Difference between pages "User talk:Simsong" and "How to analyse partitions"

From ForensicsWiki

(Difference between pages: the left-hand page, User talk:Simsong, follows here; the right-hand page, How to analyse partitions, is reproduced in full below.)

== Categories ==

As a Wikipedia user, I have noticed that none of your articles have categories. Did you know that categories exist in MediaWiki? If yes, is there a reason? I would like to start work on it. [[Special:Categories]], http://meta.wikimedia.org/wiki/Help:Category --[[User:Midnightcomm|Midnightcomm]] 01:09, 23 April 2006 (EDT)

:Woah, I don't know much about Categories. How would I add them? What are they for?

::[http://en.wikipedia.org/wiki/Wikipedia:Categorization Categories] are used to help organize pages. I also see that there are no help articles; in the absence of them, I will be using the Wikipedia [http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style style guides]. --[[User:Midnightcomm|Midnightcomm]] 01:09, 23 April 2006 (EDT)
::<nowiki>[[Category:File Systems]]</nowiki>

:::Sounds good to me. We welcome your contributions.

:::Yay! I'm all for categories. I've started adding some (tools, licenses, OSes, ...), feel free to add more and categorize the articles. --[[User:Uwe Hermann|Uwe Hermann]] 15:03, 23 April 2006 (EDT)

::::How do you add categories? --Simson

::::: Usually you just add <nowiki>[[Category:Foobar]]</nowiki> somewhere at the bottom of the page, more info [http://meta.wikimedia.org/wiki/Help:Category here]. For the tools, I have incorporated the category into the Infobox, see [[dd]] for an example. It looks a bit stupid in the wiki source, but keeps the wiki category and the "Genre:" classification in one place, which is important IMHO. Btw, you can sign your "posts" with "<nowiki>--~~~~</nowiki>" which will expand to username and date, just like on this post. --[[User:Uwe Hermann|Uwe Hermann]] 21:45, 2 May 2006 (EDT)

== Tools ==

Hi, a quick message regarding [[Tools]]: it's true that [[Tools]] was getting quite big, but I think one page which lists ''all'' tools with a one-liner description is actually quite useful. For better readability and so on, I suggest we use categories which breaks up the tools quite nicely, too. Thoughts? --[[User:Uwe Hermann|Uwe Hermann]] 15:26, 30 April 2006 (EDT)

:Well, there are so many different kinds of tools. I don't see the advantage of having tools about reconstructing MBRs on the same page as tools that do anti-forensics. Somebody who wants to see all of the tools can do a search for "Tools."

::Hm, true. Maybe there's a possibility to show all items in a category (and its subcategories) on one page, that'd be nice and sufficient. Will check... --[[User:Uwe Hermann|Uwe Hermann]] 21:45, 2 May 2006 (EDT)

Revision as of 22:24, 1 May 2006

A How-to for dealing with partitions.

[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the mmls program to display the contents of partitions. mmls reads the partition table of a given type (here `dos`, a DOS/MBR table) and lists each entry with its start and end sectors and its length; all units are sectors.

For example:

 # mmls -t dos disk.dd
      Slot    Start        End          Length       Description
 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
 01:  -----   0000000001   0000000062   0000000062   Unallocated
 02:  00:00   0000000063   0002056319   0002056257   Win95 FAT32 (0x0B)
 03:  00:01   0002056320   0008209214   0006152895   OpenBSD (0xA6)
 04:  00:02   0008209215   0019999727   0011790513   FreeBSD (0xA5)
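To show where the numbers in the listing above come from, here is an added example (not part of the original page or of The Sleuth Kit) that decodes the four primary entries of a DOS/MBR partition table and prints them in the same Slot/Start/End/Length/Description layout, including the table sector and the unallocated gap. The MBR it parses is constructed in the code to match the layout shown above.

```python
import struct

# Type codes seen in the page's listing; names follow mmls's descriptions.
TYPE_NAMES = {0x0B: "Win95 FAT32", 0xA6: "OpenBSD", 0xA5: "FreeBSD"}

def build_mbr(entries):
    """Constructed sample only: 512-byte MBR from (type, start_lba, length) tuples."""
    mbr = bytearray(512)
    for i, (ptype, start, length) in enumerate(entries):
        # entry layout: status, CHS start, type, CHS end, LBA start, LBA length
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, length)
    mbr[510:512] = b"\x55\xAA"  # boot signature
    return bytes(mbr)

def parse_dos_table(mbr):
    """Return mmls-style rows (slot, start, end, length, desc), gaps included."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR signature")
    rows = [("-----", 0, 0, 1, "Primary Table (#0)")]
    parts = []
    for i in range(4):
        # skip status + CHS start, read type, skip CHS end, read LBA start/length
        ptype, start, length = struct.unpack_from("<4xB3xII", mbr, 446 + 16 * i)
        if ptype and length:
            parts.append((i, ptype, start, length))
    cursor = 1  # first sector after the MBR itself
    for i, ptype, start, length in sorted(parts, key=lambda p: p[2]):
        if start > cursor:  # sectors no table entry claims
            rows.append(("-----", cursor, start - 1, start - cursor, "Unallocated"))
        name = TYPE_NAMES.get(ptype, "Unknown")
        rows.append((f"00:{i:02d}", start, start + length - 1, length,
                     f"{name} (0x{ptype:02X})"))
        cursor = start + length
    return rows

def format_rows(rows):
    """Render rows in the column layout mmls uses (units are sectors)."""
    out = ["     Slot    Start        End          Length       Description"]
    for n, (slot, start, end, length, desc) in enumerate(rows):
        out.append(f"{n:02d}:  {slot:<6}  {start:010d}   {end:010d}   {length:010d}   {desc}")
    return "\n".join(out)

# Constructed MBR reproducing the layout of the page's first mmls listing.
SAMPLE_MBR = build_mbr([(0x0B, 63, 2056257), (0xA6, 2056320, 6152895),
                        (0xA5, 8209215, 11790513)])

if __name__ == "__main__":
    print(format_rows(parse_dos_table(SAMPLE_MBR)))
```

The End column is Start + Length - 1, and the Unallocated row covers the sectors between the MBR and the first entry that no table entry claims; an unexpected gap or overlap in a real table is worth a closer look.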

The BSD partitions carry their own disk label inside the DOS partition. You can use mmls with `-t bsd` and the `-o` sector offset to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:

 # mmls -t bsd -o 2056321 disk.dd
      Slot    Start        End          Length       Description
 00:  02      0000000000   0019999727   0019999728   Unused (0x00)
 01:  08      0000000063   0002056319   0002056257   MSDOS (0x08)
 02:  00      0002056320   0002260943   0000204624   4.2BSD (0x07)
 03:  01      0002260944   0002875823   0000614880   Swap (0x01)
 04:  03      0002875824   0003080447   0000204624   4.2BSD (0x07)
 05:  04      0003080448   0003233663   0000153216   4.2BSD (0x07)
 06:  07      0003233664   0004257791   0001024128   4.2BSD (0x07)
 07:  06      0004257792   0008209214   0003951423   4.2BSD (0x07)
 08:  09      0008209215   0019984859   0011775645   Unknown (0x0A)

(Examples from SKI #12)