It simulates several crash situation that you will be able to easily reproduce and examine within these tools.

Prerequisite :

• IDA Pro (6.0) with the IDA Python plug-in (1.4.3)

Steps :

1. Prepare your forensic disk image.
   In general, it is that simple :

   $ dd if=<source> of=disk.img bs=65536 conv=noerror

   Or :

   $ ddrescue -n <source> <dest> file.log

   Check the disk geometry using :

   $ fdisk -luc disk.img

   These values will be useful for step 5.
   However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :

   $ dd if=input of=output bs=2064384 count=507

Refer to CHS if you wonder how to get these values.

2. Extract the MBR from the disk or from the image you just took.

   $ dd if=<source> of=mbr.dump bs=512 count=5

3. Download and install the Bochs x86-64 emulator, which comes with a debugger that will work nicely with IDA.
4. Download this archive from Hexblog (IDA Pro’s blog). We will use two files from there : bochrc, wich is the configuration file for Bochs, and mbr.py which a python file helpful from preparing the debugging environment.
5. Copy bochrc in your working directory and edit the following line to match your disk image geometry :

   ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63

   Before going on, you may test that Bochs can use the image with these settings :

   C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q

6. In the same directory, copy mbr.py and edit the following settings :

   # Some constants
   SECTOR_SIZE = 512
   BOOT_START  = 0x7C00
   BOOT_SIZE   = 0x7C00 + SECTOR_SIZE * 4
   BOOT_END    = BOOT_START + BOOT_SIZE
   SECTOR2     = BOOT_START + SECTOR_SIZE
   MBRNAME    = "mbr.img"
   IMGNAME     = "sdb.img"

7. Now open a console and type :

   C:\> mbr update

8. With IDA Pro, open the boshrc file. IDA should recognize the format and set the proper settings.
9. From the menu, open File/Script File and select mbr.py. It will close IDA after execution.
10. Open again your *.idb file, set a breakpoint at 0x7C00.
11. Start the debugger.

You should now be able to go ahead and debug the MBR step by step.

References :

• Hexblog : Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin
• MISC Magazine #53 : Votre MBR pris en otage ! – Nicolas Brulez (Kaspersky labs)
• Bochs User Manual : Chapter 8, Tips and Techniques

It shows and allows to configure the global settings, but also, and this is the most interesting part, indicated for each process running if it supports those security measures. It is even able to enforce the protections for each application which would not support it natively (i.e. not set at compilation time).