WEBVTT

0:00:09.800000 --> 0:00:14.120000
Okay, so let's talk a little bit about the first sector and some of the

0:00:14.120000 --> 0:00:16.860000
hexadecimal code in this first sector.

0:00:16.860000 --> 0:00:19.360000
So let's look at this.

0:00:19.360000 --> 0:00:24.940000
What is this? The first sector is really sector zero and it is going to

0:00:24.940000 --> 0:00:30.980000
be where the BIOS looks to get its boot instructions.

0:00:30.980000 --> 0:00:35.360000
So the first thing it does actually is it looks down towards the end of

0:00:35.360000 --> 0:00:40.500000
the sector and it looks for five, five AA.

0:00:40.500000 --> 0:00:47.560000
And what that means down there is that this is just a bootable disk and

0:00:47.560000 --> 0:00:50.180000
it's got some type of boot code in it.

0:00:50.180000 --> 0:00:55.560000
If it doesn't have the five, five AA magic number at the end, then it's

0:00:55.560000 --> 0:00:57.600000
not going to boot your system up.

0:00:57.600000 --> 0:00:59.360000
That has to be there.

0:00:59.360000 --> 0:01:07.900000
Okay. Up above here, starting here at offset zero and all the way down,

0:01:07.900000 --> 0:01:16.160000
all the way down to about here is essentially just our boot code.

0:01:16.160000 --> 0:01:21.300000
It's instructions that are getting loaded into memory and then that's what

0:01:21.300000 --> 0:01:25.800000
your BIOS is going to use to boot up the system and hand control over

0:01:25.800000 --> 0:01:28.420000
to your boot partitions and things like that.

0:01:28.420000 --> 0:01:30.140000
And then there's a little bit of boot code right here.

0:01:30.140000 --> 0:01:32.140000
This represents boot code too.

0:01:32.140000 --> 0:01:38.920000
Okay. There's a space in between these two boot codes and it starts about

0:01:38.920000 --> 0:01:44.940000
here and it goes for seven bytes.

0:01:44.940000 --> 0:01:50.580000
These seven bytes represent the serial number or disk signature for the

0:01:50.580000 --> 0:01:55.840000
physical disk. And what you're going to find is that that is actually

0:01:55.840000 --> 0:01:58.840000
going to be reflected in your registry.

0:01:58.840000 --> 0:02:03.040000
That's going to be in your HKEY_LOCAL_MACHINE\SYSTEM, MountedDevices.

0:02:03.040000 --> 0:02:07.300000
So that's how you can actually track physical disks that are loaded into

0:02:07.300000 --> 0:02:09.000000
the system and the operating system has seen.

0:02:09.000000 --> 0:02:15.520000
There should be a record of all of these in that MountedDevices key,

0:02:15.520000 --> 0:02:18.160000
whether they're actually attached or not.

0:02:18.160000 --> 0:02:23.580000
So that, that's very, very beneficial to a forensic investigation.

0:02:23.580000 --> 0:02:28.800000
This is not, there's no conversions or like that represented here.

0:02:28.800000 --> 0:02:31.040000
The serial number is as we see it.

0:02:31.040000 --> 0:02:35.000000
So in this particular case, if I were to go look at the MountedDevices

0:02:35.000000 --> 0:02:41.480000
registry key, I should see a drive signature or disk signature for that

0:02:41.480000 --> 0:02:48.020000
says to see 4, 4, 6, 3, B, E, 3, 9, B, F, 3, 9.

0:02:48.020000 --> 0:02:53.900000
All right. So what's the next section in here?

0:02:53.900000 --> 0:03:00.240000
What we have is in the next 32 bytes starting right here, starting at

0:03:00.240000 --> 0:03:06.720000
what is that? That's going to be offset 1BE.

0:03:06.720000 --> 0:03:16.120000
And for the next 32 bytes, all the way to the 55 AA magic number, that

0:03:16.120000 --> 0:03:19.860000
is going to be our master boot record.

0:03:19.860000 --> 0:03:24.160000
So this master boot record, as we've discussed in the slides, it contains

0:03:24.160000 --> 0:03:29.980000
all of the information the BIOS needs to understand what kind of disk

0:03:29.980000 --> 0:03:34.240000
is in there and what kind of partition is in there and then where the

0:03:34.240000 --> 0:03:38.560000
partitions start and stop and whether they're the active bootable ones.

0:03:38.560000 --> 0:03:43.940000
So if we were to examine this one, I see one row of bytes and then I see

0:03:43.940000 --> 0:03:45.560000
a bunch of zeros.

0:03:45.560000 --> 0:03:52.220000
What that tells me is that there is one partition on the system and the

0:03:52.220000 --> 0:03:56.300000
partition is going to go from here to here.

