← HomepageQueztaz/Simulating Bad Blocks NTFS Filesystems

Simulating Bad Blocks NTFS Filesystems

Simulating Bad Blocks on NTFS Filesystems

Preamble

Directions for simulating a file system corruption error on an NTFS drive on a Windows host system. This is useful when you are testing tools that require this error exist.

Simulating Corruption

https://github.com/jamersonpro/ntfsmarkbad

Creating the test environment

Create the folder for our demo environment

mkdir BadBlocktest
cd BadBlockTest

Download the NtfsMarkBad tool

Invoke-WebRequest -Uri "https://github.com/jamersonpro/ntfsmarkbad/releases/download/v0.0.2/NtfsMarkBad.exe" -Outfile "NtfsMarkBad.exe" -UseBasicParsing

Create a virtual hard disk file

New-VHD -Path "BadBlocks.vhd" -Fixed -SizeBytes 100MB
Mount-VHD .\BadBlocks.vhd

Setting up the NTFS Volume

Creating a filesystem

Open DiskMGMT.msc. The first prompt will be to format the drive. Select GPT and format the device using NTFS with the default settings.

Now use NtfsMarkbad.exe with the drive letter of the mounted VHD. Copy the "First Volume Sector" value for later.

./NtfsMarkbad.exe G:

Output:
NTFSMARKBAD 0.0.2 x64     https://github.com/jamersonpro/ntfsmarkbad

Scanning volume...
First volume sector: 128 **MAKE NOTE OF THIS**
Last volume sector: 16511
Bytes per sector: 512
Sectors per cluster: 8
Total cluster count: 2047
Completed.

These commands will create a file slightly larger than 1MB in size. Files less than this will get stored directly in the MFT Table instead of on sectors of the FS

fsutil.exe file createnew G:\file.txt 1048576
fsutil.exe file queryextents G:\file.txt

Output: VCN: 0x0        Clusters: 0x100      LCN: 0x5c0

The NtfsMarkBad.exe software requires a range of sectors to mark as bad. Using the data from the queryextents command, copy this template to mark your drive as bad. The sections you need to replace with your own values are commented

  $SectorsPerCluster=8
  $FirstVolumeSector=1000
  $VCN=[uint32]"0x0"        # Change this
  $CLUSTERS=[uint32]"0x100" # Change this
  $LCN=[uint32]"0x5c0"      # Change this

  $LCN = ($VCN + $LCN)
  $StartingSector = (($LCN * $SectorsPerCluster) + $FirstVolumeSector)
  $EndingSector = ((($LCN + $CLUSTERS -1) * $SectorsPerCluster) + $FirstVolumeSector)

  ./NtfsMarkBad.exe G: $StartingSector $EndingSector

Output Example

PS F:\Programs\Forensics>   ./NtfsMarkBad.exe D: $StartingSector $EndingSector
NTFSMARKBAD 0.0.2 x64     https://github.com/jamersonpro/ntfsmarkbad

Scanning volume...
First volume sector: 128
Last volume sector: 200831
Bytes per sector: 512
Sectors per cluster: 8
Total cluster count: 25087
The number of clusters skipped since they already marked bad: 0
The number of clusters skipped since they are in use: 1360
The number of selected clusters: 108
Adding 108 clusters to the Bad Clusters File...
Completed.
PS F:\Programs\Forensics>

PS C:\Users\Peter\Downloads> ./NtfsMarkBad.exe G: $StartingSector $EndingSector NTFSMARKBAD 0.0.2 x64 https://github.com/jamersonpro/ntfsmarkbad

Scanning volume… First volume sector: 128 Last volume sector: 16511 Bytes per sector: 512 Sectors per cluster: 8 Total cluster count: 2047 The number of clusters skipped since they already marked bad: 0 The number of clusters skipped since they are in use: 131 The number of selected clusters: 0 No clusters to add to the Bad Clusters File.

CHKDSK Sample Output

PS C:\Users\Peter\BadBlocksTest> chkdsk /f G:
The type of the file system is NTFS.

Chkdsk cannot run because the volume is in use by another
process.  Chkdsk may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N)