GetSectors

Description

GetSectors is designed to collect low-level disk data, i.e. data not related to the file system. As such, it can typically be used to collect the boot sector, the boot code, the partition tables, slack space on the disk (typically the available sectors after the last partition), etc.

Output

GetSectors generates the requested dump(s) in an archive or a folder. The tool also generates a CSV file, GetSectors.csv, which contains the metadata about the dump(s) with the following columns.

Value              Description
ComputerName       The computer name
Disk               The disk from which the dump is extracted
DumpDescription    The type of dump (MBR, GPT primary header, …)
DumpName           The dump file name in output
DumpOffset         The starting offset of the dumped region (on the disk)
DumpSize           The size of the dump in bytes
ReadingTime        Time to read the dumped region
DiskInterfaceUsed  Actual device used to read the dump region
DiskSectorSize     The disk sector size in bytes

The dump name inside the output directory/archive is generated by the concatenation of

  • the disk name (where “\\” is replaced by “_”),

  • “_off_” followed by the offset of the data collected (in bytes),

  • “_len_” followed by the length of the data collected (in bytes),

  • a description of the dump:

    Value                                  Description
    EFI-partition                          Full UEFI partition
    MBR                                    Master Boot Record
    VBR-of-<Partition Description>         Volume Boot Record
    VBR-backup-of-<Partition Description>  Volume Boot Record backup
    IPL-of-<Partition Description>         Initial Program Loader
    GPT-primary-header                     Primary GPT header
    Disk-slack-space                       Slack space located after the last partition on disk
    Custom-sample                          Custom portion of disk

The dump file extension is .bin.

As an example, __._PhysicalDrive0_off_0_len_512_MBR.bin is the name of an MBR dump.

Logging output can be configured with the syntax described in Configuring Console Output.
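The naming convention and the CSV columns above are enough to check a collection for completeness before analysis. The following is an added example, not part of DFIR-Orc: it parses dump names and compares them with GetSectors.csv and the file sizes found on disk, flagging discrepancies for review. The function names, the sample rows and the assumption that the CSV has a header row with decimal values are illustrative.

```python
import csv
import io
import re

# Naming convention from the page: <disk>_off_<offset>_len_<length>_<description>.bin
# Assumption: offset and length are written in decimal, as in the page's MBR example.
NAME_RE = re.compile(r"^(?P<disk>.+?)_off_(?P<off>\d+)_len_(?P<len>\d+)_(?P<desc>.+)\.bin$")

def parse_dump_name(name):
    """Split a dump file name into its parts, or return None if it does not fit."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    return {"disk": m["disk"], "offset": int(m["off"]),
            "length": int(m["len"]), "description": m["desc"]}

def check_dumps(csv_text, file_sizes):
    """Compare CSV rows with the dumps present; file_sizes maps name -> size in bytes.
    Assumption: header row uses the column names listed on the page."""
    problems, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["DumpName"]
        seen.add(name)
        parsed = parse_dump_name(name)
        if parsed is None:
            problems.append(f"{name}: name does not follow the convention")
            continue
        if parsed["offset"] != int(row["DumpOffset"]):
            problems.append(f"{name}: offset in name differs from DumpOffset")
        if parsed["length"] != int(row["DumpSize"]):
            problems.append(f"{name}: length in name differs from DumpSize")
        if name not in file_sizes:
            problems.append(f"{name}: listed in CSV but file is missing")
        elif file_sizes[name] != int(row["DumpSize"]):
            problems.append(f"{name}: file is {file_sizes[name]} bytes, CSV says {row['DumpSize']}")
    for name in sorted(set(file_sizes) - seen):
        problems.append(f"{name}: file present but not listed in CSV")
    return problems

# Constructed sample data (reduced column set, not real GetSectors output).
SAMPLE_CSV = """DumpDescription,DumpName,DumpOffset,DumpSize
MBR,__._PhysicalDrive0_off_0_len_512_MBR.bin,0,512
GPT primary header,__._PhysicalDrive0_off_512_len_512_GPT-primary-header.bin,512,512
"""
SAMPLE_FILES = {
    "__._PhysicalDrive0_off_0_len_512_MBR.bin": 512,
    "__._PhysicalDrive0_off_512_len_512_GPT-primary-header.bin": 446,  # truncated
    "__._PhysicalDrive0_off_1024_len_512_Custom-sample.bin": 512,      # not in CSV
}
```

Calling check_dumps(SAMPLE_CSV, SAMPLE_FILES) reports the truncated GPT header dump and the unlisted custom sample.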

Usage

A typical syntax to use GetSectors looks like the following:

DFIR-Orc.exe GetSectors /LegacyBootCode /SlackSpace /Out=BootCode.7z

DFIR-Orc.exe GetSectors /UefiFull /Out=UefiFull.7z

Note

For the tool to have something to dump, at least one of the options /LegacyBootCode, /UefiFull, /SlackSpace or /Custom must be specified.

/Disk=<Device> Option

optional=yes, default=Windows boot disk

Specifies the name of the disk device to read sectors from. A disk image file can also be used.

/Disk=\\.\PhysicalDrive0
/Disk=D:\MyImage.dd

Further access path examples are given in Configuring Locations, but some of them are not allowed or do not make sense for this tool.

/LegacyBootCode Option

optional=yes, default=N/A

Predefined logic to dump MBR, VBRs and IPLs (cf. https://en.wikipedia.org/wiki/Booting).

/UefiFull Option

optional=yes, default=Off

Dumps the entire EFI partition.

/UefiFullMaxSize Option

optional=yes, default=400M

Used in combination with the /UefiFull option to specify a maximum size to dump. A larger partition will be truncated.

/SlackSpace Option

optional=yes, default=Off

Predefined logic to dump sector samples located outside any partition.

/SlackSpaceDumpSize=<Size> Option

optional=yes, default=5MB

Maximum size, in bytes, of the collected slack space (unallocated disk space starting after the end of the last partition). This option is only used when the /SlackSpace option is active.

/Custom Option

optional=yes, default=Off

Dumps a specific disk extent. Must be followed by /CustomOffset and/or /CustomSize.

/CustomOffset=<Size> Option

optional=yes, default=0

Specifies the offset, in bytes, of the disk extent to dump.

/CustomSize=<Size> Option

optional=yes, default=512

Specifies the size, in bytes, of the disk extent to dump.

/Out=<Path> Option

optional=yes, default=.\GetSectors.7z

Specifies the name of the result container. The container can be a folder or an archive (7z, zip, cab). For more details on this option, please refer to the output documentation.

/NotLowInterface Option

optional=yes, default=False

Prevents the tool from trying to obtain a low-level interface on the disk device using the SetupAPI functions. By default, GetSectors attempts to use the lowest means accessible from user mode to open the specified disk (usually the bus interface); /NotLowInterface disables this behavior.