I initially posted this in the Open Source forum but since many members don't use open source I thought I might get an answer in the General Discussion
Greetings all! Has anyone seen Windows XP actually mount and attempt to run, and (most importantly) modify a boot sector of a dd image? Just curious because it just happened to me… twice. There is a Dell FAT partition on the front of the dd images, the images were put in their own directory in the root, and when I fired up the external hdd caddy XP apparently went out and touched the FAT util trying to auto-run the dd from its boot sectors? I swear it. Happened twice on the same machine. Well, that machine is no longer doing exams and the dd's didn't contain evidence, but just wondering if anyone's ever seen this… thanks.
Mikeypopo,
I've seen your posts in other locations, and I can't help but think that there's something more to the story…something else happened that isn't being listed here.
H
I'm not aware of a Windows installation ever looking past sector 0 for the MBR, but I guess it's possible. Wonder if there's a registry setting that allows the MBR to be anywhere…
A
A,
What about a dd image?
Harlan,
It was the darndest thing. It was a dd. I'll give you ALL the parameters of the situation.
Used Imager in XP to put 3 HDD copies as dd's in their own separate dirs on the root. When completed I confirmed a file structure with that machine and reverified hash. Took storage HDD (SATA) back to the lab & hooked up to exam machine via a firewire/cradle. XP turned into molasses and I couldn't see the drive. I had to force it open with Manager. I noticed in Manager it indicated it was healthy, and formatted but unpartitioned.
After a week of B.S. I finally recovered the images, but the first one - first one imaged and incidentally the first alphabetically - didn't match. The other two hashes confirmed. I looked at them and realized each target machine had a Dell FAT and an NTFS (identical machines, service tag #'s were very close & the Fujitsu HDDs were from the same batch.) So I did it again and kept a close eye on that FAT. Its hash changed. The NTFS didn't, and of course neither did the last 2 images. I have used the same process hundreds of times and never got that response. All I can think is to blame the machine and move on?
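As an added example (not from this thread or any of its posters), the comparison described above, hashing the FAT and the NTFS portions of a dd image separately to see which one changed, can be done from the image's own partition table rather than by eyeballing it. The script below parses the MBR in sector 0 of a raw image, hashes each partition's byte range plus the MBR and the whole file, and reports which regions differ between two copies. The image, partition types, sizes and the "tampered" byte are all constructed inline for the demo; any hashlib algorithm (MD5 included) works in place of SHA-256.

```python
"""Localise a hash change inside a raw dd image by hashing each MBR partition
separately.  Added example for this thread; standard library only."""
import hashlib
import struct

SECTOR = 512

# Constructed demo geometry (not from the thread): a small FAT partition
# followed by an NTFS partition, both sized in sectors.
FAT_START, FAT_SECTORS = 63, 40
NTFS_START, NTFS_SECTORS = 103, 80


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries from an MBR sector.

    The table lives at offset 446; each 16-byte entry is boot flag (1),
    CHS start (3), type (1), CHS end (3), LBA start (4, LE), sectors (4, LE).
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "type": ptype, "bootable": boot == 0x80,
                      "lba": lba, "sectors": count})
    return parts


def hash_regions(image: bytes, parts, algo: str = "sha256"):
    """Digest of the whole image, the MBR sector and each partition's bytes."""
    digests = {
        "image": hashlib.new(algo, image).hexdigest(),
        "mbr": hashlib.new(algo, image[:SECTOR]).hexdigest(),
    }
    for p in parts:
        start = p["lba"] * SECTOR
        end = start + p["sectors"] * SECTOR
        if end > len(image):
            raise ValueError(f"partition {p['index']} runs past end of image")
        key = f"part{p['index']}_type{p['type']:02x}"
        digests[key] = hashlib.new(algo, image[start:end]).hexdigest()
    return digests


def changed_regions(baseline: dict, current: dict):
    """Names of regions whose digest differs between two hash_regions() results."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def build_sample_image() -> bytes:
    """Construct a tiny two-partition image purely for demonstration."""
    def entry(boot, ptype, lba, count):
        return struct.pack("<B3xB3xII", boot, ptype, lba, count)

    img = bytearray((NTFS_START + NTFS_SECTORS) * SECTOR)
    table = (entry(0x80, 0x06, FAT_START, FAT_SECTORS)      # FAT16, bootable
             + entry(0x00, 0x07, NTFS_START, NTFS_SECTORS)  # NTFS
             + b"\x00" * 32)                                # two empty slots
    img[446:510] = table
    img[510:512] = b"\x55\xaa"
    # Distinguishable filler so each region has its own digest.
    img[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR] = b"F" * (FAT_SECTORS * SECTOR)
    img[NTFS_START * SECTOR:(NTFS_START + NTFS_SECTORS) * SECTOR] = b"N" * (NTFS_SECTORS * SECTOR)
    return bytes(img)


def demo():
    """Flip one byte inside the FAT volume's boot sector and see what moves."""
    original = build_sample_image()
    before = hash_regions(original, parse_mbr(original[:SECTOR]))
    tampered = bytearray(original)
    tampered[FAT_START * SECTOR + 3] ^= 0xFF      # constructed modification
    tampered = bytes(tampered)
    after = hash_regions(tampered, parse_mbr(tampered[:SECTOR]))
    return changed_regions(before, after)


if __name__ == "__main__":
    print(demo())   # whole-image digest and the FAT partition change; NTFS does not
```

On a real image, read the file with `open(path, "rb")`, hash it twice (before and after the storage drive has been attached to the suspect machine) and diff the two dictionaries; a change confined to `part0_…` with `mbr` unchanged tells you the partition table itself was not rewritten. For multi-gigabyte images, hash the slices in chunks rather than loading the file into memory as the demo does.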
Harlan,
Well, keep in mind that if you have a dd image, it won't start at sector 0. It is simply a regular file on the filesystem on which it was created. So it will start wherever the filesystem has allocated space for it, but certainly not at sector 0.
A
AC,
I'm well aware of that, but that explanation doesn't really do much to address Mikeypopo's original question.
Mikey,
Are you sure that XP attempted to run the first FAT? There are a lot of things that could account for sluggish performance, as well as modification of the FAT (ie, changing the MD5 hash). Do you have anti-virus on the system? Was it running at the time? If not, have you scanned the system for malware of any kind?
H
Yeah, I thought of that, but virus SW is off on all exam machines. If it is run, it's applied in a write-protected environment. All I can infer is that it "touched" the FAT since its hash changed - the NTFS didn't. What else would account for sluggishness? I'm stumped on this one, but at least I could sort of isolate the behavior and hopefully keep it from happening. I asked some folks at the CyberCrime Summit in Atlanta a few weeks ago and of course they all either (1) said I'm lying and trying to start "trouble" with dd images or (2) am an idiot. Oh well, just curious.
H,
Glad to know you're so smart.
Mikey,
It may be a BIOS thing now that I think about it. The BIOS would be the place that would search for a MBR and could possibly find one on the dd image. You might try resetting the BIOS to the original settings - or upgrading.
A
AC,
"Glad to know you're so smart."
Good point…I'm not. If I was, I would have understood what you were saying a bit better, in the context of the thread.
Sorry.