0:03:56.300000 --> 0:04:03.980000
So it starts at 80, hex 80, and then it ends at hex 01.

0:04:03.980000 --> 0:04:08.300000
And notice how I said hex 80 and hex 01.

0:04:08.300000 --> 0:04:13.480000
We are using the hexadecimal numbering scheme when we're in here.

0:04:13.480000 --> 0:04:18.800000
So it's a little different than just saying decimal, right?

0:04:18.800000 --> 0:04:20.100000
We're going to do a quick conversion here.

0:04:20.100000 --> 0:04:27.500000
So hexadecimal 80 is going to convert over here to an integer value of

0:04:27.500000 --> 0:04:32.500000
128. So just, that's your basic conversions there.

0:04:32.500000 --> 0:04:40.460000
In our particular issue here though, we either have our first record is

0:04:40.460000 --> 0:04:44.560000
our bootable device record.

0:04:44.560000 --> 0:04:50.480000
Okay. Active disk is either 80 or it's zero.

0:04:50.480000 --> 0:04:52.400000
It shouldn't be anything else.

0:04:52.400000 --> 0:04:57.660000
80 means that it's a partition that is active for booting.

0:04:57.660000 --> 0:05:02.380000
Zero means that there's a partition there, but it's not a boot partition.

0:05:02.380000 --> 0:05:06.780000
And in our case, it's zero because there are no further partitions beyond

0:05:06.780000 --> 0:05:10.820000
the first partition.

0:05:10.820000 --> 0:05:13.960000
After the 80, this tells us the starting head.

0:05:13.960000 --> 0:05:17.360000
This is a cylinder-head-sector system.

0:05:17.360000 --> 0:05:22.780000
So we're looking at starting head one.

0:05:22.780000 --> 0:05:25.780000
Then we move down to the next one.

0:05:25.780000 --> 0:05:28.560000
And this is our starting sector.

0:05:28.560000 --> 0:05:31.200000
So we're starting at sector one.

0:05:31.200000 --> 0:05:34.600000
Remember, we are in sector zero right now.

0:05:34.600000 --> 0:05:41.060000
So what this tells me is that in sector one, the BIOS should be able to

0:05:41.060000 --> 0:05:44.840000
go there and then find additional things to do.

0:05:44.840000 --> 0:05:48.200000
And that's where the first drive is going to be seen.

0:05:48.200000 --> 0:05:52.140000
If you're using Windows, that's typically going to be the C drive.

0:05:52.140000 --> 0:05:58.240000
If you're using something like Linux, depending on the type of drive it

0:05:58.240000 --> 0:06:05.220000
is, it's going to be your hda1 or your sdd, sda1.

0:06:05.220000 --> 0:06:11.040000
All right. The next one is going to be starting cylinder.

0:06:11.040000 --> 0:06:16.840000
Cylinder zero. Now this very next one here, this one's really important.

0:06:16.840000 --> 0:06:22.260000
That is going to be our partition identifier.

0:06:22.260000 --> 0:06:27.700000
There are a bunch of different codes for different partitions.

0:06:27.700000 --> 0:06:32.660000
For example, a zero one is a FAT12, a zero four is FAT16.

0:06:32.660000 --> 0:06:35.280000
A zero five would be an extended partition.

0:06:35.280000 --> 0:06:37.940000
We don't see too many of those.

0:06:37.940000 --> 0:06:44.140000
A zero seven is going to be an NTFS partition.

0:06:44.140000 --> 0:06:46.780000
So that's something we should really know about.

0:06:46.780000 --> 0:06:52.620000
And then if it's a zero B or a zero C, that's going to indicate a FAT

0:06:52.620000 --> 0:06:57.480000
partition and we're going to be really looking for the zero C's, the FAT

0:06:57.480000 --> 0:07:01.380000
partition, we're a logical drive using BIOS extensions.

0:07:01.380000 --> 0:07:06.940000
That's going to be what most of our FAT32 partitions are going to be.

0:07:06.940000 --> 0:07:08.520000
FAT partitions are going to go away though.

0:07:08.520000 --> 0:07:11.860000
We don't see too many of those, but we like to look at them first.

0:07:11.860000 --> 0:07:18.240000
042 is a dynamic disk volume and something you're going to be seeing now,

0:07:18.240000 --> 0:07:22.460000
especially with the release of Windows 10, is all Windows 10 devices.

0:07:22.460000 --> 0:07:26.880000
Where it says zero seven here, it's actually going to say EE.

0:07:26.880000 --> 0:07:31.780000
And EE indicates that we have a GPT partition, GUID partition table partition,

0:07:31.780000 --> 0:07:35.760000
and it's a completely different partitioning system than master boot record.

