Comments on Computer Forensics, Malware Analysis & Digital Investigations: Simple Forensic Puzzle #1
Blog author: Lance Mueller
Feed updated: 2023-05-09T02:31:13.939-07:00
Comments: 5

Anonymous, 2011-09-04T12:29:52.534-07:00:

Hey Lance,

Thanks,

Can you create some for FTK as well

Anonymous, 2011-03-25T20:11:02.438-07:00:

I see a discrepancy in the volume file system and the partition ID as shown in the MBR.

C volume file system is FAT16 but MBR shows 0c (FAT32x)
D volume file system is FAT32 but MBR shows 07 (NTFS)
E volume file system is NTFS but MBR shows 06 (BIGDOS)

A

Anonymous, 2011-03-20T00:04:34.931-07:00:

Hello Lance,

I just downloaded E01. I'm gonna start

Lance Mueller, 2011-03-19T07:00:19.019-07:00:

@anon

Yes, you are on the right track ;)

Anonymous, 2011-03-16T21:25:20.231-07:00:

Not sure if I am on the right track, but here are a couple of things:

MBR partition table shows only 07 and one 06, but there are actually one 07 and two FAT 16's.

Relative position for 07 and 06 is the same: 1024000.

Size for 06 is zero.

Sector 63 does not have volume boot record.

Volume C and D appear to be almost identical, except the FAT for the D volume is about four times the size of C's FAT.

Lastly, volume E's $Bad Cluster is about 524MB, seems too large.

Art