Hi guys,
I have found evidence for a hidden FAT16 Partition in EnCase which I am trying to mount.
I have never had to do this before so some assistance would be great.
Thanks in advance,
Dan
That looks like encase, if i recall you just right click and select "add partition". Ill have to check on tuesday when I'm back at work.
googling "recover a deleted partition in encase" comes back with this book http//
which pretty much says the same thing
Find that sector in Disk View, right click, and select Add Partition. If my memory serves me correctly.
Click into the hex, where the FAT16 markup is. Add partition, 0 offset/sectors before in the Add partition menu.. EnCase will calculate the partition for you and create.
I cannot see enough from your dump, or the location on the disk to be clear with what you are displaying.
Does the data start on a sector boundary - it is always easiest to display offsets in Hex, and that way a multiple of 0x200 will be clear.
It could be just a copy of a FAT16 partition header which is used by the operating system to help format a disk. If the data does not start on a 0x200 boundary, it is likely to be the copy of data, rather than an active header.
To see if a real header, look if the pointers point to a FAT and root directory
It's the forum preview that makes the image not readable.
Opening it in a new page it becomes sharper/bigger and thus readable.
But without the actual hex dump it is of course impossible to read the "dots".
The MSWIN4.0 and the IO.SYS and MSDOS.SYS "system files" are enough to say that it is a MS-DOS botable bootsector.
MSWIN4.0 should mean Windows 95 "A".
The "LHIDDEN" label is not however the "standard" one, which is "NO NAME".
As well the original Windows 95 bootsector, if memory serves me well, should also contain the name of the "third" system file "WINBOOT.SYS".
jaclaz