Tuesday, October 9, 2012

OMFW 2012: Reconstructing the MBR and MFT from Memory

This presentation introduced two new Volatility plugins: mbrparser and mftparser which will be released in Volatility 2.3.  These plugins empower the investigator to explore possible MBR infections or in the case of mftparser, files that are in use on the system.   There are real examples in the slides which you can view for yourself.  You can find the mbrparser plugin in the Volatility 2.3 branch and the mftparser will appear there sometime soon. Feel free to send feedback.

Author/presenter: Jamie "Gleeda" Levy (@gleeda)
Direct link: Reconstructing the MBR and MFT from Memory


  1. Hi Jamie, fairly new to this space, I am trying to understand your slides. In the methodology described on slide 23, similar to the prior methodology, we would scan for potential MBRs by scanning for '\x55\xaa' but in order to discard possible positives, we check the partition table. What are we checking in the partition table and how does what we find reduce false positives?

  2. Hi Jeremy,

    Sorry for the late reply. In order to have a valid partition table we must have one valid, non-empty bootable partition. So we check that the table meets that criteria. You will probably still have a few false positives and could probably cut this even further by looking at other items like sector size, starting and ending sectors or that other partitions are either of a valid type or empty. However, for now the check we have seems to be good enough.

    I just updated our documentation to reflect this a little bit better:


  3. Hi, the slides are not available anymore at GoogleDocs, any chance there is a mirror or the link can be fixed?

    Thank you!

  4. I'm not seeing the same issue here for some reason. I've uploaded the slides to here anyway, however: