured you had 0x80 or 0x00 – anything else caused an 'illegal partition table' error. Modern code is a bit more tricky – the standard Win7 boot code (as listed on the starman site) looks as if the 8th bit being set would trigger a boot attempt.
But that may be irrelevant – it's what *your* bootcode does that matters. Is it standard boot code or not, as produced by Win7 or Vista or 2k/XP or … ? Should be easy enough to check.
PS. Carrier - File System Forensic Analysis p89: "The bootable flag is not always necessary. The standard boot code for a system with only one OS looks for an entry whose flag is set to 0x80". Not definitive I know, but all I could find.
That still doesn't say that the value can only be 0x00 or 0x80…
That particular value is a "legacy" remainder.
In the "old times" disks had a number (they still have in the BIOS)
0x80 128 first disk
0x81 129 second disk
….
BUT the ONLY way to boot DOS was from first hard disk, active partition.
AND the *only* possibility was to have a single primary partition (and at the most a single extended one) on each disk.
Thus 0x80 used to mean "Active partition on first disk" = "actual boot partition" and later became a synonym of "Active partition on *any* disk".
Mind you that the same value 0x80 is in the bootsector
http//
No idea how/why/by what the 0x81 was set in your case, though.
jaclaz
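A small parser for the partition table discussed in this thread, added here as an example and not code from any of the posters: it reads the four 16-byte entries at offset 446 of sector 0, reports each boot indicator, and flags any value other than 0x00 or 0x80 so an examiner can spot a 0x81 before a tool silently treats the partition as deleted. The sample MBR is constructed to mimic Chris's layout (System Reserved with 0x81, NTFS OS partition with 0x00); its sizes and offsets are assumptions.

```python
import struct

# Layout constants of a classic (non-GPT) MBR.
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55   # bytes 0x55 0xAA at offset 510, read little-endian

def classify_boot_indicator(value: int) -> str:
    """Label the boot-indicator byte the way an examiner wants it reported."""
    if value == 0x00:
        return "inactive"
    if value == 0x80:
        return "active"
    if value & 0x80:
        # Bit 7 set but not exactly 0x80: the thread's 0x81 case. Whether it
        # still boots depends on the MBR boot code installed on that disk.
        return "non-standard, bit 7 set"
    return "non-standard"

def parse_partition_table(mbr: bytes) -> list:
    """Return the populated primary entries of sector 0 as dicts."""
    if len(mbr) < 512:
        raise ValueError("need the full 512-byte sector 0")
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        # boot flag, 3 CHS-start bytes skipped, type, 3 CHS-end bytes skipped, LBA start, size
        boot, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0x00:
            continue   # unused slot
        entries.append({"slot": slot, "boot": boot, "status": classify_boot_indicator(boot),
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def boot_flag_anomalies(mbr: bytes) -> list:
    """Slots whose boot indicator is neither 0x00 nor 0x80."""
    return [e["slot"] for e in parse_partition_table(mbr) if e["boot"] not in (0x00, 0x80)]

def build_sample_mbr() -> bytes:
    """Constructed sector 0 (assumed values): 0x81 on System Reserved, 0x00 on the OS partition."""
    def entry(boot, ptype, start, size):
        return struct.pack("<B3xB3xII", boot, ptype, start, size)
    table = (entry(0x81, 0x07, 2048, 204800)          # 100 MB NTFS "System Reserved"
             + entry(0x00, 0x07, 206848, 3900000000)  # NTFS OS partition, ~2 TB
             + bytes(32))                              # two unused slots
    return bytes(446) + table + b"\x55\xAA"

if __name__ == "__main__":
    for e in parse_partition_table(build_sample_mbr()):
        print(e)
    print("anomalous slots:", boot_flag_anomalies(build_sample_mbr()))
```

To run it against a real image, pass the first 512 bytes of the physical disk image to parse_partition_table instead of the constructed sample.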