It may be a BIOS thing now that I think about it.
I think it unlikely to be the BIOS; the BIOS will search for physical disks, then read the MBR, discover the active partition, and load the boot loader. The BIOS cannot know about the dd image at this point, as it is not aware of any logical file system.
echo6…
Again, I'm not a bright guy, but that was my thinking, as well…
H
Greetings all! Has anyone seen Windows XP actually mount and attempt to run, and (most importantly) modify a boot sector of a dd image?
No. XP will never "mount" or even try to mount a dd image. Even if you would like to do so, you would need to install some kind of additional software; XP itself can't do it.
There is a Dell FAT partition on the front of the dd images, the images were put in their own directory in the root
What does that mean? When you say "Dell FAT partition", does that mean that it is some special recovery partition (a non-standard partition type which is not recognized by XP)? Can you post the partition table?
…and when I fired up the external HDD caddy, XP apparently went out and touched the FAT util, trying to auto-run the dd from its boot sectors?
What does "touched the FAT" mean? What exactly was changed? How did you notice that?
Chris,
By default, most Dell systems (even PowerEdge servers, not just laptops and desktops) arrive with a small FAT partition that is essentially the Dell maintenance partition. Unfortunately, many folks that perform forensic analysis don't seem to be aware of this, and either don't know how to refer to it, or think that the system has been hacked in some way.
As far as "touching the FAT" (kind of nasty, if you ask me) goes, I do know that when I plug an external HDD into my system, I will get a dialog prompting me for an action…the next time I see it, I'll get the window title. However, every time I see it, I simply cancel it.
Maybe this is what Mikey is referring to. To me, it still doesn't make sense that XP (which is already a booted operating system) would try to access the boot sector of a dd image and try to run (essentially, boot) it. As others have said, a dd image is just a file.
H
Thanks for all the responses! Isn't a dd just a bit-for-bit copy cut up into pieces? I ran GetDataBack against the drive (because there was nothing actually in the root) and it found the MFT. I could see it reading off the image names in the entries in the table, but when it got to their physical location it started recovering the actual files on each image, like there were no actual dd files present.
I've had a similar occurrence a few months back. Two completely separate things.
1. Sluggish response - Do you by default have file indexing turned on? Usually on by default in XP! I plugged in a new USB drive loaded with data and it became sluggish.
2. Sluggish and changing of the FAT partition in first DD image – I think you may have several bad sectors or tracks in the area of the FAT partition of the first DD image. This would account for very sluggish behaviour (disk read retries and timeouts), and also this would account for the md5sum value changing.
Try using dd to copy the first image using 1k blocks. You should be able to see the drive timeouts on the screen. SATA drives might automatically remap the bad sectors/tracks, so it is unlikely to reoccur. I've not
Just some possible ideas.
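Two things were asked for above: the partition table of the image (to tell whether the "Dell FAT partition" is an ordinary FAT type or the Dell utility type) and a way to pin down where in the first image the bytes behind the changed md5sum actually moved. The block below is an added example, not code from this thread or from any of the posters: it parses the MBR at the front of a raw dd image, lists the partition entries (flagging type 0xDE, the Dell utility partition type, and the FAT types), then hashes a baseline copy and the current copy in 1 KiB blocks and reports which blocks differ and which partition each falls in. The sample image is constructed inline (a type 0xDE partition followed by a FAT16 partition) and is not a real Dell layout; `compare_images` and `partition_for_offset` are names chosen here, not tools anyone in the thread mentioned.

```python
"""Locate what changed in a dd image and map it to the MBR partition table.

Added example (not from the forum thread). The sample image below is
constructed here and is not a real Dell disk layout.
"""
import hashlib
import io
import struct

SECTOR = 512
BLOCK = 1024  # 1 KiB blocks, the granularity suggested for re-reading with dd

# MBR partition type bytes that matter here. 0xDE is the Dell utility
# (maintenance) partition type; the others are common FAT/NTFS types.
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x06: "FAT16", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x07: "NTFS/HPFS/exFAT",
    0xDE: "Dell Utility",
}


def parse_mbr(sector0):
    """Return the non-empty entries of a classic (non-GPT) MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR, or image is truncated")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
                      "start": start, "sectors": count})
    return parts


def partition_for_offset(offset, parts):
    """Name of the partition containing a byte offset, or 'unallocated'."""
    sector = offset // SECTOR
    for p in parts:
        if p["start"] <= sector < p["start"] + p["sectors"]:
            return p["name"]
    return "unallocated"


def changed_blocks(baseline, current, block=BLOCK):
    """Byte offsets of block-sized chunks whose MD5 differs between two streams."""
    changed, off = [], 0
    while True:
        a, b = baseline.read(block), current.read(block)
        if not a and not b:
            break
        if hashlib.md5(a).digest() != hashlib.md5(b).digest():
            changed.append(off)
        off += block
    return changed


def compare_images(baseline_bytes, current_bytes):
    """[(offset, partition name)] for every differing 1 KiB block.
    A block straddling a partition boundary is attributed to its first sector."""
    parts = parse_mbr(baseline_bytes[:SECTOR])
    diffs = changed_blocks(io.BytesIO(baseline_bytes), io.BytesIO(current_bytes))
    return [(off, partition_for_offset(off, parts)) for off in diffs]


def build_sample_image():
    """Constructed 4 MiB image: type 0xDE partition at sector 63, FAT16 at 4096."""
    img = bytearray(8192 * SECTOR)

    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)

    img[446:462] = entry(0x00, 0xDE, 63, 4033)    # sectors 63..4095
    img[462:478] = entry(0x80, 0x06, 4096, 4096)  # sectors 4096..8191, active
    img[510:512] = b"\x55\xaa"
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()
# A "touched" copy of the constructed image: one byte altered inside each partition.
_m = bytearray(SAMPLE_IMAGE)
_m[64 * SECTOR + 3] ^= 0xFF      # sector 64, inside the Dell utility partition
_m[5000 * SECTOR + 11] ^= 0xFF   # sector 5000, inside the FAT16 partition
MODIFIED_IMAGE = bytes(_m)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_IMAGE[:SECTOR]):
        print("partition %d: type 0x%02X %-13s start %6d sectors %6d%s" % (
            p["index"], p["type"], p["name"], p["start"], p["sectors"],
            " (bootable)" if p["bootable"] else ""))
    same = hashlib.md5(SAMPLE_IMAGE).digest() == hashlib.md5(MODIFIED_IMAGE).digest()
    print("whole-image md5 match:", same)
    for off, name in compare_images(SAMPLE_IMAGE, MODIFIED_IMAGE):
        print("block at byte %d (sector %d) differs: %s" % (off, off // SECTOR, name))
```

For a real multi-gigabyte image piece, open both copies in binary mode and pass the file objects to `changed_blocks` instead of wrapping bytes in `io.BytesIO`; the per-block hashing means the whole image is never held in memory. If the differing blocks all sit in the first 1 KiB of the Dell partition's boot sector, something did write there; if they are scattered and coincide with slow reads, the bad-sector explanation above becomes the more likely one.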
DD is a bit-for-bit copy! I do not understand your "cut up into pieces" reference! Various utilities can create a DD image format, so to speak! Often DD images are broken up into sections for writing to CD (650 MB) or DVD (4.8 GB), 2 GB, etc…
Chris,
By default, most Dell systems (even PowerEdge servers, not just laptops and desktops) arrive with a small FAT partition that is essentially the Dell maintenance partition.
I've seen these kind of partitions on IBM-machines but was not sure if it's the same with DELL.
As far as "touching the FAT" (kind of nasty, if you ask me) goes, I do know that when I plug an external HDD into my system, I will get a dialog prompting me for an action…the next time I see it, I'll get the window title. However, every time I see it, I simply cancel it.
That's the behavior of the Autoplay (not Autorun!) feature of Windows. Detailed explanation
If you want to disable it completely edit the registry (BTW according to
Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Value REG_DWORD 0xFD
If you want to prevent autoplay only for a specific component see
az_gfca,
I am sorry this happened to you, but I am relieved it's not my procedures. The "cut into pieces" - yea, it was 4.8 gig sections. And Chris, great idea - from now on the reg will be edited on all forensic machines. Thanks guys!