{
    "id": "917d247c-e2f7-4f71-ab53-dd3a211a121f",
    "name": "Recovering a Corrupted Disk - MBR Case",
    "slug": "recovering-a-corrupted-disk-mbr-case",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "225b7429-bd2e-433e-9168-318d861e97cf"
        ],
        "pta_sdn": "794",
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2023-03-10T20:58:06.538575Z",
    "modified": "2024-04-30T14:43:40.561617Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": null,
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": null,
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "## Scenario\nThe Kids Greenland Garden (KGG) is a place where parents take their kids to play in its wonderful green gardens. There were a lot of complaints about Mr.X, the KGG gardener. An official dispute was filed by one of the parents (Sally) when she was positive that Mr.X was up to something weird and that it was time to put an end to it. The police were informed, and a team of first responders was sent to the garden. The day before Sally filed the official dispute, she confronted Mr.X about his weird activity and told him that he was doing something wrong. Because of that, Mr.X ruined his disk drives to cover up whatever data he was hiding on them.\n\nIn this case, you are required to understand the disk partition scheme, determine whether any of the disks on Mr.X's machine were corrupted, and recover them.\n\n## Goals\n- Recover disks that have a corrupted partition table\n- Understand how to parse MBR partition tables\n- Locate hidden partitions\n\n## What you will learn\n- Grasp how disks are partitioned and structured\n- Ability to manually parse a disk using an MBR partition scheme\n\n## Recommended tools\nHex Workshop, FTK Imager or Disk Editor",
    "description_html": "<h2>Scenario</h2>\n<p>The Kids Greenland Garden (KGG) is a place where parents take their kids to play in its wonderful green gardens. There were a lot of complaints about Mr.X, the KGG gardener. An official dispute was filed by one of the parents (Sally) when she was positive that Mr.X was up to something weird and that it was time to put an end to it. The police were informed, and a team of first responders was sent to the garden. The day before Sally filed the official dispute, she confronted Mr.X about his weird activity and told him that he was doing something wrong. Because of that, Mr.X ruined his disk drives to cover up whatever data he was hiding on them.</p>\n<p>In this case, you are required to understand the disk partition scheme, determine whether any of the disks on Mr.X's machine were corrupted, and recover them.</p>\n<h2>Goals</h2>\n<ul>\n<li>Recover disks that have a corrupted partition table</li>\n<li>Understand how to parse MBR partition tables</li>\n<li>Locate hidden partitions</li>\n</ul>\n<h2>What you will learn</h2>\n<ul>\n<li>Grasp how disks are partitioned and structured</li>\n<li>Ability to manually parse a disk using an MBR partition scheme</li>\n</ul>\n<h2>Recommended tools</h2>\n<p>Hex Workshop, FTK Imager or Disk Editor</p>",
    "tasks": "## Tasks\n\n### Task 1: Recovering a Corrupted Disk\nMr.X corrupted his disk before you managed to issue a warrant and acquire his media for investigation. You need to restore the disk to a fully working state to proceed with your investigation.\n\nYou can find the forensic image at C:\\DFP\\Labs\\Module04\\Lab7\\Lab7.001.\n\nLook at the end of the first sector, which is the sector of the MBR. We are supposed to find an end of sector marker or sector signature which should hold some specific bytes. Are those specific bytes there?\n\n### Task 2: Analyzing The MBR\nNow that you have recovered the acquired disk, you need to analyze the Master Boot Record (MBR) of the disk and answer the following:\n* How many partitions are in this disk?\n* Which partition, if any, is marked as bootable?\n* For each partition found, identify the following:\n  * Starting Sector (or First LBA)\n  * No. of sectors in partition\n  * Partition Size\n  * Partition Type\n\nA variety of forensic tools in c:\\DFP\\Tools\\Disks will help you answer the questions above.",