0:07:35.760000 --> 0:07:39.120000
And we will talk about that in different courses.

0:07:39.120000 --> 0:07:45.700000
So we now know that we have an NTFS file system that needs to be loaded

0:07:45.700000 --> 0:07:54.160000
up. So we have our starting head and we have our starting sector.

0:07:54.160000 --> 0:07:58.620000
Now we have this FE right here.

0:07:58.620000 --> 0:08:04.160000
FE is going to be our ending head.

0:08:04.160000 --> 0:08:07.360000
And then if I look at this, if I look at my conversion over here, what

0:08:07.360000 --> 0:08:11.360000
it means is in this UINT8 conversion and data inspector, it means that our

0:08:11.360000 --> 0:08:18.840000
ending head is going to be 254.

0:08:18.840000 --> 0:08:26.140000
Then our ending sector is going to be the next one.

0:08:26.140000 --> 0:08:32.440000
And then ending sector is FF, which up here it translates to 255.

0:08:32.440000 --> 0:08:35.460000
So we're seeing some numbers that should jibe, right?

0:08:35.460000 --> 0:08:36.940000
254 is a good number.

0:08:36.940000 --> 0:08:43.340000
255 is a good number in our 32-bit multiplication and division.

0:08:43.340000 --> 0:08:49.880000
Okay. After our ending sector, we have our ending cylinder.

0:08:49.880000 --> 0:08:55.660000
And here again, our ending cylinder is 255.

0:08:55.660000 --> 0:09:04.100000
Now the next four bytes are going to be the relative amount of sectors

0:09:04.100000 --> 0:09:10.300000
that are in this system on this partition.

0:09:10.300000 --> 0:09:15.760000
Okay. And that goes from column six to column nine for our bits.

0:09:15.760000 --> 0:09:20.900000
So this is where our hexadecimal conversions are going to be important.

0:09:20.900000 --> 0:09:28.380000
And this again, it jibes because what this translates to up here is 63.

0:09:28.380000 --> 0:09:38.160000
63 in every pre-Vista system is going to be the starting sector for everything.

0:09:38.160000 --> 0:09:45.240000
Okay. It changes in Vista, but we are looking at a Windows XP image here,

0:09:45.240000 --> 0:09:48.000000
I believe, just for demonstration purposes.

0:09:48.000000 --> 0:09:53.420000
So we know that, we now know that the data starts in sector 63.

0:09:53.420000 --> 0:10:06.100000
The next four represent the total amount of sectors that are in this partition.

0:10:06.100000 --> 0:10:10.960000
So what that comes out to is 217.

0:10:10.960000 --> 0:10:16.240000
So for us, for forensics, what we can do is we can pull up our calculator.

0:10:16.240000 --> 0:10:29.040000
All right. And we can do a quick 217 minus 63.

0:10:29.040000 --> 0:10:33.300000
And that puts us at 154 sectors in this partition.

0:10:33.300000 --> 0:10:36.040000
Why is this important?

0:10:36.040000 --> 0:10:41.000000
Understanding the drive geometry and how drives are made and how drives

0:10:41.000000 --> 0:10:44.740000
are calculated will sometimes come into play in court.

0:10:44.740000 --> 0:10:50.340000
You could be asked to demonstrate your knowledge on this, especially if

0:10:50.340000 --> 0:10:57.880000
it comes down to maybe an opposing expert trying to peck a little bit

0:10:57.880000 --> 0:10:59.920000
at your knowledge and reputation.

0:10:59.920000 --> 0:11:03.360000
This is a place that they could try to get you on.

0:11:03.360000 --> 0:11:08.140000
Don't see it quite as much as we used to though.

0:11:08.140000 --> 0:11:13.240000
Okay. Some other things you can do with this is that you can use these

0:11:13.240000 --> 0:11:18.660000
calculations and these numbers to repair some of these fields.

0:11:18.660000 --> 0:11:20.880000
And you can redo the calculations there.

0:11:20.880000 --> 0:11:22.760000
So, and it works.

0:11:22.760000 --> 0:11:25.260000
You could go into a hex editor and you can modify.

0:11:25.260000 --> 0:11:29.120000
If I modify one of these, it wouldn't, it would not work anymore.

0:11:29.120000 --> 0:11:32.780000
But if I were to, if they were corrupted and I could get in there and

0:11:32.780000 --> 0:11:35.340000
I could give them the right values, all of a sudden that partition would

0:11:35.340000 --> 0:11:37.280000
appear back again.

0:11:37.280000 --> 0:11:43.780000
All right. Well, that's all we have on the Master Boot Record Partition

0:11:43.780000 --> 0:11:45.400000
Tables. Thank you very much.