February 26th 06, 03:43 PM, posted to microsoft.public.win98.disks.general
Forensic information requested.


"KA1oxd" wrote in message ...
Does anyone here have the following two pieces of information that I am
looking for? The first piece is dealing with the more in-depth shutdown
process and exactly when does the registry get closed during that process
and the second piece is dealing with information in depth about the sectors
and clusters use. I was told that the physical sector 96 displays the hex
character 07 when the system is not properly shut down. I would like to know
if that is true and at what was terminated before that is written to the
disk.


That's not true about "sector 96", and I don't really understand the other
question.


Microsoft Extensible Firmware Initiative FAT32 File System Specification
(fatgen103.doc)
http://www.microsoft.com/hwdev/downl.../FATGEN103.doc


quote
What are the two reserved clusters at the start of the FAT for? The first
reserved cluster, FAT[0], contains the BPB_Media byte value in its low 8 bits,
and all other bits are set to 1. For example, if the BPB_Media value is 0xF8,
for FAT12 FAT[0] = 0x0FF8, for FAT16 FAT[0] = 0xFFF8, and for FAT32 FAT[0] =
0x0FFFFFF8. The second reserved cluster, FAT[1], is set by FORMAT to the EOC
mark. On FAT12 volumes, it is not used and is simply always contains an EOC
mark. For FAT16 and FAT32, the file system driver may use the high two bits of
the FAT[1] entry for dirty volume flags (all other bits, are always left set
to 1). Note that the bit location is different for FAT16 and FAT32, because
they are the high 2 bits of the entry.

For FAT16:
ClnShutBitMask = 0x8000;
HrdErrBitMask = 0x4000;

For FAT32:
ClnShutBitMask = 0x08000000;
HrdErrBitMask = 0x04000000;

Bit ClnShutBitMask - If bit is 1, volume is "clean".

If bit is 0, volume is "dirty". This indicates that
the file system driver did not Dismount the volume
properly the last time it had the volume mounted. It
would be a good idea to run a Chkdsk/Scandisk disk
repair utility on it, because it may be damaged.

Bit HrdErrBitMask - If this bit is 1, no disk read/write errors were encountered.

If this bit is 0, the file system driver encountered a
disk I/O error on the Volume the last time it was
mounted, which is an indicator that some sectors may
have gone bad on the volume. It would be a good idea
to run a Chkdsk/Scandisk disk repair utility that does
surface analysis on it to look for new bad sectors.

/quote
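
Added example, not part of the original post or of the Microsoft specification: a Python reader that locates FAT[0] and FAT[1] in a volume image and decodes the two flag bits with the masks quoted above. The function names and the sample volumes are constructed for illustration; the boot-sector field offsets and the cluster-count thresholds for telling FAT12, FAT16 and FAT32 apart are taken from the same FAT specification, not from the passage quoted in the post.

```python
import struct

# Dirty-volume masks exactly as quoted from the specification above.
MASKS = {"FAT16": (0x8000, 0x4000), "FAT32": (0x08000000, 0x04000000)}

def parse_bpb(img):
    """Return (fat_type, byte offset of FAT[0], BPB_Media) from the boot sector."""
    (bps, spc, rsvd, nfats, root_ents,
     tot16, media, fatsz16) = struct.unpack_from("<HBHBHHBH", img, 11)
    tot32, fatsz32 = struct.unpack_from("<II", img, 32)
    if bps == 0 or spc == 0:
        raise ValueError("not a FAT boot sector")
    root_secs = (root_ents * 32 + bps - 1) // bps
    fat_secs = nfats * (fatsz16 or fatsz32)
    clusters = ((tot16 or tot32) - rsvd - fat_secs - root_secs) // spc
    # The FAT type is decided by cluster count alone.
    kind = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return kind, rsvd * bps, media

def shutdown_flags(img):
    """Decode FAT[0]/FAT[1]; FAT12 carries no flags, so those come back None."""
    kind, off, media = parse_bpb(img)
    if kind == "FAT12":
        return {"type": kind, "media_ok": None, "clean": None, "no_io_error": None}
    fat0, fat1 = struct.unpack_from("<HH" if kind == "FAT16" else "<II", img, off)
    clean_mask, err_mask = MASKS[kind]
    return {"type": kind,
            "media_ok": (fat0 & 0xFF) == media,   # low 8 bits of FAT[0]
            "clean": bool(fat1 & clean_mask),      # 0 = not dismounted properly
            "no_io_error": bool(fat1 & err_mask)}  # 0 = I/O error last mount

def make_sample(kind, fat1):
    """Constructed volume: boot sector and first FAT entries only, all else zero."""
    img = bytearray(512 * 40)
    if kind == "FAT16":   # 1 reserved sector, 2 FATs of 80 sectors, 20200 sectors
        struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 512, 20200, 0xF8, 80)
        struct.pack_into("<HH", img, 512, 0xFFF8, fat1)
    else:                 # FAT32: 32 reserved sectors, 2 FATs of 800 sectors
        struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 32, 2, 0, 0, 0xF8, 0)
        struct.pack_into("<II", img, 32, 100000, 800)
        struct.pack_into("<II", img, 32 * 512, 0x0FFFFFF8, fat1)
    return bytes(img)

if __name__ == "__main__":
    for kind, fat1 in [("FAT16", 0xFFFF), ("FAT16", 0x7FFF), ("FAT32", 0x0BFFFFFF)]:
        print(hex(fat1), shutdown_flags(make_sample(kind, fat1)))
```

The flags live in the first FAT sector after the reserved area, so their absolute sector number depends on BPB_RsvdSecCnt and on where the partition starts; it is not a fixed physical sector.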