SANS ISC: Quick Forensic Challenge SANS ISC InfoSec Forums

Quick Forensic Challenge
We see 8 sectors per cluster at offset 0x0D, but 1 sector per track at 0x18. This means each cluster takes up 8 tracks!? Also, there's only 1 head at offset 0x1A. While someone, somewhere might have created a drive with one head, I've never seen one.
Trevor

5 Posts
Oh. Sorry, it looks like Carry already said that.
Trevor

5 Posts
The checksum is 0.
Trevor

5 Posts
The hidden sectors being 0 is suspicious.
Trevor

5 Posts
manichattan, please contact me directly or through the handler contact page. Thanks!
Chris

140 Posts
Tidserv is loaded in the MBR and an encrypted partition is added at the end of the disk.
Rodger

5 Posts
1st partition type is 02 XENIX root (old unix MS)
Rodger

5 Posts
0x18h 1 sector per track
0x1Ah 1 head
0x1Ch 8 hidden sectors
0x28h 0xFFFDFF0000000000h Total sectors

As I wrote before, there is only one sector per track. So there are 18446180024244502528 tracks.
Eight of them are hidden. As Trevor pointed out, each cluster takes up 8 tracks, so there are 2305772503030562816 clusters.

In theory there can be a total of 18446744073709551615 clusters. However, the maximum total of clusters for Windows XP Professional can only be 4294967295 by implementation.
I do not know if this has changed since Windows Vista. So this seems to be wrong.
Rodger
2 Posts
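The plausibility checks raised across the posts above, collected into one script as an added example that is not part of the thread. Reading the quoted offsets as a little-endian NTFS-style BPB is an assumption, and the function names, the sample field values and the disk size are constructed for illustration.

```python
import struct

# Offsets are the ones quoted in the thread. Reading them as a little-endian
# NTFS-style BPB is an assumption of this example.
FIELDS = {
    "sectors_per_cluster": (0x0D, "<B"),
    "sectors_per_track":   (0x18, "<H"),
    "heads":               (0x1A, "<H"),
    "hidden_sectors":      (0x1C, "<I"),
    "total_sectors":       (0x28, "<Q"),
}
MAX_CLUSTERS = 0xFFFFFFFF  # implementation limit cited in the thread

def parse_bpb(sector: bytes) -> dict:
    """Decode the geometry fields from a 512-byte boot sector."""
    if len(sector) < 512:
        raise ValueError("need a full 512-byte boot sector")
    return {name: struct.unpack_from(fmt, sector, off)[0]
            for name, (off, fmt) in FIELDS.items()}

def review_bpb(bpb: dict, disk_sectors: int) -> list:
    """Return findings; disk_sectors is the size of the acquired image."""
    findings = []
    if bpb["sectors_per_track"] <= 1 or bpb["heads"] <= 1:
        findings.append("implausible CHS geometry")
    if bpb["hidden_sectors"] == 0:
        findings.append("hidden sectors is 0")
    if bpb["total_sectors"] > disk_sectors:
        findings.append("volume larger than the disk")
    spc = bpb["sectors_per_cluster"]
    if spc == 0:
        findings.append("sectors per cluster is 0")
    elif bpb["total_sectors"] // spc > MAX_CLUSTERS:
        findings.append("cluster count above implementation limit")
    return findings

def build_sector(spc, spt, heads, hidden, total) -> bytes:
    """Build a constructed boot sector holding only the fields parsed above."""
    sector = bytearray(512)
    values = dict(zip(FIELDS, (spc, spt, heads, hidden, total)))
    for name, (off, fmt) in FIELDS.items():
        struct.pack_into(fmt, sector, off, values[name])
    return bytes(sector)

if __name__ == "__main__":
    # Constructed values echoing the thread: 8 sectors/cluster, 1 sector/track, 1 head.
    odd = build_sector(8, 1, 1, 0, 2**36)
    for finding in review_bpb(parse_bpb(odd), disk_sectors=16_777_216):
        print("suspicious:", finding)
```

To run it against a real image, pass the first 512 bytes of the volume to `parse_bpb` and the image's sector count as `disk_sectors`.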