Friday, April 6, 2007

Sector Inspector

While browsing around today I came across a *not so* highly advertised tool from Microsoft. It was a late addition to the Server 2003 resource kit called Sector Inspector. Before today, I had never heard of this tool and I've never seen it mentioned.

What the heck does it do?
Well, Microsoft explains it like this: SecInspect.exe is a command-line diagnostics tool that allows administrators to view the contents of master boot records, boot sectors, and IA64 GUID partition tables. Additional features include creating hex dumps of binary files and backup/restore of sector ranges. Yes, Linux has had this capability for... years.

Sounds kind of cool eh?
Let's see what this thing can do.

c:\Program Files\Windows Resource Kits\Tools>secinspect.exe -n

Sector Inspector Copyright Microsoft Corporation 2003
18241 Cylinders
255 Heads
63 Sectors Per Track
512 BytesPerSector
12 MediaType

Master Boot Record
| B | FS TYPE | START | END | | |
| F | (hex) | C H S| C H S| RELATIVE | TOTAL |
| * | 07 | 0 1 1|1023 254 63| 63| 163846872|
| | 00 | 0 0 0| 0 0 0| 0| 0|
| | 00 | 0 0 0| 0 0 0| 0| 0|
| | 00 | 0 0 0| 0 0 0| 0| 0|
Disk Signature 0xe0efe0ef

Partition #1 NTFS backup boot sector at LBN 163846934.

Primary Partition 1
NTFS BIOS Parameter Block Information

BytesPerSector : 512
Sectors Per Cluster : 8
ReservedSectors : 0
Fats : 0
RootEntries : 0
Small Sectors : 0 ( 0 MB )
Media Type : 248 ( 0xf8 )
SectorsPerFat : 0
SectorsPerTrack : 63
Heads : 255
Hidden Sectors : 63
Large Sectors : 0 ( 0 MB )

ClustersPerFRS : 246
Clust/IndxAllocBuf : 1
NumberSectors : 163846871 ( 80003.4 MB )
MftStartLcn : 786432
Mft2StartLcn : 10240429
SerialNumber : 6388384532698611716
Checksum : 0 (0x0)


Just that simple command spits out a bunch of useful information about the drives in your system (I am only showing you one of my drives).

The two pieces of text in bold are important for two different sets of people. The first, the disk signature (0xe0efe0ef in the output above), is used to map a physical drive to a logical drive letter. In the MBR it lives at offset 0x1b8 and is 4 bytes long, and it can also be found in the registry under the MountedDevices key. This is useful information for at least one major reason: corroboration.

Here's a little scenario:
You seize a system and note that there is only one drive present in the system. You acquire an image of the disk and note that the disk had two partitions (C: and D:). During analysis you look in HKLM\SYSTEM\MountedDevices and see a DosDevice labeled \DosDevices\E: (assume that E: is actually on a different physical volume for this), but you know that you didn't find another disk in the system at the time. Looking at the first 4 bytes of the value for \DosDevices\E:, you see the disk signature, which looks like this:
0000 EF E0 EF E0

Now you know you're looking for a drive with a disk signature of EFE0EFE0. When you go back to the scene and search some more you find a disk buried in a drawer. After you image this disk, you run secinspect -n and find that the disk signature matches the missing Volume and DosDevice information in the registry. I know there are other tools that do this, but secinspect is free and we all like free.
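Added example (not part of the original post, and not secinspect's own code): a Python sketch of the corroboration check in the scenario above. It assumes the MountedDevices value for an MBR disk is 12 bytes (the 4-byte signature followed by an 8-byte partition offset in bytes); the function names and sample data are constructed for illustration. The bytes EF E0 EF E0 read as a little-endian integer give the 0xe0efe0ef that secinspect prints.

```python
import struct

SIG_OFFSET = 0x1B8         # disk signature offset in the MBR, per the post
BOOT_MAGIC = b"\x55\xaa"   # boot signature that ends a valid MBR sector

def mbr_disk_signature(sector0: bytes) -> int:
    """Return the 4-byte disk signature of an MBR as a little-endian integer."""
    if len(sector0) < 512 or sector0[0x1FE:0x200] != BOOT_MAGIC:
        raise ValueError("not a valid MBR sector")
    return struct.unpack_from("<I", sector0, SIG_OFFSET)[0]

def parse_mounted_device(value: bytes):
    """Assumed layout: 12 bytes = signature (4) + partition byte offset (8).
    Any other length (e.g. a device-path string) is not an MBR entry."""
    if len(value) != 12:
        return None
    return struct.unpack("<IQ", value)

def corroborate(sector0: bytes, mounted: dict, bytes_per_sector: int = 512):
    """List (value name, partition start sector) for entries on this disk."""
    sig = mbr_disk_signature(sector0)
    hits = []
    for name, value in mounted.items():
        parsed = parse_mounted_device(value)
        if parsed and parsed[0] == sig:
            hits.append((name, parsed[1] // bytes_per_sector))
    return hits

# --- constructed sample data, not taken from a real image or hive ---
def _sample_mbr(sig_bytes: bytes) -> bytes:
    sector = bytearray(512)
    sector[SIG_OFFSET:SIG_OFFSET + 4] = sig_bytes
    sector[0x1FE:0x200] = BOOT_MAGIC
    return bytes(sector)

SAMPLE_MBR = _sample_mbr(bytes.fromhex("EFE0EFE0"))  # bytes as seen in the hive
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": bytes.fromhex("11223344" "007E000000000000"),
    r"\DosDevices\E:": bytes.fromhex("EFE0EFE0" "007E000000000000"),
    r"\DosDevices\F:": "_??_USBSTOR#Disk&Ven_Example".encode("utf-16-le"),
}

if __name__ == "__main__":
    print(hex(mbr_disk_signature(SAMPLE_MBR)))       # secinspect's notation
    for name, lba in corroborate(SAMPLE_MBR, SAMPLE_MOUNTED):
        print(f"{name} lives on this disk, partition starts at sector {lba}")
```

To use it on evidence, pass the first 512 bytes of the disk image and a dictionary of value names to raw value bytes exported from the MountedDevices key.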

The second bit of bolded text is useful for people wanting to restore corrupted or missing boot sectors.

Note that the tool also shows you the logical cluster number of where the MFT starts.

One other useful feature of the tool is that it can convert 64-bit hex file times to UTC format. Take the Vista Backup Time I talked about previously, where I used Dcode to convert the timestamp.
That value, 704ac9ebcc6dc701, was a 64-bit timestamp. Using secinspect I can convert the time via the command line (note that the bytes are given in reverse order):
C:\Program Files\Windows Resource Kits\Tools>secinspect.exe -time 01c76dccebc94a70

Sector Inspector Copyright Microsoft Corporation 2003

UTC TIME 03/24/2007 04:28:49.0994

That's pretty sweet.


H. Carvey said...

Great post! Thanks for mentioning it, and posting! I can see a number of uses for this tool, in addition to the one you pointed out!



Anonymous said...

I know it's a while since this was posted originally and I hate to resurrect old posts, but I didn't know how I should raise this question.

I've downloaded and installed this tool and wonder if the relevant files can be used on a CD or USB thumb drive in order to interrogate another hard drive. I don't have access to another computer for 10 days or so, otherwise I'd check it myself. I guess that a hard drive or USB memory stick could be attached to the PC on which SecInspect has been installed but the former isn't so easy if SecInspect is on a laptop.