    "tasks_html": "<h2>Tasks</h2>\n<h3>Task 1: Recovering a Corrupted Disk</h3>\n<p>Mr.X corrupted his disk before you managed to issue a warrant and acquire his media for investigation. You need to restore the disk to a fully working state to proceed with your investigation.</p>\n<p>You can find the forensic image at C:\\DFP\\Labs\\Module04\\Lab7\\Lab7.001.</p>\n<p>Look at the end of the first sector, which is the sector of the MBR. We are supposed to find an end of sector marker or sector signature which should hold some specific bytes. Are those specific bytes there?</p>\n<h3>Task 2: Analyzing The MBR</h3>\n<p>Now that you have recovered the acquired disk, you need to analyze the Master Boot Record (MBR) of the disk and answer the following:</p>\n<ul>\n<li>How many partitions are in this disk?</li>\n<li>Which partition, if any, is marked as bootable?</li>\n<li>For each partition found, identify the following:\n<ul>\n<li>Starting Sector (or First LBA)</li>\n<li>No. of sectors in partition</li>\n<li>Partition Size</li>\n<li>Partition Type</li>\n</ul>\n</li>\n</ul>\n<p>A variety of forensic tools in c:\\DFP\\Tools\\Disks will help you answer the questions above.</p>",
    "published_date": "2020-10-20T15:32:26Z",
    "solutions": "## SOLUTIONS\n\n### Task 1: Recovering a Corrupted Disk\nWe are going to use Hex Workshop to solve this case, but feel free to use any hexadecimal editor that you like.\n\n[Analysis:]\n\nFirst, open the forensic image \"[Lab7.001]\" file [located at C:\\DFP\\Labs\\Module04\\Lab7\\Lab7.001] using Hex Workshop. You will see something similar to the below:\n\n![Partition With a Bad Sector](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitions_badsector.jpg)\n\nUsing FTK Imager, observe that it is only able to show you the raw physical disk space. It is unable to interpret the Master Boot Record (MBR) and display the partitions.\n\n![No partitions identified in FTK imager](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkimager_nopartitions.jpg)\n\nTake a moment to review the hexadecimal data in the boot record and MBR. Can you see the problem?\n\nIf you look at the end of the first sector, which is the sector of the MBR, we are supposed to find an end of sector marker or sector signature which should hold the bytes 55 AA in hexadecimal.\n\nWhat you see instead is hexadecimal DF DF, as shown in the figure above.\n\n[DIY:] By the way, I recommend you check it with another tool as well, just to make sure that it truly cannot identify the disk. In forensics, we always verify.\n\n[Solution:]\n\nSo, what we need to do now is change those two bytes back to 55 AA and save the disk (for example as Lab7-SOL.001).\n\nWe cannot edit images in FTK Imager, but you can in Hex Workshop. Open the image in Hex Workshop.\n\nFirst things first, Hex Workshop's display defaults to sizing the hexadecimal view to the window size. Resize the hexadecimal view to show 16-byte rows, by showing columns 0-F (remember we are in hexadecimal!). You can do this by dragging the line between the hex and ASCII data left or right. See image below.\n\nVerify that you see hex DF DF at the end of the sector.\n\nYou should now be looking at row offset 1F0 and column E, i.e. byte offset 0x1FE. Click the first hex digit \"D\" at offset 0x1FE, and then type 55AA (no spaces). If you do this you should see 55 AA in red, ending the row.\n\n![Fixed Partitions](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitionfixed.jpg)\n\nUsing \"Save As\", save this image file as a new image file. Remember we never want to alter the original evidence, and you want to document the steps you took to do this and why.\n\nNow, if what you did was done properly, you should be able to open the newly created disk image in FTK Imager and it should interpret the partitions correctly.\n\n![Partitions Now Found](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkpartitions.jpg)\n\nSo that's it, we managed to recover the disk that Mr.X corrupted by modifying those two bytes on his disk. This proves that digital forensics tools won't be able to identify the disk's partitions without those two bytes found at the end of the sector. By the way, I recommend you check it using FTK Imager for example too, just to make sure that it truly cannot identify the disk.\n\nThis type of corruption is not very common, but if you do encounter problems, always check for the 55 AA first, then begin checking for errors in the partition table itself. You can always compare the entries to the Volume Boot Record and see if they match up.\n\n### Task 2: Analyzing The MBR\nNow since we managed to recover the corrupted disk, I believe answering the questions below won't be a big problem. Let us move on and answer each one of them.\n\n1. How many partitions are in this disk?