After a very brief search using Google, Sourceforge, and Freshmeat I’ve come to the rather under educationed conclusion that there are no freeware file signature lists out there. Pity that. So, with a particular need in mind, I have begun alittle experiment.
The thing I want to find in this first part of the experiment, the key offsets on a floppy disk. For those “in the know”, please correct me if I have these all wrong.
I took a floppy disk from my stack and reformatted it. I then grabbed an image of the disk using:
dd if=\\\\.\a: of=floppy.dd bs=512 conv=noerror
The image created can be found here. The md5 of the zip file is 69f4d2d4f12f73c083e62271806e2d04.
The MD5 of the image itself is 82b34b5225782e9938d5858ba9d8f7cf.
Now then, I took the image and loaded into my trusty hex editor. I noticed the following offsets on the disk that MAY be particular areas of interest for forensic work. Again, if I’m wrong lemme know.
00000000:00000202 looks like header info for the drive to include FStype
inside this offset at 000001a1 we have what seems to be the default error for NTLoader?
Which leaves us with 000001f2-00000202 which makes little sense to me except what appears to be a common refrain throughout my analysis “f0 ff ff”. Perhaps it’s the end of the diskette header?
From 00000203 – 000013ff we have nulls.
At 00001400-00001402 we have another “f0 ff ff”. End of the FAT?
From 00001403 – 000025ff we have nulls.
At 00002600-00002619 appears to be the label of diskette. Now, when I formatted the drive I called it “for-exp1”. That’s 8 characters for the math impaired. Maximum was 11 but the space provided is a bit more than than that…what’s the extra space for?
From 0000261a – 000041ff we have nulls.
From 00004200 – 00167dff uninterrupted is f6 repeated.
From 00167e00 – 00167fff we have nulls.
So that’s it for a forensic look at a recently formatted floppy drive. Next up we’ll put some stuff on the same floppy and have another look at it.