TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Black Hills InfoSec

Who’s Bootin’? Dissecting the Master Boot Record

Kassie Kimball · 2023-02-07

ATT&CK techniques detected

5 predictions

T1542.003 Bootkit · 61% · “Who’s Bootin’? Dissecting the Master Boot Record. Hal Denton // Have you ever been given an encrypted hard drive to perform forensic analysis on? What could go wrong? Probably the first thought rolling through your mind is wo…”

T1542.003 Bootkit · 45% · “…end of the structure. For an example, you can reference JPEG’s file structure to see the header (SOI) and footer (EOI). Now that you have a general understanding of the MBR data structures, let’s break down the partition information even more so we know how to manipulate…”

T1542.003 Bootkit · 40% · “…understanding of each. To validate our MBR by math, the total byte size should be 512 bytes (446 + 16 + 16 + 16 + 16 + 2 = 512 bytes). MBR – Boot Code Summary: Boot code holds instructions to tell the computer how to process the partition tables and locate the operating system.…”

T1542.003 Bootkit · 39% · “…to decimal, to identify starting sector and size of the partition. Yep, just like in school — let’s pull out those TI’s, your OS calculator, or online converter (*cough* CyberChef *cough*) to make the conversion. Below is a screenshot of the Windows calculator (changed…”

T1542.003 Bootkit · 36% · “…image to my synthetic MBR file. I proceeded to add the new image to the forensics tool and — badda bing badda boom — received my challenge and response prompt to decrypt the drive. Tools – Partition identification / validation: The Sleuth Kit (TSK) utility called mmls can iden…”

Summary

Hal Denton // Have you ever been given an encrypted hard drive to perform forensic analysis on? What could go wrong? Probably the first thought rolling through your mind is […]

The post Who’s Bootin’? Dissecting the Master Boot Record appeared first on Black Hills Information Security, Inc.