\n\nWe found that the disk has four partitions, and the proof can be seen in the figure below:\n\n![Partition displayed](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkpartitions.jpg)\n\n2. Which partition, if any, is marked as bootable?\n\nNow to answer this question, we need to check the boot indicator (status) byte in each MBR partition entry of the disk. Let's use FTK Imager to review them. You need to check for the active partition to see if any are marked as bootable. Refer to the highlighted partitions in this image's MBR.\n\n![MBR](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitions_badsector.jpg)\n\nThe boot indicator is the first byte of each partition entry. An active partition will have the status set to 0x80. A non-bootable partition will be set to 0x00.\n\nIf we review each partition, referring to the above figure, you will find that all of them are non-bootable partitions.\n\nSo, the answer is there are no bootable partitions on this disk.\n\nLet us move on to the final question.\n\n3. For each partition found, identify the following:\n  a. Starting Sector (or First LBA)\n  b. No. of sectors in partition\n  c. Partition Size\n  d. Partition Type\n\nYou can answer these questions using different techniques; let's use FTK Imager.\n\nFrom the first question, we found that there are four partitions, so let us interpret each one of them. Click on the first partition. Then in the details pane, click on Properties. The first partition and its details are below:\n\n![Partition 1 Properties](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partition1properties.jpg)\n\nOur answers would be:\n  a. Starting Sector (or First LBA) = 128\n  b. No. of sectors in partition = 1024000\n  c. Partition Size = (No. of sectors) X (size of sector)\n\n```\n= 1024000 X 512\n= 524288000 Bytes\n= 500 Megabytes\n```\nIs this equal to your expected result? Compare your calculated size to the expected size in the Evidence Tree. Now this is forensics!\n\n  d. Partition Type = 07, which means we have an NTFS partition.\n\n![NTFS identified](https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/FTKntfsPart.jpg)\n\n[Click here for more information on partitions](http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html)\n\nUsing the previous directions as a guide, can you determine the remaining partitions?\n\nFor the second partition, our answers would be:\n  a. Starting Sector (or First LBA) = 1024128\n  b. No. of sectors in partition = 512000\n  c. Partition Size = (No. of sectors) X (size of sector)\n\n```\n= 512000 X 512\n= 262144000 Bytes\n= 250 Megabytes\n```\n\n  d. Partition Type = 0B, which means we have a FAT32 partition.\n\nOn to the third partition, we find the details below:\n\nOur answers would be:\n  a. Starting Sector (or First LBA) = 1536128\n  b. No. of sectors in partition = 512000\n  c. Partition Size = (No. of sectors) X (size of sector)\n\n```\n= 512000 X 512\n= 262144000 Bytes\n= 250 Megabytes\n```\n\n  d. Partition Type = 0C, which also refers to a partition with FAT32.\n\nAnd finally, for the fourth partition we find the details below:\n\nOur answers would be:\n  a. Starting Sector (or First LBA) = 2048128\n  b. No. of sectors in partition = 2142208\n  c. Partition Size = (No. of sectors) X (size of sector)\n\n```\n= 2142208 X 512\n= 1096810496 Bytes\n= 1046 Megabytes\n```\n\n  d. Partition Type = 05, which means we have an Extended partition holding an NTFS file system.\n\nTo summarize our results so they can be added to a report later, I'm going to collect the final results in the table below:\n\n|Partition|Starting Sector (First LBA)|Number of Sectors|Partition Size in Bytes|Partition Type|\n|---------|---------------------------|-----------------|-----------------------|--------------|\n|First|128|1024000|524288000|NTFS|\n|Second|1024128|512000|262144000|FAT32|\n|Third|1536128|512000|262144000|FAT32|\n|Fourth|2048128|2142208|1096810496|NTFS|\n\n[DIY]: I highly recommend you verify the results we obtained using another tool.\n\n[Here is a great reference to bookmark from our friends at Invoke-ir.com](http://www.invoke-ir.com/2015/05/ontheforensictrail-part2.html)\n\nPartition Type Information:\n\n[http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html](http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html)\n\n[https://en.wikipedia.org/wiki/Partition_type](https://en.wikipedia.org/wiki/Partition_type)",
