Forensic look at Floppy Disk pt2

Posted by on May 1, 2005

I added a single Word file to the floppy disk I formatted in the entry here. Got the image with:

dd if=\\.\a: of=floppy.dd3 bs=512 conv=noerror

The image can be found here. MD5 of the zip is d0845f6ece41f8927c889be0323130b5.
MD5 for the image itself is 7ca9ccd2d465bdae4eadae8e46727946.

Loaded the image into my hex editor and found the following offsets of interest:

00000202
Same as before, giving more credence to this area being a header of some sort.

00000203-0000022f
This is new. Since we’ve only added one file, we have to assume this is the FAT area and the record for the Word file we added.

03 40 00 05 60 00 07 80 00 09 a0
00 0b c0 00 0d e0 00 0f 00 01 11
20 01 13 40 01 15 60 01 17 80 01
19 a0 01 1b c0 01 1d e0 01 1f f0
ff

00000230-000013ff
All nulls. This area has shrunk since we added the Word file. Perhaps it’s safe to say the FAT area of a floppy disk ranges from offset 00000203 to 000013ff?

00001400-0000142f
In the first analysis we only had f0 ff ff beginning at 00001400. After adding the Word file we still have the f0 ff ff, but following that we seem to have a repeat of the content beginning at 00000203-0000022f.

f0 ff ff 03 40 00 05 60 00 07 80 00 09 a0
00 0b c0 00 0d e0 00 0f 00 01 11 20 01 13
40 01 15 60 01 17 80 01 19 a0 01 1b c0 01
1d e0 01 1f f0 ff

The remaining space (0000142f-000025ff) is, again, all nulls.

00002600-00002619
Here we have the same thing we had before:

46 4f 52 2d 45 58 50 31 20 20 20 08 00
00 00 00 00 00 00 00 00 00 09 6d 9e 32

but now we have some more beginning at 0000261a:

00 00 00 00 00 00 e5 48 4b 31 30 20 20 20 54
4d 50 20 10 8b 08 24 a1 32 a1 32 00 00 09 24
a1 32 00 00 00 00 00 00 41 47 00 65 00 61 00
72 00 20 00 0f 00 bd 4c 00 69 00 73 00 74 00
2e 00 64 00 00 00 6f 00 63 00 47 45 41 52 4c
49 7e 31 44 4f 43 20 00 b5 a5 65 a1 32 a1 32
00 00 2f 51 2d 31 02 00 d4 3b

This contains the filename of the file we added. I suspect there may be an offset in this mess that points to the location on the disk of the content itself. We’ll see.
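Decoding the dumps above as FAT12 structures, as an added example that is not part of the original post: the 03 40 00 05 60 00 run is the 12-bit cluster chain (each three bytes hold two entries), and the bytes from 00002600 are 32-byte root-directory entries, in which the 02 00 d4 3b at the end of the GEARLI~1.DOC entry is its start cluster and file size, the two values that locate the content on the disk. The hex is copied from the dumps above (the two 00 bytes closing the size field are the first of the nulls listed at 0000267e); the only assumption is the standard 1.44 MB floppy layout, with 512-byte sectors, one sector per cluster and the first data cluster at 0x4200.

```python
SECTOR = 512         # bytes per sector; one sector per cluster on a 1.44 MB floppy
DATA_START = 0x4200  # image offset of cluster 2, the first data cluster, on that layout
# Constructed from the dumps above: the FAT copy at 0x1400 and the root directory from
# 0x2600 (the size field's last two bytes are the first nulls the post lists at 0x267e).
FAT = bytes.fromhex(
    "f0 ff ff 03 40 00 05 60 00 07 80 00 09 a0 00 0b c0 00 0d e0 00 0f 00 01 11 20 01 13"
    " 40 01 15 60 01 17 80 01 19 a0 01 1b c0 01 1d e0 01 1f f0 ff")
ROOT_DIR = bytes.fromhex(
    "46 4f 52 2d 45 58 50 31 20 20 20 08 00 00 00 00 00 00 00 00 00 00 09 6d 9e 32"
    " 00 00 00 00 00 00 e5 48 4b 31 30 20 20 20 54 4d 50 20 10 8b 08 24 a1 32 a1 32 00 00 09 24"
    " a1 32 00 00 00 00 00 00 41 47 00 65 00 61 00 72 00 20 00 0f 00 bd 4c 00 69 00 73 00 74 00"
    " 2e 00 64 00 00 00 6f 00 63 00 47 45 41 52 4c 49 7e 31 44 4f 43 20 00 b5 a5 65 a1 32 a1 32"
    " 00 00 2f 51 2d 31 02 00 d4 3b 00 00")

def fat12_entry(fat, n):
    """Entry n of a FAT12 table: two 12-bit entries share three bytes (the 03 40 00 pattern)."""
    pair = fat[n * 3 // 2] | (fat[n * 3 // 2 + 1] << 8)
    return pair >> 4 if n & 1 else pair & 0x0FFF

def cluster_chain(fat, first):
    """Follow next-cluster pointers from `first` until an end-of-chain mark."""
    chain, c = [], first
    while 2 <= c < 0xFF8 and c not in chain:  # stop on EOC (0xFF8-0xFFF), free/bad, or a loop
        chain.append(c)
        c = fat12_entry(fat, c)
    return chain

def parse_root_dir(raw):
    """Walk 32-byte entries; VFAT long-name pieces precede the 8.3 entry they belong to."""
    files, lfn = [], {}
    for i in range(0, len(raw) - 31, 32):
        e = raw[i:i + 32]
        if e[0] == 0x00: break              # never-used slot: end of the directory
        if e[11] == 0x0F:                   # long-name piece: 13 UTF-16LE chars in three runs
            lfn[e[0] & 0x1F] = (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le")
            continue
        base = (b"?" + e[1:8] if e[0] == 0xE5 else e[:8]).decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        files.append({"short_name": f"{base}.{ext}" if ext else base, "attr": e[11],
                      "deleted": e[0] == 0xE5, "start_cluster": int.from_bytes(e[26:28], "little"),
                      "size": int.from_bytes(e[28:32], "little"),
                      "long_name": "".join(lfn[k] for k in sorted(lfn)).split("\0")[0] or None})
        lfn = {}
    return files

def file_extents(fat, entry):
    """Image byte ranges (start, end inclusive) holding the file, clipped to its size."""
    size = entry["size"]
    starts = [DATA_START + (c - 2) * SECTOR for c in cluster_chain(fat, entry["start_cluster"])]
    return [(s, s + min(SECTOR, size - i * SECTOR) - 1) for i, s in enumerate(starts[:-(-size // SECTOR)])]
```

Running it over these bytes gives the volume label FOR-EXP1, a deleted ?HK10.TMP (a Word temp file, 0xe5 marks it deleted), and GEARLI~1.DOC with long name "Gear List.doc", start cluster 2 and size 0x3bd4, whose 30 clusters span 00004200-00007dd3.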

0000267e-000041ff are nulls.

00004200-00007dd3 is the contents of the file we added. (You can be nosey if ya like, but you’ll only find the uniform and gear standards for the 7th Kentucky, US Infantry Living History group.)

00007dd4-00007dff are nulls.

00007e00-00167dff are f6 repeated.

00167e00-00167fff are nulls.

More thoughts on this once I get some sleep and the benadryl takes effect…

Last modified on May 1, 2005

Categories: InfoSec