SYSTEMS attempts to determine what type of operating system boot sectors and/or partition tables are resident on a hard disk.
The user can use boot sector signatures (such as MSDOS, NT, IBM) built into the program to identify boot sectors and partition tables, or the user can supply a specific file containing custom signatures.
* The suspect computer should be booted with a WIN9X bootable floppy disk.
The program should be able to operate on any physical hard disk regardless of the operating system present on that disk (after all, the purpose of this program is to tell the user what systems are on the disk). However, if the disk is a SCSI disk and the proper drivers were not installed, there may be a problem. If the SCSI controller has the BIOS turned off, this may also pose a problem. This situation may occur when the suspect has two SCSI controllers in the computer. One may have the BIOS turned off, which in some tests precluded a DOS 6.22 boot disk from seeing the drives.
The program reads the MBR, the BIOS and, if it is available, the LBA information of a disk. It will show all hard drives on the system and ask the user which one to interrogate. It will then attempt to read the first sector of heads 0 and 1 from every track on the hard disk selected. It will look for the following strings in the first 10 characters of these sectors: "IBM", "DOS", "NTFS", "OS2" and "NOVELL". It will also look at the last 2 characters for 0x55AA, indicating a system sector.
If it finds any of these items, it will identify the track and sector as containing a possible partition or boot code. If no output file is selected the contents of the sector are shown. If output is selected, the contents are placed in the output file along with appropriate identifying information.
The program uses disk parameters from the LBA, BIOS or MBR, in that order of priority. The drive information shown to the user indicates with a * which calculation mode is being used to calculate the number of tracks on the drive.
THE AUTHOR ACCEPTS NO RESPONSIBILITY FOR DAMAGE DONE TO DISKS OR DATA AS A RESULT OF USING THIS PROGRAM.
In addition, SYSTEMS has the capability, with the -S option, to capture to separate files on a disk all the partition and boot record sectors it finds. Programs such as rescue and others only capture the master partition table (head 0, track 0, sector 1). However, they do not capture any information in additional or extended partitions. If one of those partitions gets corrupted, it cannot be recovered. The -S option allows you to capture to a file the contents of every partition and boot record SYSTEMS identifies. Then, at a later time, the sector can be manually replaced using a disk editor type program.
When the -S option is used, it creates output files with names generated according to the head and track the sectors were retrieved from. The file name structure is TTT_HH, where the TTT is a three digit number indicating the track (cylinder) the sector comes from, and the HH indicates the head. Both numbers start at 0. The data is always retrieved from sector 1, so that is irrelevant for the file name. If no path is provided to the -S option, these files are generated in the root directory of A:\. So you better have a disk in the drive.
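The scan and the -S file naming described above, reproduced over a raw disk image as an added example (this is not the SYSTEMS source code). It assumes the caller supplies the geometry (heads, sectors per track) and that the image is read from a file rather than through the BIOS; the function names and the sample image are constructed for illustration.

```python
SECTOR = 512
BUILTIN = [b"IBM", b"DOS", b"NTFS", b"OS2", b"NOVELL"]  # strings listed on this page


def scan(image, heads, spt, signatures=BUILTIN, n=10):
    """Check sector 1 of heads 0 and 1 on every track (cylinder).

    Returns (track, head, matched_strings, has_55aa) for each sector that
    carries a signature string in its first n bytes or ends in 55 AA.
    """
    hits = []
    tracks = len(image) // (heads * spt * SECTOR)
    for track in range(tracks):
        for head in range(min(2, heads)):
            lba = (track * heads + head) * spt      # CHS (track, head, 1) -> LBA
            sector = image[lba * SECTOR:(lba + 1) * SECTOR]
            found = [s.decode() for s in signatures if s in sector[:n]]
            has_55aa = sector[510:512] == b"\x55\xaa"
            if found or has_55aa:
                hits.append((track, head, found, has_55aa))
    return hits


def save_name(track, head):
    """File name in the TTT_HH form used by -S (both numbers start at 0)."""
    return f"{track:03d}_{head:02d}"


def build_sample(heads=4, spt=8, tracks=6):
    """Constructed test image: MBR, two boot sectors, one sector without 55 AA."""
    img = bytearray(tracks * heads * spt * SECTOR)

    def put(track, head, data, marker=True):
        off = (track * heads + head) * spt * SECTOR
        img[off:off + len(data)] = data
        if marker:
            img[off + 510:off + 512] = b"\x55\xaa"

    put(0, 0, b"\xfa\x33\xc0")                  # MBR: boot code, no OEM string
    put(0, 1, b"\xeb\x3c\x90MSDOS5.0")          # FAT boot sector, OEM name at offset 3
    put(3, 0, b"\xeb\x52\x90NTFS    ")          # NTFS boot sector
    put(5, 1, b"\x00" * 16, marker=False)       # no string, no 55 AA: goes unreported
    return bytes(img)


if __name__ == "__main__":
    for track, head, found, marker in scan(build_sample(), heads=4, spt=8):
        print(save_name(track, head), found, "55AA" if marker else "no 55AA")
```

The sector at track 5, head 1 is never reported because it has neither a known string nor the 55 AA ending, which is the same reason a Linux swap partition is missed by the scan.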
LINUX NOTE:
Linux is able to format and partition the drive into (if you will) “its own image”. This means that the program “SYSTEMS” will properly identify, as part of the partition table, the various LINUX partitions and their beginning and ending tracks. However, Linux SWAP partitions do not contain the traditional hex 55AA signature at the end of the sector, so when scanning occurs, that partition is not located. You must use the partition information to identify these “eXtra” Linux partitions. Also, some of the other partitions on the drive may not be detected as being in the first head. However, the MBR will properly reflect the partitions.
C:>systems -[options[-d# -p -n# -O filename -F filename -? -b]]
C:>systems -d 0 -o output.fle
normal default running of hard disk 0, output to output.fle
C:>systems -d 0 -S
do physical drive 0, and save the partition information to files on A:\
C:>systems -d 1 -S c:\temp
do physical drive 1, and save the partition information to files in the C:\TEMP subdirectory. DO NOT enter any file names. Just the path.
-b: print some debugging information
-d #: # = the drive to check, C: or D:. C and D are physical drives 0 and 1. No tests have been done for drives 2 through X, but they may work in certain situations.
-f signature_file_name the name of the file containing additional signatures. Must be carriage return delimited. See SIGNATURES below.
-n #: where # is the default characters to check. Program default is the first 10 characters per sector. This can be changed if necessary.
-o filename filename where to put output information. output file contains track, and printout of data found
-P: Pause at start of program in addition to every signature
-p: Pause whenever a signature is found
-s + dr:\path ‘S’ave the partition and boot records into files located in appropriate path as provided. C:\TMP (etc). (DO NOT ENTER FILENAMES)
SIGNATURES:
If more signatures are needed, there are two ways to do it.
First method: Create a text file, return delimited, with the additional strings to check, and use the -f option.
Second method: Add them to a text file, and use the binary copy to append them to the end of the .exe program. (copy /b systems.exe + signatures new.exe). The program first defaults to its internal strings, then reads those at the end of the program and lastly reads the additional signatures from the -f option:
Norton Diskeditor