Examining the Windows Boot Disks
with Norton
Disk Editor and DEBUG
Page Three

Copyright©2003 by Daniel B. Sedory
[Do NOT reproduce without permission from the author.]

Examples in Learning How Disk
Boot Records, FATs and Directories Function


Exercise 2: Editing MAC Times in a Directory, Creating Image Files and checking the MD5 sum of a whole diskette

Editing the Directory Entries

Now we'll change the data in the Root Directory, so press the ALT+O keys (or click on the "Object" word) and select "Directory" from the menu. Depending upon which OS Startup Disk you have, you are going to change both the date and time of the EBD.SYS and MSDOS.SYS files to: 5-11-98 and 7:01:00 pm (for Windows 98), 4-23-99 and 10:22:00 pm (for Windows 98 SE), or 6-8-00 and 5:00:00 pm (for Windows ME). I'll mention the Windows XP Disk later. Do not change the date/time of any other files: the original Win 98 Disk's EXTRACT.EXE file should remain as 11-24-98. Here's the Windows 98 SE Disk just before the change:


Figure 8.

"Now my diskette should have the same bytes as anyone else with my OS version, right?" Wrong! I said doing this would only get us closer to what we're seeking! What you may not have noticed (unless you already checked out all of DISKEDIT's menu selections) is that there's also a display for the Last Accessed Date and both the Creation Date and Time of each file! Together with the Modified Date and Time that you changed above (for MSDOS.SYS and EBD.SYS), these are known collectively as a file's MAC (Modified, Last Accessed and Created) Times. In the Root Directory, after pressing the ALT + "." keys (the symbol ">" is on that same key for US keyboards) or just clicking the mouse on the "More >" menu, you'll see something similar to this (but with all the dates and times when you created your own Startup Disk!):


Figure 9.

OK. Take it easy... Or, maybe the shock of having to change all these dates and times hasn't even hit you yet... But don't worry! I'm going to show you a very easy way to change all of them at once in DISKEDIT.

[[ Somewhere in here make room for: " If you use Windows XP, consider this your first assignment! After running the UNERASE program on your diskette, you can use WINMEDSK.md5 (see next section) and the hkSFV program to verify that all the files you recovered are from a Windows ME Startup Disk. " ] ]

First, while you're viewing the disk's Directory (it won't matter if you've switched back to the Last Modified Date/Time or are still viewing it with the Last Accessed Date and Creation Date/Time), you need to mark all the files in the Directory (in both Sectors 19 and 20). You can do this by either keeping your main mouse button depressed and moving the cursor down across all the filenames or by using the Arrow keys until all the files have a black background. But in order to use the keyboard for this, you must first place DISKEDIT into Mark mode (something I really dislike about this program!) The quickest way to do that is to press both the CTRL and "B" keys at once; otherwise, you must use the "Edit" menu and select "Mark" (using a mouse driver could make things a lot easier for some of you).

Next open DISKEDIT's "Tools" menu and select "Set Date/Time . . ." from it. That will open a window containing 5 checkboxes: The first two boxes are for setting the Last Modified Time and Date (only the words Time and Date appear here). The next two boxes are for setting the "Creation Time" (either to the nearest second or in hundreds of Milliseconds) and "Creation Date" and the fifth box is for setting the "Last Access Date" [Note: All of the dates and times for each of these settings will always be the present date and time when you open the window and will remain as such until you change them.]

Make sure that you have checked only the last three boxes in the window (for those without a mouse, use the TAB key to change focus and the SPACEBAR to check or uncheck a box). Here's what my screen looked like just before changing the Creation Dates/Times and the Last Accessed Dates on a Windows 98 SE Startup Disk to match the Last Modified Dates and Times of 4-23-99 and exactly 10:22:00 pm (you can see in this picture that it was done at 7:45 am on May 17, 2003):


Figure 10.

If you have one of the original Windows 98 Disks, then you'll be setting these to 5-11-98 at exactly 7:01:00 pm And for those with a Win ME Startup Disk, you will be setting the Creation and Last Access dates and times to: 6-8-00 at exactly 5:00:00 pm.  Remember, to make sure that each digit of the Creation Time's Milliseconds setting is a zero, or you won't get the correct MD5 sum for this exercise !

After changing and writing the MAC Times to Sectors 19 and 20 of your Startup Disk, make sure to return and lock the diskette's Write-protect tab into its Read-only position!

Now you'll need to make a binary "image file" of your Startup Disk so you can compute the MD5 checksum of the whole diskette. If you had a Linux OS available, you could do this with the 'dd' command, or you could use a Windows imaging program (such as WinImage). But since we're learning about DISKEDIT here, we're going to use it instead. The steps are actually quite easy: 1) Select the item "Physical Sector . . ." from the "Object" menu (or press the ALT+"P" keys) and make sure the range is set for all 2,880 sectors like this:


Figure 11.

2) Press the ALT+"W" keys (or select the "Write Object To . . ." item from the "Tools" menu) and press the "OK" button if you see "2,880 sectors" will be written and the item "to a File . . ." is selected:


Figure 12.

3) In the next window that pops up, you must enter a drive letter, folder and/or file name that DISKEDIT will be able to write as a file of 1440 kbytes on some type of FAT partition (FAT32 most likely). I saved my Windows 98 SE Startup Disk as "W98SESD.IMG" and suggest that you use the extension ".IMG" (or .IMA) for saving any floppy disk image file.

Finally, you can boot up your Windows OS again before locating the saved image file and then computing its MD5 sum (perhaps with the Windows program hkSFV).

If you're a regular reader of these pages, I'd like you to send me the answer you got for your version of Windows! I'll definitely reply if you do so and let you know if it's correct.


The Starman.

Last Update: May 30, 2003.

Back to Page One

The Starman's Realm Index Page

 

 

 

 

Hosted by uCoz