You can find the data source properties in the information pane. Using the information from the boot sector, the program makes a summary about the data storage. The BPB analysis on our NTFS partition gave the following results: To add or exclude a data type from the raw data inspector go to Configuration, press Configure in the string for the raw data inspector and choose the necessary data type. For example, we can find the value of the 2-byte field from position 0x0B – number of bytes per sector – in the string Word (2 bytes) – 0x0200. To have the data field displayed in the inspector we set the cursor at the field start and look for the corresponding field length in the inspector table. Values of the hexadecimal data fields are displayed in the raw data inspector. You can also convert hexadecimal view into decimal by pressing on the top of the string address pane. In this line you can check the start, length and total size of the selected area. The information about the selected area is also reflected in the contextual line. To do this we press Select rangeĪnd mark the area entering the positions from 0x0B to 0x53 We go to the BPB start directly from the list of marked positions.įor easier observing, we highlight the BPB area. In total, the BPB takes the data area from offset 0x0B to offset 0x53 (73 bytes). The BPB begins with offset 0x0B followed by the extended BPB from offset 0x24. Generally, the BPB has the following structure: These blocks contain essential information about the storage architecture and point to MFT including records about all files in the NTFS system. The BPB and the extended BPB are the most crucial part of the boot sector in respect to data recovery from an NTFS storage. Clear button will wipe the list from the file. To load the saved list into the program press Open. To use the structure for other partition analyses, we save the list into a file pressing Save. The program makes a list of all marked positions. To do this we select Mark position from the tool barĪnd save start positions of the data fields with our comments. We mark data blocks of the boot sector in the program. The structure of the NTFS boot sector is as follows: To open a partition from the disk already available in the program, select Partition from this storage from the drop-down list. To open a virtual disk choose File from the drop-down list and then open it As a disk image file. To do this we press Open, then physical disk and select the NTFS partition from the storages list in the dialog window.
FIND PARTITION HEX FIEND SOFTWARE
In addition, we give some tips as to software use.įirst, we open an NTFS partition in CI Hex Viewer. We analyze the boot sector structure with the purpose to find the MFT for further data recovery.
In this article we give an example of the raw data analysis with the software for hexadecimal viewing and editing – CI Hex Viewer. Thus, the analysis task is passed entirely into hands of the user. However, automatic software mechanisms can be insufficient in some complicated data recovery and forensics cases. Data search and analysis on a storage are normally conducted with special software. Analysis of the raw data is an indispensable part of the process of data recovery and forensic investigation.
0 kommentar(er)
