mbrChunker

Release Notes: The hex byte searching functionality was flawed and had to be rewritten. Additionally, it could not handle files larger than 2-3gb in size but now can handle files of any size given the new redesign. A -b flag was added to let the user customize how big the buffer will be when searching for your hex string. All three functions, dd2vmdk, MBR analysis, and hex byte string searching, work fine under any Linux OS.

Release Notes: A new feature has been added that allows the end-user to search for hex byte patterns within your forensics images (or any binary file). It allows for you to enter any number of bytes for your hex pattern. It returns via stdout all locations within your binary file where that byte hex pattern was found and its corresponding byte offset location. Specifically, the idea is to incorporate this functionality against large dd imaged VMFS partitions that would grab all master boot record sectors and analyze them for the user.

Release Notes: When doing the analysis of the partitions, it now writes to the output file that was given to it on the command line. In version 0.2, this was not the case. For example, when you run the command ./mbrChunker -i <path to image> -a <analysis output file location>, the data is now saved to that output file.

Release Notes: mbrChunker can now parse each of the primary partition entries, analyze each of the 16 byte entries for information such as boot indicator, starting head, starting sector, starting cylinder, system ID, ending head, ending sector, ending cylinder, and total sectors. It also validates the partition types of each of the partition entries. As of now, the tool can convert DD images into a flat VMDK file and analyze each of the partition entries found within the master boot record (physical sector 0) of a hard drive.