MBR Backup

Discussion in 'backup, imaging & disk mgmt' started by TheKid7, Feb 27, 2013.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I was thinking of the following possible future situation: A PC is infected with a Rootkit/Bootkit and won't boot. I want to save/backup the infected MBR for later Malware analysis.

    If a person wanted to back up only the MBR using a Live CD or bootable media, what would be the best way and preferred Software/OS for backing up the MBR?

    Thanks in Advance.
     
  2. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    With OS off you can use e.g. MbrFix - a command line interface (CLI) app.
    With OS on you can use MBRBackup - a TrojanHunter tool.

    Both allow you to back up and restore the MBR.
     
  3. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    MBRWork from TeraByte Unlimited. You can also create a new MBR with this tool if you didn't have your infected MBR previously backed up.
     
  4. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,279
    Not compatible with Windows 7 x64.
     
  5. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    I have just confirmed... ;)
     
  6. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    Guys,

    I have Win8 64-bit. MBRWork works fine. Why do you say it doesn't work with Win7?
     
  7. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    I just tested it with Win7 64-bit. It works fine.
     
  8. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Can do it from any Linux live CD/USB, from the command-line using dd.

    You simply need to grab the first bit of the disk:

    dd if=/dev/sda of=/mbr.bak bs=446 count=1

    Cheers, Nick
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,279
    I get an error message: "The version of this file is not compatible with the Windows version you are using..." (translated).
     
  10. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
  11. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    Even easier. You can put it on a TBOSDT UFD.
     
  12. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    How do you set up/use a TBOSDT UFD?
     
  13. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    Sure.

    http://www.terabyteunlimited.com/tbosdt.htm#download

    In the DOS_TBOS folder double click maketbos.exe
    In the optional components select TeraByte Command Script Processor
    Leave the defaults for the flash drive

    Copy mbrwork.exe to the flash drive

    Boot from the flash drive and you will see this prompt

    >

    Type mbrwork.exe and press Enter

    HD0 will be the flash drive but this is BIOS dependent. Use Option 7 (Change active hard drive) to find your relevant HD. If you are uncertain, disconnect the non-boot HDs and try again.

    Option 1 (Backup First Track) This backs up LBA 0 to LBA 63. The MBR is LBA 0. (Some apps call the First Track the MBR)
    Exit

    Have a look at the flash drive in Windows and you will see BACKUP1.BIN with a file size of 32 KB.

    To restore the backup, boot from the flash drive, start mbrwork.exe, find your HD.
    Because you now have a backup on the flash drive you will have Option 2 (Restore First Track)
    Option 2
    You will see a Warning and be asked if you want to continue
    Y
    Exit

    It's easy. Just make sure you are working on the correct HD.
     
    Last edited: Feb 28, 2013
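
Added example, not part of the original posts and not code from any of the tools named in the thread: a Python check of a saved image before it goes to analysis, covering both the 446-byte dd dump and the 32 KB first-track BACKUP1.BIN described above. It assumes 512-byte sectors and the classic MBR layout; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR = 512          # bytes per LBA sector (assumed)
BOOT_CODE_LEN = 446   # bootstrap code area; the size copied by the dd command above
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, start LBA, sector count

def inspect_mbr_backup(data: bytes) -> dict:
    """Summarise a saved image: 446-byte boot code, one sector, or a first track."""
    if len(data) < BOOT_CODE_LEN:
        raise ValueError(f"only {len(data)} bytes: too short to hold MBR boot code")
    info = {
        "size": len(data),
        "sectors": len(data) // SECTOR,
        "image_sha256": hashlib.sha256(data).hexdigest(),
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "has_partition_table": len(data) >= SECTOR,
        "signature_ok": None,   # unknown for a boot-code-only dump
        "partitions": [],
    }
    if len(data) < SECTOR:
        return info  # partition table and 0x55AA signature were not captured
    info["signature_ok"] = data[510:512] == b"\x55\xaa"
    for i in range(4):  # four 16-byte partition entries follow the boot code
        status, ptype, start, count = ENTRY.unpack_from(data, BOOT_CODE_LEN + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            info["partitions"].append({"index": i, "active": status == 0x80,
                                       "type": ptype, "start_lba": start,
                                       "sectors": count})
    return info

def constructed_first_track() -> bytes:
    """Constructed 32 KB sample (LBA 0 to LBA 63), not taken from a real disk."""
    boot = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
    table = ENTRY.pack(0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return boot + table + b"\x55\xaa" + b"\x00" * (63 * SECTOR)

if __name__ == "__main__":
    # Pass the backup file as the first argument, or run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_first_track()
    for key, value in inspect_mbr_backup(blob).items():
        print(f"{key}: {value}")
```

Recording image_sha256 at acquisition time lets later copies of the sample be checked against the original backup.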
  14. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Thank you.
     