
Bytes Offset for $BadClus of NTFS partition


3 replies to this topic

#1 ant0ine


Posted 14 January 2012 - 08:57 PM

I wasn't really sure where to post this, but I think the people within this subforum will be able to answer most intelligently. Anyways, I have a question about the NTFS filesystem. I need to know what the byte offsets are for the SYSTEM FILES, especially $BadClus. Here's what I know about NTFS:

Taken from a Google Groups Usenet Post.

There are 512 bytes per sector, the MBR exists on the 1st sector, sectors 2 - 4 are 0-filled (future use?), and the first partition is on the 5th sector. We're going to assume the 1st partition is NTFS. From now on, the "1st sector" will be considered the "1st sector of the NTFS partition i.e. 5th sector". Sequential sectors logically follow in a similar manner.

First off, there are several "SYSTEM FILES" of NTFS: http://pastebin.com/QNUiNU2r

The 1st sector begins with $Boot. $Boot is 16 sectors long. The 1st sector contains the VBR (Volume Boot Record), sectors 2 - 15 contain the IPL (Initial Program Loader). That is to say that $Boot extends to byte offset 8192 (0x2000, 020000).

Boot Sector: http://pastebin.com/wutMpPh3
BPB & Extended BPB: http://pastebin.com/emWWCxuV


#2 Didier Stevens


Posted 21 January 2012 - 04:13 PM

According to Wikipedia, Microsoft has a tool to view these system files: nfi.exe ("NTFS File Sector Information Utility")
http://support.microsoft.com/kb/253066/

Maybe this tool can help you locate these files.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 ant0ine


Posted 22 January 2012 - 02:31 AM

Thank you! That's perfect! It's shown in detail on this article. Unfortunately, I run a Linux box, so I can't use that command at the moment. But when I get on a Windows box, I'll definitely check it out. "ntfsinfo -i 8 [device]", where [device] is the device path, seemed to give some info about it too. Now, if there's a tool such as this, then $badclus and other metadata files must be inconsistent from drive to drive. There will certainly be more research on my end.
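As an added example (not code from either poster), this shows how the byte offset the original question asks for can be computed from the on-disk fields the thread touches on: the partition start from the MBR, the $MFT cluster number and file record size from the VBR, and the fact that $BadClus is MFT entry 8 (the "-i 8" in the ntfsinfo call above). The field offsets are those of the NTFS boot sector format; the sample disk geometry is constructed for the demonstration.

```python
import struct

BADCLUS_RECORD = 8  # $BadClus is MFT entry 8 (the "-i 8" in the ntfsinfo call above)

def partition_start_from_mbr(mbr, index=0):
    """LBA of the first sector of partition `index` from a classic MBR table."""
    entry = 0x1BE + 16 * index                      # 4 entries of 16 bytes each
    ptype = mbr[entry + 4]
    if ptype != 0x07:                               # 0x07 = NTFS (also HPFS/exFAT) type code
        raise ValueError(f"partition {index} is type 0x{ptype:02X}, not NTFS")
    return struct.unpack_from("<I", mbr, entry + 8)[0]

def parse_vbr(vbr):
    """Pull the geometry fields the offset calculation needs out of an NTFS VBR."""
    if vbr[3:11] != b"NTFS    " or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, = struct.unpack_from("<H", vbr, 0x0B)      # bytes per sector
    spc, = struct.unpack_from("<B", vbr, 0x0D)      # sectors per cluster
    mft_lcn, = struct.unpack_from("<Q", vbr, 0x30)  # cluster number where $MFT starts
    cpr, = struct.unpack_from("<b", vbr, 0x40)      # clusters per file record segment
    # A negative value means the record size is 2**|value| bytes, not a cluster count.
    record_size = (1 << -cpr) if cpr < 0 else cpr * spc * bps
    return {"bytes_per_sector": bps, "cluster_size": spc * bps,
            "mft_lcn": mft_lcn, "record_size": record_size}

def mft_record_offset(info, record_number, partition_start_sector=0):
    """Byte offset from the start of the disk of MFT record `record_number`."""
    partition_offset = partition_start_sector * info["bytes_per_sector"]
    mft_offset = info["mft_lcn"] * info["cluster_size"]
    return partition_offset + mft_offset + record_number * info["record_size"]

# Constructed sample disk: one NTFS partition starting at LBA 2048, 512-byte
# sectors, 8 sectors per cluster, $MFT at cluster 786432, 1 KiB file records.
def make_sample_disk():
    mbr = bytearray(512)
    mbr[0x1BE + 4] = 0x07
    struct.pack_into("<I", mbr, 0x1BE + 8, 2048)
    vbr = bytearray(512)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, 512)
    struct.pack_into("<B", vbr, 0x0D, 8)
    struct.pack_into("<Q", vbr, 0x30, 786432)
    struct.pack_into("<b", vbr, 0x40, -10)          # 2**10 = 1024-byte records
    vbr[510:512] = b"\x55\xAA"
    return bytes(mbr), bytes(vbr)

if __name__ == "__main__":
    mbr, vbr = make_sample_disk()
    start = partition_start_from_mbr(mbr)
    info = parse_vbr(vbr)
    print(f"$BadClus record at byte {mft_record_offset(info, BADCLUS_RECORD, start)}")
```

On a real volume the same two sectors can be read from a raw device or image opened read-only, which sidesteps the permission error seen when opening $BadClus through the filesystem.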

#4 Didier Stevens


Posted 22 January 2012 - 04:48 AM

Since you are running Linux, maybe you can mount the NTFS partition (maybe read-only) and open the file directly.

When I try to open c:\$BadClus in read binary mode on my Windows system, I get a permission denied error. Haven't looked further to get past this error, but maybe it behaves differently on Linux.

