Wednesday, 24 April 2013

Sigfind

The tool sigfind (part of The Sleuth Kit) searches an image or file for a given hexadecimal value at a fixed offset within each block. In disk-image analysis we can use it to find partitions; one reason to do so is locating partitions whose entries in the partition table have been corrupted or overwritten.

The tool outputs the block (sector) number of each match, together with the distance from the previous match.

The way it is used is:

sigfind [-b bsize] [-o offset] [-l] hex_signature Image.dd

Here -b is the block size to step through the image in (512 for a disk image), -o is the byte offset within each block at which the signature must appear, and -l tells sigfind the signature is written in little-endian order. The boot-sector signature is stored on disk as the bytes 55 AA, the same order we type it, so -l is not needed for this search.

Now, every MBR and every Microsoft boot sector (the first sector of a FAT or NTFS volume) shares one trait: the two-byte signature 0x55 0xAA occupies bytes 510 and 511, the last two bytes of the 512-byte sector. The same search therefore finds both the partition table at the start of the drive and the start of each partition. A damaged sector can lose the signature, but it is a good place to start looking.

That is:

  • The last two bytes of a Microsoft Windows boot sector (the first sector of a FAT or NTFS volume) are 0x55 and 0xAA
  • The last two bytes of a partition table sector (the MBR, and each extended boot record) are 0x55 and 0xAA

Using this information, it is possible to locate the partitions on a drive whose partition table has been wiped or overwritten, which is the starting point for recovering them.

Knowing that the MBR occupies the first sector of the drive and that the signature sits at bytes 510 and 511 of every 512-byte sector, we tell sigfind to step through the image in 512-byte blocks (-b 512) and to test only the two bytes at offset 510 in each block (-o 510). Hence run:

sigfind -b 512 -o 510 55AA Image.dd

The output of this command is listed below. I will write more on this another time, but knowing where each partition starts (and, from the next hit or the table, where it ends) gives the offsets needed to carve the partitions out of the image with dd.

$ sigfind -b 512 -o 510 55AA Image.dd
Block size: 512 Offset: 510 Signature: 55AA
Block: 0 (-)
Block: 63 (+63)
Block: 323836 (+323773)
Block: 820512 (+496676)
Block: 820575 (+63)
Block: 1026144 (+205569)
Block: 1026207 (+63)
error reading bytes 1048320

Reading the hits (the number in parentheses is the distance from the previous hit):

  • Block 0 is the MBR itself: the first sector of the drive, ending in 55AA.
  • Block 63 is the boot sector of the first partition. Older Windows tools start the first partition 63 sectors into the drive, so a hit 63 sectors after a partition table is the classic sign of a partition start.
  • Blocks 820512/820575 and 1026144/1026207 repeat the same shape: a sector ending in 55AA followed by another 63 sectors later. That pattern is consistent with an extended partition, where each extended boot record (EBR) also ends in 55AA and the logical volume it describes begins 63 sectors after it. Confirm against the table with mmls Image.dd rather than assuming.
  • Block 323836 stands alone. NTFS keeps a copy of the boot sector in the last sector of the volume (FAT32 keeps its copy at sector 6 of the volume), so a lone hit is often a backup boot sector rather than a partition start; read the sector to check, an NTFS boot sector carries "NTFS    " at byte 3.
  • The final line is sigfind reaching the end of the image, not a fault in the image.
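The following is an added example of my own, not code from the original post or from The Sleuth Kit. It does in Python what sigfind -b 512 -o 510 55AA does over an image, then adds the cross-check a practitioner wants next: it walks the partition table in the MBR and any extended boot records and labels each hit as the MBR, an EBR, a volume boot sector or the last sector of a volume (where NTFS keeps its backup boot sector), flagging anything no table accounts for. It runs on a constructed in-memory image (not real evidence) with one NTFS primary partition and one FAT32 logical volume; the layout, function names and labels are my assumptions.

```python
"""Added example: a sigfind-style scan with a partition-table cross-check."""
import struct

SECTOR = 512
SIG = b"\x55\xAA"          # MBR / boot-sector signature in on-disk byte order
SIG_OFFSET = 510           # last two bytes of a 512-byte sector
EXTENDED_TYPES = (0x05, 0x0F)


def find_signature(image, sig=SIG, bsize=SECTOR, offset=SIG_OFFSET):
    """Equivalent of `sigfind -b bsize -o offset <sig>`: returns (block, delta)
    for every block whose bytes at `offset` equal `sig`; delta is the distance
    from the previous hit (None for the first, which sigfind prints as "(-)")."""
    hits, prev = [], None
    for blk in range(len(image) // bsize):
        pos = blk * bsize + offset
        if image[pos:pos + len(sig)] == sig:
            hits.append((blk, None if prev is None else blk - prev))
            prev = blk
    return hits


def partition_entries(sector):
    """(type, start_lba, size) for each used 16-byte entry at bytes 446..509."""
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, size = struct.unpack_from("<II", entry, 8)
        if ptype:
            yield ptype, start, size


def expected_layout(image):
    """Walk the MBR and the EBR chain; return {block: what should be there}."""
    nsec = len(image) // SECTOR
    sector = lambda n: image[n * SECTOR:(n + 1) * SECTOR]
    layout = {0: "MBR"}

    def add_volume(start, size):
        layout[start] = "boot sector of volume starting at %d" % start
        # NTFS keeps a copy of the boot sector in the volume's last sector
        layout.setdefault(start + size - 1,
                          "last sector of volume at %d (NTFS backup boot sector)" % start)

    for ptype, start, size in partition_entries(sector(0)):
        if ptype not in EXTENDED_TYPES:
            add_volume(start, size)
            continue
        ebr, hops = start, 0
        while 0 < ebr < nsec and hops < 64:   # bounded: a damaged EBR chain can loop
            layout[ebr] = "EBR"
            entries = list(partition_entries(sector(ebr)))
            if entries:                        # entry 0: the logical volume, relative to this EBR
                add_volume(ebr + entries[0][1], entries[0][2])
            nxt = [e for e in entries[1:] if e[0] in EXTENDED_TYPES]
            ebr = start + nxt[0][1] if nxt else 0   # entry 1: next EBR, relative to extended start
            hops += 1
    return layout


def report(image):
    """Each sigfind hit with its role, or a flag when no table accounts for it."""
    layout = expected_layout(image)
    return [(blk, delta, layout.get(blk, "NOT in any partition table: inspect and carve by hand"))
            for blk, delta in find_signature(image)]


def build_sample_image(nsectors=4096):
    """Constructed test image (not real evidence): MBR, an NTFS primary partition
    at LBA 63, and an extended partition at 2048 holding one FAT32 logical volume."""
    img = bytearray(nsectors * SECTOR)

    def put_sig(blk):
        img[blk * SECTOR + SIG_OFFSET:blk * SECTOR + SIG_OFFSET + 2] = SIG

    def put_entry(blk, idx, ptype, start, size):
        off = blk * SECTOR + 446 + 16 * idx
        img[off + 4] = ptype
        struct.pack_into("<II", img, off + 8, start, size)

    put_entry(0, 0, 0x07, 63, 1000)      # MBR entry 0: NTFS, 1000 sectors from LBA 63
    put_entry(0, 1, 0x05, 2048, 1500)    # MBR entry 1: extended container at LBA 2048
    put_sig(0)
    img[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "   # OEM ID of an NTFS boot sector
    put_sig(63)
    img[1062 * SECTOR:1063 * SECTOR] = img[63 * SECTOR:64 * SECTOR]  # backup copy in last sector
    put_entry(2048, 0, 0x0B, 63, 1400)   # EBR entry 0: FAT32 volume 63 sectors after the EBR
    put_sig(2048)
    img[2111 * SECTOR + 82:2111 * SECTOR + 87] = b"FAT32"
    put_sig(2111)
    return bytes(img)


if __name__ == "__main__":
    for blk, delta, role in report(build_sample_image()):
        print("Block: %d %s %s" % (blk, "(-)" if delta is None else "(+%d)" % delta, role))
```

Run stand-alone it prints five hits in sigfind's format: the MBR at 0, the NTFS boot sector at 63 (+63), its backup copy at 1062, the EBR at 2048 and the FAT32 boot sector 63 sectors after it. To use it on a real image, pass the bytes of the image to report(); any hit labelled as not in a table is the one worth carving by hand.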
