WEBVTT

0:00:02.860000 --> 0:00:08.340000
Hello, and welcome to this video lesson on Basic Disk Analysis using WinHex.

0:00:08.340000 --> 0:00:12.400000
By now you may be asking, am I really going to have to do all of this

0:00:12.400000 --> 0:00:15.140000
manually? Is this really difficult?

0:00:15.140000 --> 0:00:16.800000
Are there any tools that can help me?

0:00:16.800000 --> 0:00:19.400000
Are there any tools you suggest I use?

0:00:19.400000 --> 0:00:23.000000
The answers to those questions are, you can use WinHex to help with all

0:00:23.000000 --> 0:00:28.000000
of that. You can use it to analyze and parse everything.

0:00:28.000000 --> 0:00:31.560000
WinHex has predefined templates, which can only be found in View, Templates

0:00:31.560000 --> 0:00:35.840000
Manager. Here you can see the templates that the WinHex developers predefined,

0:00:35.840000 --> 0:00:38.000000
and you can simply use and apply them.

0:00:38.000000 --> 0:00:43.340000
For example, let's go to Starting Sector, which is the MBR, and go to

0:00:43.340000 --> 0:00:47.160000
View, Templates Manager, and apply the Master Boot Record.

0:00:47.160000 --> 0:00:54.040000
It will give us this result.

0:00:54.040000 --> 0:00:57.740000
Additionally, if you right-click on Start Sector, and then select Template,

0:00:57.740000 --> 0:01:00.700000
WinHex will load a suitable template for the status structure, or for

0:01:00.700000 --> 0:01:03.480000
this structure, which is the MBR.

0:01:03.480000 --> 0:01:08.820000
Here, we can see we have an offset of zero, the Master Bootstrap Loader,

0:01:08.820000 --> 0:01:10.420000
and other details.

0:01:10.420000 --> 0:01:13.620000
These are all for 446 bytes.

0:01:13.620000 --> 0:01:16.820000
Below, we see the start of the partition table entries.

0:01:16.820000 --> 0:01:20.000000
Here we have partition table entry number 1, which is active.

0:01:20.000000 --> 0:01:25.660000
8 are active. We also have the Starting Head, Starting Sector, and Cylinder,

0:01:25.660000 --> 0:01:30.520000
as well as Partition Type 07, which is a DFS, and WinHex says that it's

0:01:30.520000 --> 0:01:35.400000
an NTFS. One thing to be aware of, as WinHex was opened with Administrator

0:01:35.400000 --> 0:01:38.560000
permissions, is that the value can be modified.

0:01:38.560000 --> 0:01:41.920000
Be extra careful, especially when you're dealing with WinHex on a live

0:01:41.920000 --> 0:01:47.540000
disk. Moving on, we have here 130 for the end head,

0:01:47.540000 --> 0:01:52.960000
18 for the end sector, 47 for the ending cylinder.

0:01:52.960000 --> 0:01:58.260000
If we go to Notepad, we can see the LBA.

0:01:58.260000 --> 0:02:01.960000
And here's the sector preceding Partition Number 1.

0:02:01.960000 --> 0:02:09.060000
We have 2048. And this one here is the sectors in the partition.

0:02:09.060000 --> 0:02:11.840000
They're actually the same.

0:02:11.840000 --> 0:02:15.660000
We can also see all the details here for partition table number 2 with

0:02:15.660000 --> 0:02:19.180000
all of its details, and same for partition entry number 3 with all of

0:02:19.180000 --> 0:02:24.880000
its details. Let's pause what we're doing manually and go ahead and use

0:02:24.880000 --> 0:02:29.400000
some navigation tools that are not available in WinHex.

0:02:29.400000 --> 0:02:32.380000
First, I'm going to write down and take note of a couple of things for

0:02:32.380000 --> 0:02:34.020000
Partition Number 1.

0:02:34.020000 --> 0:02:39.620000
We have 716, which is the size, and it starts at 2048.

0:02:39.620000 --> 0:02:44.440000
Since Partition 1 is located 2048 sectors ahead, we can use this button

0:02:44.440000 --> 0:02:46.160000
to get to that sector.

0:02:46.160000 --> 0:02:49.520000
Let's enter 2048 and click OK.

0:02:49.520000 --> 0:02:57.800000
As you can see, we arrived at the first partition, which is at 2048.

0:02:57.800000 --> 0:03:06.000000
And if you notice here, it's also 2048.

0:03:06.000000 --> 0:03:08.900000
So now if we add the number of sectors that are in the partition from

0:03:08.900000 --> 0:03:13.620000
this location, which was 716,800, we're supposed to reach Partition Number

0:03:13.620000 --> 0:03:36.400000
2. Now, from our current position, we need to move this number of sectors.

0:03:36.400000 --> 0:03:38.700000
Let's go ahead and click OK.

0:03:38.700000 --> 0:03:41.600000
So, we have reached the second partition.

0:03:41.600000 --> 0:03:49.840000
If we go back a bit, we know that the second partition had this number

0:03:49.840000 --> 0:03:54.120000
of sectors. Let's go ahead and take it, and we'll add this one, which

0:03:54.120000 --> 0:03:56.180000
is already converted.