    "solutions_html": "<h2>SOLUTIONS</h2>\n<h3>Task 1: Recovering a Corrupted Disk</h3>\n<p>We are going to use Hex Workshop to solve this case, but feel free to use any hexadecimal editor that you like.</p>\n<p>[Analysis:]</p>\n<p>First, open the forensic image \"[Lab7.001]\" file [located at C:\\DFP\\Labs\\Module04\\Lab7\\Lab7.001] using Hex Workshop. You will see something similar to the below:</p>\n<p><img alt=\"Partition With a Bad Sector\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitions_badsector.jpg\" /></p>\n<p>Using FTK Imager, observe that it is only able to show you the raw physical disk space. It is unable to interpret the Master Boot Record (MBR) and display the partitions.</p>\n<p><img alt=\"No partitions identified in FTK imager\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkimager_nopartitions.jpg\" /></p>\n<p>Take a moment to review the hexadecimal data in the boot record and MBR. Can you see the problem?</p>\n<p>If you look at the end of the first sector, which is the sector of the MBR, we are supposed to find an end of sector marker or sector signature which should hold the bytes 55 AA in hexadecimal.</p>\n<p>What you see instead is hexadecimal DF DF, as shown in the figure above.</p>\n<p>[DIY:] By the way, I recommend you check it with another tool as well, just to make sure that it truly cannot identify the disk. In forensics, we always verify.</p>\n<p>[Solution:]</p>\n<p>So, what we need to do now is change those two bytes back to 55 AA and save the disk (for example as Lab7-SOL.001).</p>\n<p>We cannot edit images in FTK Imager, but you can in Hex Workshop. Open the image in Hex Workshop.</p>\n<p>First things first, Hex Workshop's display defaults to sizing the hexadecimal view to the window size. Resize the hexadecimal view to show 16-byte rows, by showing columns 0-F (remember we are in hexadecimal!). You can do this by dragging the line between the hex and ASCII data left or right. See image below.</p>\n<p>Verify that you see hex DF DF at the end of the sector.</p>\n<p>You should now be looking at row offset 1F0 and column E, i.e. byte offset 0x1FE. Click the first hex digit \"D\" at offset 0x1FE, and then type 55AA (no spaces). If you do this you should see 55 AA in red, ending the row.</p>\n<p><img alt=\"Fixed Partitions\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitionfixed.jpg\" /></p>\n<p>Using \"Save As\", save this image file as a new image file. Remember we never want to alter the original evidence, and you want to document the steps you took to do this and why.</p>\n<p>Now, if what you did was done properly, you should be able to open the newly created disk image in FTK Imager and it should interpret the partitions correctly.</p>\n<p><img alt=\"Partitions Now Found\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkpartitions.jpg\" /></p>\n<p>So that's it, we managed to recover the disk that Mr.X corrupted by modifying those two bytes on his disk. This proves that digital forensics tools won't be able to identify the disk's partitions without those two bytes found at the end of the sector. By the way, I recommend you check it using FTK Imager for example too, just to make sure that it truly cannot identify the disk.</p>\n<p>This type of corruption is not very common, but if you do encounter problems, always check for the 55 AA first, then begin checking for errors in the partition table itself. You can always compare the entries to the Volume Boot Record and see if they match up.</p>\n<h3>Task 2: Analyzing The MBR</h3>\n<p>Now since we managed to recover the corrupted disk, I believe answering the questions below won't be a big problem. Let us move on and answer each one of them.</p>\n<ol>\n<li>How many partitions are in this disk?</li>\n</ol>\n<p>We found that the disk has four partitions, and the proof can be seen in the figure below:</p>\n<p><img alt=\"Partition displayed\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/ftkpartitions.jpg\" /></p>\n<ol start=\"2\">\n<li>Which partition, if any, is marked as bootable?</li>\n</ol>\n<p>Now to answer this question, we need to check the boot indicator (status) byte in each MBR partition entry of the disk. Let's use FTK Imager to review them. You need to check for the active partition to see if any are marked as bootable. Refer to the highlighted partitions in this image's MBR.</p>\n<p><img alt=\"MBR\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partitions_badsector.jpg\" /></p>\n<p>The boot indicator is the first byte of each partition entry. An active partition will have the status set to 0x80. A non-bootable partition will be set to 0x00.