Quick Forensic Challenge
How can I possibly try to outdo the great diary Rob posted? I can't, so I'm not even going to try.
Instead, and because it's been sl... err, qu... err... not particularly eventful (not that we're superstitious or anything), here is a quick forensic challenge for everyone.
The first person to correctly identify this and tell me the three things that are wrong will win fame, fortune, the undying admiration of everyone who visits us and, best of all... an ISC sticker! ;)
000000000 EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
000000010 00 00 00 00 00 F8 00 00 01 00 01 00 00 00 00 00
000000020 00 00 00 00 80 00 80 00 FF FD FF 00 00 00 00 00
000000030 00 00 0C 00 00 00 00 00 DF FF 0F 00 00 00 00 00
000000040 F6 00 00 00 01 00 00 00 01 8A F4 BC D1 F4 BC FA
000000050 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07
000000060 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E
000000070 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB
000000080 55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC
000000090 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13
0000000A0 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3
0000000B0 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8
0000000C0 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8
0000000D0 40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D
0000000E0 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16
0000000F0 68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66
000000100 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01
000000110 90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E
000000120 66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00
000000130 B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A
000000140 66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16
000000150 0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0
000000160 F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B
000000170 F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3
000000180 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72
000000190 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42
0000001A0 4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E
0000001B0 67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 72
0000001C0 65 73 02 63 6F 6D 73 65 64 00 0D 0A 50 72 65 73
0000001D0 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74
0000001E0 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00
0000001F0 00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 00 00
UPDATE:
Surprisingly, we don't yet have a winner.
It is the first sector of a drive, so the item has been identified properly, and the AA55h signature is indeed missing from the end of the sector, so two problems remain to be found.
Yes, you could just load it into EnCase or something similar and have it spit out results to you, but what fun would that be? :)
Hint: I know it says NTFS when you convert the hex to ASCII, but the question is what is wrong with this. Be specific.
UPDATE2: People are circling around it. Several people have identified a problem between 0x1B0 and 0x1CF, and yes, it should correctly spell "compressed". One person went so far as to send what the correct hex should be, but that's just the ASCII. What does the incorrect hex mean?
Both of the remaining problems can be found by examining the hex values between 0x1B0 and 0x1CF.
The values from 0x1F8 to 0x1FB were incorrect, as a few people pointed out. Apparently I got a little carried away with the delete key when I was removing the end-of-MBR signature. :) This was not one of the errors I had intended for you to find, so kudos to those who did!
Christopher Carboni - Handler On Duty - isc dot chris at gmail dot com
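An added example, not part of the diary and not ISC tooling: a small Python parser that does by hand what loading the dump into EnCase would do for you. It transcribes the 512 bytes from the dump above, unpacks the standard NTFS BIOS parameter block, walks the error-message index table at 0x1F8, and lists the invariants that fail. The 0x100|n rule for that table is read straight off the display routine in the dump (offset 0x16D: mov ah,1 / mov si,ax, so an index byte n selects the NUL-terminated string at 0x1nn); the code in this sector only consults entries [0x1F8] and [0x1FB], but the example resolves all four. The MFT/MFT-mirror range check is my own sanity check and goes beyond what the challenge asks. repaired_sector applies only the two fixes the updates confirm, the spelling of "compressed" and the 55 AA signature; the checker then comes back clean, so whatever the 02 byte is meant to signify is not something these invariants catch.

```python
import string
import struct

# The 512 bytes of the diary's dump, offsets stripped, two 16-byte rows per line.
SECTOR_HEX = """
EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00  00 00 00 00 00 F8 00 00 01 00 01 00 00 00 00 00
00 00 00 00 80 00 80 00 FF FD FF 00 00 00 00 00  00 00 0C 00 00 00 00 00 DF FF 0F 00 00 00 00 00
F6 00 00 00 01 00 00 00 01 8A F4 BC D1 F4 BC FA  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07
1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E  54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB
55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC  18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13
9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3  0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8
66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8  40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D
66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16  68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66
55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01  90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E
66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00  B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A
66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16  0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0
F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B  F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3
0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72  72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42
4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E  67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 72
65 73 02 63 6F 6D 73 65 64 00 0D 0A 50 72 65 73  73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74
6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00  00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 00 00
"""
SECTOR = bytes.fromhex(SECTOR_HEX)

# Standard NTFS boot-sector layout: offset -> (name, little-endian struct format).
FIELDS = (
    (0x00, "jump", "<3s"), (0x03, "oem_id", "<8s"),
    (0x0B, "bytes_per_sector", "<H"), (0x0D, "sectors_per_cluster", "<B"),
    (0x0E, "reserved_sectors", "<H"), (0x15, "media_descriptor", "<B"),
    (0x18, "sectors_per_track", "<H"), (0x1A, "heads", "<H"),
    (0x1C, "hidden_sectors", "<I"), (0x28, "total_sectors", "<Q"),
    (0x30, "mft_lcn", "<Q"), (0x38, "mftmirr_lcn", "<Q"),
    (0x40, "clusters_per_file_record", "<b"),  # negative n means 2**-n bytes per record
    (0x44, "clusters_per_index_buffer", "<b"),
    (0x48, "volume_serial", "<Q"), (0x1FE, "boot_signature", "<H"),
)
PRINTABLE = set(string.printable.encode())

def parse_bpb(sector):
    """Unpack the BIOS parameter block into a dict keyed by field name."""
    fields = {}
    for off, name, fmt in FIELDS:
        (fields[name],) = struct.unpack_from(fmt, sector, off)
    return fields

def resolve_messages(sector, table_off=0x1F8, count=4):
    """Follow the boot code's message index table. The display routine at 0x16D
    in the dump does `mov ah,1 ; mov si,ax`, so an index byte n names the
    NUL-terminated string at offset 0x100 | n. Returns (index, offset, text)."""
    out = []
    for i in range(count):
        idx = sector[table_off + i]
        start = 0x100 | idx
        end = sector.find(b"\x00", start)
        out.append((idx, start, sector[start:end if end >= 0 else len(sector)]))
    return out

def check_sector(sector):
    """Return (fields, findings) for a candidate NTFS boot sector."""
    f = parse_bpb(sector)
    findings = []
    if f["jump"][0] not in (0xEB, 0xE9):
        findings.append("offset 0x000: first byte is not a jmp opcode")
    if f["oem_id"] != b"NTFS    ":
        findings.append(f"offset 0x003: OEM ID {f['oem_id']!r} is not 'NTFS    '")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append(f"offset 0x00B: {f['bytes_per_sector']} bytes per sector is implausible")
    # Both MFT copies must lie inside the volume (my own sanity check, not from the diary).
    clusters = f["total_sectors"] // max(f["sectors_per_cluster"], 1)
    for name in ("mft_lcn", "mftmirr_lcn"):
        if f[name] >= clusters:
            findings.append(f"{name} {f[name]:#x} lies beyond the volume's {clusters} clusters")
    # Every message the table points at should be plain printable ASCII up to its NUL.
    for idx, start, text in resolve_messages(sector):
        bad = [b for b in text if b not in PRINTABLE]
        if bad:
            findings.append(f"offset 0x{start:03X}: message {text!r} has non-printable bytes {bad}")
    if f["boot_signature"] != 0xAA55:
        findings.append(f"offset 0x1FE: signature word is {f['boot_signature']:#06x}, expected 0xaa55 (bytes 55 AA)")
    return f, findings

def repaired_sector(sector):
    """Apply only the two fixes the diary's updates confirm."""
    s = bytearray(sector)
    s[0x1BF:0x1C9] = b"compressed"   # 0x1BF..0x1C8 currently read "res\x02comsed"
    s[0x1FE:0x200] = b"\x55\xAA"     # boot signature, little-endian word 0xAA55
    return bytes(s)

if __name__ == "__main__":
    fields, findings = check_sector(SECTOR)
    for name, value in fields.items():
        print(f"{name:26} {value!r}")
    for idx, start, text in resolve_messages(SECTOR):
        print(f"msg[{idx:#04x}] @0x{start:03X}: {text!r}")
    print("\n".join(findings) or "no findings")
```

Run it and the findings name the two things this checker can see: the 0x02 inside the message at 0x1B2 ("BOOTMGR is res\x02comsed", which is still ten bytes long, so the table entry 0xCA that follows still lands on "Press Ctrl+Alt+Del to restart") and the zeroed signature word at 0x1FE. The field dump is worth a glance too: hidden sectors is 0, which is consistent with the update's "first sector of a drive", and mftmirr_lcn (0xFFFDF) is exactly half of total_sectors/sectors_per_cluster, i.e. the mirror sits mid-volume where a freshly formatted NTFS volume puts it.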
Comments
ebf0
Sep 23rd 2010
MarcQ
Sep 23rd 2010
MarcQ
Sep 23rd 2010
BOOTMGR is missing
BOOTMGR is compressed
Press Ctrl+Alt+Del to restart
p4s0
Sep 23rd 2010
ray
Sep 23rd 2010
1) Multiple OS MBR problem
2) MBR sector hardware failure
3) Rootkit on MBR
p4s0
Sep 23rd 2010
ray
Sep 23rd 2010
There appears to be some corruption starting around 0x1bf. Sectors per track seems odd as does the number of heads.
fs2
Sep 23rd 2010
There is supposed to be something besides \x00's at 0000001F8
for example, 80 9d b2 ca 00 00 55 aa
-manichattan
manichattan
Sep 23rd 2010
So it becomes:
cli
xor bx, bx
rcl ax, cl
instead of:
cli
xor ax, ax
mov ss, ax
This leaves 3 registers unknown:
1. ss is unknown (we want it zeroed, so that the stack pointer would be 0000:7C00)
2. ax (al)
3. cf (rcl affects the carry flag)
neox.fx
Sep 23rd 2010