NTFS boot sector question

17 Posts
8 Users
0 Reactions
1,523 Views
(@magneto)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

Hi all,

I have a very odd scenario that I would like to determine the cause of. I work in forensics but this one doesn't require any forensic service.

I have been recovering a customer's drive that has severe media damage. The drive has two partitions, an NTFS Compaq Diagnostic partition that is 6GB at the front of the drive and a second partition that is the boot partition of the drive. I was only recently able to recover the boot sector of the second NTFS partition.

As soon as I was able to recover the boot sector of the second partition, the drive crashes every system I connect it to. It doesn't matter if I cold boot, warm boot, go through a write-blocker or use any other method. It crashes everything. There is nothing wrong with the target drive. Additionally, every time that I write over the boot sector that causes me this trouble, it stops crashing the systems. I have analyzed the sector and I don't see anything out of the ordinary.

Maybe someone can look at the sector and see if they notice anything out of the ordinary that I've missed. Or at the very least post any experiences with this type of behavior. I know it's something Windows is doing (I haven't wasted time booting into Linux because the data recovery is going fine).

I realize this is a horrible way to post this so if someone has another suggestion (PM, another place to host it) I'm willing to do whatever.

Thanks

Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

00000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
00000016 00 00 00 00 00 F8 00 00 3F 00 FF 00 10 2F C0 00
00000032 00 00 00 00 80 00 80 00 B0 08 39 0D 00 00 00 00
00000048 00 00 0C 00 00 00 00 00 67 11 27 00 00 00 00 00
00000064 F6 00 00 00 01 00 00 00 B0 C4 9C B0 FB 9C B0 34
00000080 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07
00000096 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00
00000112 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4
00000128 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66
00000144 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F
00000160 B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A
00000176 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01
00000192 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66
00000208 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A
00000224 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00
00000240 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00
00000256 B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07
00000272 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00
00000288 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36
00000304 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8
00000320 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66
00000336 FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61
00000352 C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE
00000368 B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10
00000384 EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64
00000400 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00
00000416 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69
00000432 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F
00000448 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73
00000464 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F
00000480 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00
00000496 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 


Offset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

00000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
00000016 00 00 00 00 00 F8 00 00 3F 00 FF 00 10 2F C0 00
00000032 00 00 00 00 80 00 80 00 B0 08 39 0D 00 00 00 00
00000048 00 00 0C 00 00 00 00 00 67 11 27 00 00 00 00 00
00000064 F6 00 00 00 01 00 00 00 B0 C4 9C B0 FB 9C B0 34
00000080 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07
00000096 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00
00000112 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4
00000128 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66
00000144 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F
00000160 B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A
00000176 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01
00000192 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66
00000208 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A
00000224 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00
00000240 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00
00000256 B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07
00000272 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00
00000288 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36
00000304 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8
00000320 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66
00000336 FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61
00000352 C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE
00000368 B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10
00000384 EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64
00000400 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00
00000416 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69
00000432 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F
00000448 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73
00000464 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F
00000480 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00
00000496 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA

No idea, but a wee bit more legible. 😉


   
(@magneto)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

Thanks for doing that! Care to give me the secret so that I don't have to go around with posts like that?

I was gonna take a screenshot of it in WinHex and then just post it as an image, but I wasn't sure if that was any good or not.

Either way, I really appreciate it.


   
(@fresponse_s)
Trusted Member
Joined: 17 years ago
Posts: 70
 

The better place to look is at the crash information.

Do you have a minidmp from the crash? PM me offline, if you've got a minidmp I can take a look at that and give you some information.


   
(@chris2792)
Eminent Member
Joined: 18 years ago
Posts: 33
 

If you can share the Master Boot Record and the Partition Boot Record as a dd file, perhaps it's possible to do some tests (and it would be easier to analyze it).


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Thanks for doing that! Care to give me the secret so that I don't have to go around with posts like that?

Sure, that particular secret is the use of blocks. ( No spaces between brackets - inserted here so they don't parse. )

Other secrets can be found at http://www.forensicfocus.com/index.php?name=Forums&file=faq&mode=bbcode

D


   
(@j2222)
Eminent Member
Joined: 20 years ago
Posts: 36
 

Any more info on what stage it crashes at and what, if any, messages you get?


   
(@magneto)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

The better place to look is at the crash information..
Do you have a minidmp from the crash? PM me offline, if you've got a minidmp I can take a look at that and give you some information.

I will try to get the minidmp from the system that it crashed. If not I'll just recreate the scenario.

@ chris2792 I might be able to get this done today. If I can I will be sure to post it.

@ azrael - Thanks again. I'll be sure to use that method from now on.

@ j2222 - Using WinHex I write the bad sector to the drive at the correct LBA specified by the MBR. Almost instantly it crashes. No messages. Nothing. Then the system reboots over and over, never booting again until the drive is detached from the system. Even through a write blocker it still crashes the system.

I know it's just that single sector that causes the whole crash. I have just never seen a single sector crash a system consistently when it appears to be intact.


   
(@magneto)
Active Member
Joined: 17 years ago
Posts: 6
Topic starter  

So I checked for a minidump yesterday but there's only one on the system and it's from July. So no minidump. I can get the MBR in addition to the boot sector up on the site.


   
Wardy
(@wardy)
Estimable Member
Joined: 20 years ago
Posts: 149
 

Your sector size is 512. Bytes 11 + 12 (00 20) = 200h = 512.

Your sectors per cluster = 8. Byte 13.

Your MFT offset is cluster 786432.

I suspect this boot sector is actually valid, and that you need to look elsewhere to find the cause to the crash - such as the MFT.


   
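Wardy's decode of the BPB, carried through in code as an added example (not something any participant posted). It unpacks the 512 bytes exactly as listed in the first post: bytes 11-12 read 00 02 little-endian, so 0x0200 = 512 bytes per sector; byte 13 is 8 sectors per cluster; the 8-byte field at offset 48 puts $MFT at cluster 786432, which with 4 KiB clusters is exactly 3 GiB into the volume; and the hidden-sector count at offset 28, 12594960 sectors, places the partition about 6.0 GiB into the disk, which agrees with the 6GB diagnostic partition described in front of it. Function and key names are this example's own choices, and the checks are the structural conditions a parser should verify before trusting a sector, not a reproduction of what the Windows driver does.

```python
"""Decode and sanity-check the NTFS boot sector posted in this thread.

Added example, not code from any post. BOOT_SECTOR holds the bytes of the
dump in the first post (re-flowed to 32 bytes per line); the field layout is
the documented NTFS boot sector (BPB plus extended BPB). Function and key
names are this example's own.
"""
import struct

# Bytes 0x00-0x53 are the BPB/extended BPB, 0x54-0x1FD the boot code,
# 0x1FE-0x1FF the 55 AA signature.
BOOT_SECTOR = bytes.fromhex("""
EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 00 00 00 00 00 F8 00 00 3F 00 FF 00 10 2F C0 00
00 00 00 00 80 00 80 00 B0 08 39 0D 00 00 00 00 00 00 0C 00 00 00 00 00 67 11 27 00 00 00 00 00
F6 00 00 00 01 00 00 00 B0 C4 9C B0 FB 9C B0 34 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07
8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4
08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F
B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01
74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A
00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00
B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00
66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8
01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66 FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61
C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10
EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00
0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F
6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F
20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA
""")


def _record_size(field, cluster_size):
    # Bytes 0x40/0x44: n >= 0 is a cluster count, n < 0 means 2**(-n) bytes.
    return field * cluster_size if field >= 0 else 1 << -field


def parse_ntfs_boot_sector(sector):
    """Unpack the BPB/extended BPB of a 512-byte NTFS boot sector into raw
    fields plus the derived sizes and offsets a parser actually needs."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte sector")
    (jump, oem, bps, spc, reserved, zero10, _, _media, zero16, _spt, _heads,
     hidden, _, _, total, mft, mftmirr, cpfr, _, cpib, _, serial,
     _cksum) = struct.unpack_from("<3s8sHBH3sHBHHHIIIQQQb3sb3sQI", sector)
    cluster = bps * spc
    return {
        "oem_id": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "zero_0x10": zero10, "zero_0x16": zero16,
        "hidden_sectors": hidden, "total_sectors": total,
        "mft_lcn": mft, "mftmirr_lcn": mftmirr, "serial": f"{serial:016X}",
        "signature": struct.unpack_from("<H", sector, 0x1FE)[0],
        # derived values
        "cluster_size": cluster,
        "total_clusters": total // spc if spc else 0,
        "mft_record_size": _record_size(cpfr, cluster),
        "index_record_size": _record_size(cpib, cluster),
        "mft_byte_offset": mft * cluster,
        "partition_byte_offset": hidden * bps,
        # EB xx is a short jump; the boot code starts at 2 + xx (0x54 on NTFS)
        "jump_target": 2 + jump[1] if jump[0] == 0xEB else None,
    }


def sanity_check(f):
    """Structural checks to pass before trusting the sector. Returns a list of
    problems; empty means the BPB is self-consistent. Assumes the XP-era
    encoding of cluster size (one byte, at most 128 sectors per cluster)."""
    p = []
    if f["signature"] != 0xAA55:
        p.append("missing 55 AA signature")
    if f["oem_id"] != b"NTFS    ":
        p.append("OEM ID is not 'NTFS    '")
    if f["bytes_per_sector"] not in (256, 512, 1024, 2048, 4096):
        p.append("bytes per sector not a power of two in 256..4096")
    if f["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        p.append("sectors per cluster not a power of two up to 128")
    if f["reserved_sectors"] or f["zero_0x10"] != b"\0\0\0" or f["zero_0x16"]:
        p.append("fields the NTFS layout defines as zero are non-zero")
    rs = f["mft_record_size"]
    if rs < 256 or rs & (rs - 1):
        p.append("MFT record size is not a power of two >= 256")
    for name in ("mft_lcn", "mftmirr_lcn"):
        if f[name] >= f["total_clusters"]:
            p.append(f"{name} lies outside the volume")
    if f["mft_lcn"] == f["mftmirr_lcn"]:
        p.append("$MFT and $MFTMirr start at the same cluster")
    return p


if __name__ == "__main__":
    fields = parse_ntfs_boot_sector(BOOT_SECTOR)
    for k, v in fields.items():
        print(f"{k:>22}: {v}")
    print("problems:", sanity_check(fields) or "none")
```

Run stand-alone it prints every field and `problems: none` for the posted sector, which agrees with the conclusion above that the sector itself is well-formed: the jump lands on the boot code at 0x54, $MFT and $MFTMirr both fall inside the 221841584-sector volume, and the MFT record size decodes to the usual 1024 bytes. The same routine is a quick triage step for any boot sector recovered from damaged media: a non-empty problem list points at the BPB, an empty one says the trouble is further in, starting with $MFT.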