Posts

Showing posts with the label Computer Architecture.

Disk Partition Analysis

Disk Partition Analysis (DOS Partition): In this post we will briefly go through the process of understanding the disk partition scheme and how we can parse information out of it. The first thing we need is the partition table. We can obtain the partition table (MBR information) from the starting 512-byte section of the disk, or we can search for a sector ending with 0x55AA. The partition table sector can be obtained in multiple ways; the following process is demonstrated using 'dd'. Let's have a look inside - This section contains three important pieces of information: the bootstrap code area (assembly boot code), the partition table and the boot signature. The MBR layout is shown in the table below. The partition table values lie between 0x1BE and 0x1FD, containing entries for multiple partitions (16 bytes each) as shown below: From the above details we can analyse our partition. Let's consider the entries for 2 primary partitions - 8004 0104 83FE C2FF 0008 0000 0070 E109 00FE C2FF 05FE C2FF FE7F...

Endianness

Endianness is the order in which a sequence of bytes of data is stored in computer memory. We will showcase this with the help of the following example - The first command, 'xxd test.txt', takes the content of the file and displays it in hex format. Since the bytes are ASCII strings, they are not affected by the endianness ordering of the system. However, the second command, 'hexdump test.txt', takes the file (as stored) and displays its contents in hex format following the endian order supported by the system. The byte sequences are displayed here in little-endian order, hence the order of the bytes needs to be switched to read them. It can be concluded that "hexdump" displays the data based on the endian order supported by the system, e.g. Intel x86 and AMD64/x86-64 processors. Interestingly, there is a difference in the hex byte display order between the output of the two commands. It will be more appealing to analyze the output of hexdump on a system supporting big-endian order....