</p>\n<p>If we review each partition, referring to the above figure, you will find that all of them are non-bootable partitions.</p>\n<p>So, the answer is there are no bootable partitions on this disk.</p>\n<p>Let us move on to the final question.</p>\n<ol start=\"3\">\n<li>For each partition found, identify the following:\n  a. Starting Sector (or First LBA)\n  b. No. of sectors in partition\n  c. Partition Size\n  d. Partition Type</li>\n</ol>\n<p>You can answer these questions using different techniques; let's use FTK Imager.</p>\n<p>From the first question, we found that there are four partitions, so let us interpret each one of them. Click on the first partition. Then in the details pane, click on Properties. The first partition and its details are below:</p>\n<p><img alt=\"Partition 1 Properties\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/partition1properties.jpg\" /></p>\n<p>Our answers would be:\n  a. Starting Sector (or First LBA) = 128\n  b. No. of sectors in partition = 1024000\n  c. Partition Size = (No. of sectors) X (size of sector)</p>\n<pre class=\"codehilite\"><code>= 1024000 X 512\n= 524288000 Bytes\n= 500 Megabytes</code></pre>\n<p>Is this equal to your expected result? Compare your calculated size to the expected size in the Evidence Tree. Now this is forensics!</p>\n<p>d. Partition Type = 07, which means we have an NTFS partition.</p>\n<p><img alt=\"NTFS identified\" src=\"https://assets.ine.com/content/labs/cybersecurity-labs/jason/LAB-3527/FTKntfsPart.jpg\" /></p>\n<p><a href=\"http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html\">Click here for more information on partitions</a></p>\n<p>Using the previous directions as a guide, can you determine the remaining partitions?</p>\n<p>For the second partition, our answers would be:\n  a. Starting Sector (or First LBA) = 1024128\n  b. No. of sectors in partition = 512000\n  c. Partition Size = (No. of sectors) X (size of sector)</p>\n<pre class=\"codehilite\"><code>= 512000 X 512\n= 262144000 Bytes\n= 250 Megabytes</code></pre>\n<p>d. Partition Type = 0B, which means we have a FAT32 partition.</p>\n<p>On to the third partition, we find the details below:</p>\n<p>Our answers would be:\n  a. Starting Sector (or First LBA) = 1536128\n  b. No. of sectors in partition = 512000\n  c. Partition Size = (No. of sectors) X (size of sector)</p>\n<pre class=\"codehilite\"><code>= 512000 X 512\n= 262144000 Bytes\n= 250 Megabytes</code></pre>\n<p>d. Partition Type = 0C, which also refers to a partition with FAT32.</p>\n<p>And finally, for the fourth partition we find the details below:</p>\n<p>Our answers would be:\n  a. Starting Sector (or First LBA) = 2048128\n  b. No. of sectors in partition = 2142208\n  c. Partition Size = (No. of sectors) X (size of sector)</p>\n<pre class=\"codehilite\"><code>= 2142208 X 512\n= 1096810496 Bytes\n= 1046 Megabytes</code></pre>\n<p>d. Partition Type = 05, which means we have an Extended partition holding an NTFS file system.</p>\n<p>To summarize our results so they can be added to a report later, I'm going to collect the final results in the table below:</p>\n<table>\n<thead>\n<tr>\n<th>Partition</th>\n<th>Starting Sector (First LBA)</th>\n<th>Number of Sectors</th>\n<th>Partition Size in Bytes</th>\n<th>Partition Type</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>First</td>\n<td>128</td>\n<td>1024000</td>\n<td>524288000</td>\n<td>NTFS</td>\n</tr>\n<tr>\n<td>Second</td>\n<td>1024128</td>\n<td>512000</td>\n<td>262144000</td>\n<td>FAT32</td>\n</tr>\n<tr>\n<td>Third</td>\n<td>1536128</td>\n<td>512000</td>\n<td>262144000</td>\n<td>FAT32</td>\n</tr>\n<tr>\n<td>Fourth</td>\n<td>2048128</td>\n<td>2142208</td>\n<td>1096810496</td>\n<td>NTFS</td>\n</tr>\n</tbody>\n</table>\n<p>[DIY]: I highly recommend you verify the results we obtained using another tool.</p>\n<p><a href=\"http://www.invoke-ir.com/2015/05/ontheforensictrail-part2.html\">Here is a great reference to bookmark from our friends at Invoke-ir.com</a></p>\n<p>Partition Type Information:</p>\n<p><a href=\"http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html\">http://www.tldp.org/HOWTO/Partition-Mass-Storage-Definitions-Naming-HOWTO/x190.html</a></p>\n<p><a href=\"https://en.wikipedia.org/wiki/Partition_type\">https://en.wikipedia.org/wiki/Partition_type</a></p>",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}