Noob at forensics. Question about MBR and the sart of a sector

General Discussion

Last Post by tom 2 years ago

3 Posts

2 Users

0 Likes

824 Views

RSS

tom

(@tom)

Posts: 2

New Member

Topic starter

Good day am new here and at forensics.

I'm looking at a hex dump of the MBR and EDR but at a loss please some assistance 😉

Just got two questions how can i determine if a hex dump of the MBR is in little endian or in big endian?

Second how can i tell what is the start of a partition the second after the first at 0xBE

regards

Posted : 31/10/2020 1:05 pm

jaclaz

(@jaclaz)

Posts: 5133

Illustrious Member

Easy way?

Get good ol' tiny hexer:

https://www.softpedia.com/get/Others/Miscellaneous/tiny-hexer.shtml

AND (shameless plug) my MBR template/Structure Viewer.

http://reboot.pro/topic/8734-tiny-hexer-scripts/

MBR's are little endian, (the data), with - possibly - the exception of the Disk Signature that - depending on the tools in use is interpreted either as a number (little endian) or as a sequence of bytes.

What do you mean by EDR?

jaclaz

Posted : 01/11/2020 10:05 am

tom

(@tom)

Posts: 2

New Member

Topic starter

@jaclaz thank you!

I will return with yet another question 😉

Posted : 02/11/2020 7:57 am

12 Forums
15.3 K Topics
91.6 K Posts
10 Online
39.3 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed