Hey! Thank you for the video, I wanna see more stuff on file carving, GPT analysis and extended partition analysis. I am actually just getting started in forensics and found your video really helpful for understanding the structure of DOS|MBR partitioned drives. Furthermore, I have downloaded the raw disk images you mentioned and have examined the second partition entry metadata.
1- First byte set to 0x00, indicating this is a non-bootable partition
2- Partition type value set to 0x07, indicating an NTFS partition (FS type is NTFS)
3- Starting LBA address -> 0x32800 = 206,848 -> starting in-file offset -> 0x6500000
4- Size of the partition in sectors 0x27CD000 -> size of the partition in bytes 21367881728 =~ 21 GB
Thank you for your comment. I will create another video about GPT. Please consider sharing my video to support the growth of my channel.
I will wait for the others for the answer.
Hi All, I hope you enjoy my videos. Could I ask you to support my channel by sharing my videos to help it grow? Don't forget to like and subscribe. Also, if you'd like me to create a new video on any topic related to cyber security and digital forensics, just let me know.
Definitely, I will share it on my socials. Also, I am a threat researcher and started sharing some malware analysis and reversing content; if you're into it, give it a look!
I am confused, 0x0030200 to decimal is 197120, why is it 204800 at 8:49? Can you tell me why? Thank you!!!
It’s great that you found this. You are correct; the value should be 197120, not 204800. Here’s why:
0X 00 02 03 00 is stored as little endian
It should be read byte by byte from right to left and then you can convert it to 00 03 02 00
0000 0000 0000 0011 0000 0010 0000 0000
2^17+2^16+2^9 = 512+65536+131072 = 197120
@CyDig Thanks for the answer. Very helpful video!
Really helpful! Thank you ❤
Thanks
Extremely good content
Thanks
Good explanation. I prefer the Active Disk Editor for MBR analysis, because of the templates and color segmentation.
I will download it and try using Active Disk Editor. Please consider sharing my video to help grow my channel.
Thank you, this helped me a lot
This was helpful but I want to know how I could convert big endian to sector because I am learning to analyse partition tables with Linux Caine command line
See this example to find out the sector number: 0X 00 02 03 00 is stored as little endian
It should be read byte by byte from right to left and then you can convert it to 00 03 02 00
0000 0000 0000 0011 0000 0010 0000 0000
2^17+2^16+2^9 = 512+65536+131072 = 197120 sectors
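The little-endian conversion worked through in the reply above, applied to a whole MBR partition table, as an added example that is not part of the original comments or the video. It assumes 512-byte sectors; the function names are hypothetical, and the sample sector is constructed (slot 1 is made up, slot 2 uses the values quoted in the first comment).

```python
import struct

SECTOR_SIZE = 512      # assumption: 512-byte sectors
TABLE_OFFSET = 446     # partition table starts at 0x1BE in the MBR
ENTRY_SIZE = 16
TYPE_NAMES = {0x07: "NTFS/exFAT/HPFS", 0x05: "Extended", 0xEE: "GPT protective"}

def le32(raw):
    """Decode 4 on-disk bytes as an unsigned little-endian integer."""
    return int.from_bytes(raw, "little")

def parse_mbr(sector):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector) < SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) sector count(4)
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0x00:          # unused slot
            continue
        entries.append({
            "slot": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start_lba,
            "byte_offset": start_lba * SECTOR_SIZE,   # offset inside the raw image
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return entries

def build_sample_mbr():
    """Constructed sample sector, not taken from a real disk image."""
    sector = bytearray(SECTOR_SIZE)
    slots = [(0x80, 0x07, 2048, 204800),          # constructed values
             (0x00, 0x07, 0x32800, 0x27CD000)]    # values quoted in the first comment
    for i, fields in enumerate(slots):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE, *fields)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print("00 02 03 00 ->", le32(bytes.fromhex("00020300")), "sectors")
    for p in parse_mbr(build_sample_mbr()):
        print(p)
```

To run it against a raw image, pass the first 512 bytes of the file to `parse_mbr` in place of `build_sample_mbr()`.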
ntfs