TGZ of DD dumps of compromised #badBIOS obsd system with variant disk sections

http://goo.gl/G0Mz4w

the naming syntax is:
d[block-size or 512b if no block size][skip amount in blocks]

(if there is no block size it means the dd default of 512b)

those are all dds from same drive, on the affected system running in ramdisk

Note diff results based on skip, and that the drive returns all nulls except MBR if you start reading from the beginning

The interesting ones are the ones around skip=104216 bs=512b
especially the first ones that returned ~64k... the disk returned all nulls with reads beginning earlier in the disk than that.

x2 means the second time I poked at that region (it changed, though somehow these dumps don't seem to reflect that, odd)

(sorry don't recall why I called the e# dumps that, it turned out to be insignificant)

dtgz md5 44ec7b2259210dd6e7075b98768e8daa

Files less than 1M: that's all dd returned; large ones I truncated.
The drive was a Seagate Momentus 7200.2 500Gb traditional disk.

On those DDs the infected BIOS complained that the drive was not bootable. (Had to fdisk update the boot sector and rebuild the partition table, which returned all nulls from within the infected boot system, to be able to boot from CD and extract the images.)

The reason I'm doing this from within the infected system is that external analysis of infected drives on non-infected systems previously seemed to yield nothing interesting on the drive or the boot sector. Though I haven't checked starting reads on funny sections of the disk yet with an extracted drive. I will check this drive with funny reads from an infected system reading on an uninfected system next to compare.

cheers,
--dr
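The read-at-varying-skip procedure the post describes, as an added example that is not part of the original post: each region is dumped with dd, named with the post's d<block size>b<skip> convention, hashed, and flagged when the read came back all nulls. It assumes POSIX sh plus dd, tr, wc, cut and md5sum; the sample image is constructed here so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post). Assumes POSIX sh plus dd, tr, wc, cut, md5sum.
# Dumps one region at a time, names the dump the way the post does
# (d<block size>b<skip in blocks>), and reports whether the read came back
# all nulls, the behaviour the post describes for reads starting early on the disk.

# Return 0 if FILE is empty or contains only NUL bytes, 1 otherwise.
is_all_null() {
    nonnull=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonnull" -eq 0 ]
}

# probe_region SOURCE BLOCKSIZE SKIP COUNT
# Dumps COUNT blocks of BLOCKSIZE bytes starting SKIP blocks into SOURCE and
# prints: <dump name> <bytes returned> <md5> <nulls|data>
probe_region() {
    src=$1; bs=$2; skip=$3; count=$4
    out="d${bs}b${skip}.dd"
    dd if="$src" of="$out" bs="$bs" skip="$skip" count="$count" 2>/dev/null
    bytes=$(wc -c < "$out" | tr -d ' ')
    sum=$(md5sum "$out" | cut -d' ' -f1)
    if is_all_null "$out"; then kind=nulls; else kind=data; fi
    printf '%s %s %s %s\n' "$out" "$bytes" "$sum" "$kind"
}

# Constructed sample image: 16 blocks of 512 bytes, all zero except block 5,
# standing in for a drive that only returns data from one region.
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=16 2>/dev/null
    printf 'BOOT-SECTOR-MARKER' | dd of="$img" bs=512 seek=5 conv=notrunc 2>/dev/null
}

# probe_offsets SOURCE BLOCKSIZE COUNT SKIP...
# Walks a list of skip offsets, as the post did, to see where data first appears.
probe_offsets() {
    src=$1; bs=$2; count=$3; shift 3
    for skip in "$@"; do probe_region "$src" "$bs" "$skip" "$count"; done
}
```

Run as `make_sample_image sample.img; probe_offsets sample.img 512 1 0 4 5 6`; only the skip=5 dump reports `data`, the others report `nulls`.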