0:03:56.180000 --> 0:03:59.860000
From our current position, if we add this, it will take us to Partition

0:03:59.860000 --> 0:04:04.480000
Number 3. And it took us exactly there.

0:04:04.480000 --> 0:04:08.040000
We want to make sure that all of this is correct, so let's go back, and

0:04:08.040000 --> 0:04:11.420000
we can either go to the sector, or we can do all of this from here.

0:04:11.420000 --> 0:04:20.660000
We need to go to the partition.

0:04:20.660000 --> 0:04:25.540000
We have 2048 converted to this amount, so we need to go to this partition,

0:04:25.540000 --> 0:04:27.640000
this sector from the beginning.

0:04:27.640000 --> 0:04:33.700000
Again, this takes us to the first partition, which is this one.

0:04:33.700000 --> 0:04:37.320000
Let's highlight this one, just the position, just so we can make sure

0:04:37.320000 --> 0:04:39.800000
that this is truly Partition Number 1.

0:04:39.800000 --> 0:04:49.300000
Let's add a position and give it a description.

0:04:49.300000 --> 0:04:51.120000
Let's also give it a color.

0:04:51.120000 --> 0:04:53.140000
I'm going to select red.

0:04:53.140000 --> 0:04:57.900000
Now, let's go back to the beginning.

0:04:57.900000 --> 0:05:06.200000
As you may recall, Partition 1 is 716,800 in sectors.

0:05:06.200000 --> 0:05:14.760000
Let me go show you how to do it.

0:05:14.760000 --> 0:05:20.280000
Now, if we take the value for the number of sectors, which is 716,800,

0:05:20.280000 --> 0:05:25.420000
input that into the calculator and convert it to hex, we get AF000.

0:05:25.420000 --> 0:05:27.540000
Let's go ahead and copy this value.

0:05:27.540000 --> 0:05:32.160000
Now, let's go back to WinHex and click on the Go to Offset button.

0:05:32.160000 --> 0:05:35.640000
Now, let's select the current position option and paste in our converted

0:05:35.640000 --> 0:05:39.720000
value, which means we need to move this amount of sectors.

0:05:39.720000 --> 0:05:42.680000
Let's go ahead and click the OK button.

0:05:42.680000 --> 0:05:45.920000
And this has taken us directly to Partition Number 2.

0:05:45.920000 --> 0:06:04.660000
Let's also add a position to Partition Number 2.

0:06:04.660000 --> 0:06:07.180000
So now we have Partition Number 2.

0:06:07.180000 --> 0:06:14.360000
Now that we know Partition Number 2 is this number of sectors long, let

0:06:14.360000 --> 0:06:17.080000
me quickly show you how to convert it to hex.

0:06:17.080000 --> 0:06:29.700000
So, if we take that one and convert it to hex, we get this value.

0:06:29.700000 --> 0:06:34.020000
Also, from this current position, we want to move this number of sectors.

0:06:34.020000 --> 0:06:38.680000
This takes us exactly to Partition 3, which is where the cursor is.

0:06:38.680000 --> 0:06:46.680000
If you made a mistake, you can always hit the Back button.

0:06:46.680000 --> 0:06:51.020000
Say you want to go to this exact value, go to this sector, current position,

0:06:51.020000 --> 0:06:54.540000
and it took us to Partition Number 3.

0:06:54.540000 --> 0:07:12.100000
Let's mark this one and add 3 as the position number.

0:07:12.100000 --> 0:07:16.680000
Now we have Partition Number 3.

0:07:16.680000 --> 0:07:22.460000
If you notice, we can use these buttons to move the offset, and you can

0:07:22.460000 --> 0:07:26.340000
even move by bytes, but make sure the amount is exact.

0:07:26.340000 --> 0:07:32.780000
We also have the option to move by words, double words, and sectors.

0:07:32.780000 --> 0:07:36.560000
One thing to notice is that if you go to the Start Sector, which is the

0:07:36.560000 --> 0:07:41.240000
beginning, and go to Partition 1, we are supposed to see the red position.

0:07:41.240000 --> 0:07:46.540000
If we go to Partition Number 2, we are supposed to see the green partition,

0:07:46.540000 --> 0:07:49.960000
and if we go to Partition Number 3, we should see the blue partition,

0:07:49.960000 --> 0:07:54.900000
which proves that our navigation and parsing are correct.

0:07:54.900000 --> 0:07:59.600000
In this video, we applied a template and used WinHex to get details.

0:07:59.600000 --> 0:08:03.140000
We'll revisit the partition later when we apply another template, so

0:08:03.140000 --> 0:08:06.420000
we can get the volume boot record for the NTFS file system.

0:08:06.420000 --> 0:08:11.540000
This will be in one of Module 5's videos, but that's it for now.

0:08:11.540000 --> 0:08:14.480000
I'm glad I got to show you more new features of WinHex and demonstrate

0:08:14.480000 --> 0:08:18.740000
how useful it can be when you're going to analyze the disk.

0:08:18.740000 --> 0:08:23.960000
This concludes our video lesson on Basic Disk Analysis using WinHex.

0:08:23.960000 --> 0:08:25.840000
Thanks for watching, and see you next time.