Extract the MBR from the disk or from the image you just took.

Refer to CHS if you wonder how to get these values. Special thanks to Gene Cumm from the bochs-developers mailing list, who gave me the tip to specify the geometry to dd:

    $ dd if=input of=output bs=2064384 count=507

For example, I got some geometry errors with a flash disk when using Bochs at step 11. However, if you have an exotic disk, it may be much trickier. In general, it is that simple:

    $ dd if= of=disk.img bs=65536 conv=noerror

Check the disk geometry using:

    $ fdisk -luc disk.img

IDA Pro (6.0) with the IDA Python plug-in (1.4.3).

With static analysis, you may see if an obvious corruption happened, but you will need to debug to learn more. Analyzing the MBR is sometimes required during a forensic process, if you suspect malicious activity that is not detected on-line.
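As an added example (not code from the original post), the following Python check covers the static side of the analysis: it parses the partition table of an extracted MBR and verifies that each entry's CHS and LBA fields agree under a given geometry. The 64-head, 63-sector default is an assumption chosen to match the dd block size above (2064384 = 64 × 63 × 512), the function names are hypothetical, and the sample MBR is constructed.

```python
import struct

SECTOR = 512

def decode_chs(raw):
    """3-byte CHS field -> (cylinder, head, sector); cylinder is 10 bits."""
    head, sec, cyl_low = raw
    return ((sec & 0xC0) << 2) | cyl_low, head, sec & 0x3F

def chs_to_lba(chs, heads, spt):
    c, h, s = chs
    return (c * heads + h) * spt + (s - 1)

def parse_mbr(mbr, heads=64, spt=63):
    """Parse the partition table; the geometry defaults are an assumption."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    report = {"signature_ok": mbr[510:512] == b"\x55\xaa", "partitions": []}
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        status, first, ptype, last, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0:  # unused slot
            continue
        first, last = decode_chs(first), decode_chs(last)
        report["partitions"].append({
            "slot": i, "type": ptype, "lba": lba, "sectors": count,
            "status_ok": status in (0x00, 0x80),  # only "inactive" or "bootable"
            "chs_first": first, "chs_last": last,
            # CHS and LBA must describe the same sectors under this geometry
            "geometry_ok": chs_to_lba(first, heads, spt) == lba
                           and chs_to_lba(last, heads, spt) == lba + count - 1,
        })
    return report

def read_mbr(path):
    """Read the first sector (the MBR) of a disk image."""
    with open(path, "rb") as f:
        return f.read(SECTOR)

def sample_mbr():
    """Constructed sample: one partition on a 507-cylinder, 64-head, 63-sector disk."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, bytes([1, 1, 0]), 0x0B,
                               bytes([63, 0x7F, 0xFA]), 63, 507 * 64 * 63 - 63)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    for part in parse_mbr(sample_mbr())["partitions"]:
        print(part)
```

On disks larger than the CHS range the CHS fields hold saturated values, so a `geometry_ok` mismatch there is expected and not a sign of corruption.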