How to analyse partitions

From ForensicsWiki
Revision as of 08:37, 2 May 2006

A How-to for dealing with partitions.

Sleuth Kit Informer #12 (http://www.sleuthkit.org/informer/sleuthkit-informer-12.html) suggests using the mmls program from The Sleuth Kit to display the layout of the partitions in a disk image.

For example:

 # mmls -t dos disk.dd
      Slot    Start       End         Length      Description
 00:  -----   0000000000  0000000000  0000000001  Primary Table (#0)
 01:  -----   0000000001  0000000062  0000000062  Unallocated
 02:  00:00   0000000063  0002056319  0002056257  Win95 FAT32 (0x0B)
 03:  00:01   0002056320  0008209214  0006152895  OpenBSD (0xA6)
 04:  00:02   0008209215  0019999727  0011790513  FreeBSD (0xA5)
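As an added example (not part of the original page or of The Sleuth Kit), the following Python reproduces that listing by parsing a constructed MBR sector that carries the same three entries; the type-name lookup, the helper names and the sample sector are assumptions made for the example.

```python
import struct

# Type codes that appear in the page's mmls listing (constructed lookup, not TSK's own table).
TYPE_NAMES = {0x0B: "Win95 FAT32", 0xA6: "OpenBSD", 0xA5: "FreeBSD"}


def mbr_entry(ptype, start, length, boot=0):
    """Build one 16-byte DOS partition entry (CHS fields left zero; the LBA fields matter)."""
    return struct.pack("<B3sB3sII", boot, b"\0\0\0", ptype, b"\0\0\0", start, length)


def parse_mbr(sector0):
    """Return mmls-style rows (slot, start, end, length, description) for a DOS table.

    Like the page's `mmls -t dos` output it lists the table sector itself, any
    unallocated gaps, and each primary entry. Extended partitions are not chained.
    """
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a DOS partition table")
    entries = []
    for i in range(4):
        _boot, _cs, ptype, _ce, start, length = struct.unpack(
            "<B3sB3sII", sector0[446 + 16 * i:462 + 16 * i])
        if ptype != 0 and length != 0:            # empty slots are all zero
            entries.append((i, ptype, start, length))
    rows = [("-----", 0, 0, 1, "Primary Table (#0)")]
    next_free = 1                                  # first sector after the MBR itself
    for i, ptype, start, length in sorted(entries, key=lambda e: e[2]):
        if start > next_free:                      # gap before this partition
            rows.append(("-----", next_free, start - 1, start - next_free, "Unallocated"))
        name = TYPE_NAMES.get(ptype, "Unknown")
        rows.append(("00:%02d" % i, start, start + length - 1, length,
                     "%s (0x%02X)" % (name, ptype)))
        next_free = start + length
    return rows


def format_rows(rows):
    """Render rows in the same column layout as mmls."""
    lines = ["     Slot    Start      End        Length     Description"]
    for n, (slot, start, end, length, desc) in enumerate(rows):
        lines.append("%02d: %-5s %010d %010d %010d %s" % (n, slot, start, end, length, desc))
    return "\n".join(lines)


# Constructed MBR reproducing the layout of the page's first listing (not a real disk.dd).
DISK_DD_SECTOR0 = (b"\0" * 446 + mbr_entry(0x0B, 63, 2056257, boot=0x80)
                   + mbr_entry(0xA6, 2056320, 6152895) + mbr_entry(0xA5, 8209215, 11790513)
                   + b"\0" * 16 + b"\x55\xaa")

if __name__ == "__main__":
    print(format_rows(parse_mbr(DISK_DD_SECTOR0)))
```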

You can also use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition, passing a sector offset into the image with the -o option:

 # mmls -t bsd -o 2056321 disk.dd
      Slot    Start       End         Length      Description
 00:  02      0000000000  0019999727  0019999728  Unused (0x00)
 01:  08      0000000063  0002056319  0002056257  MSDOS (0x08)
 02:  00      0002056320  0002260943  0000204624  4.2BSD (0x07)
 03:  01      0002260944  0002875823  0000614880  Swap (0x01)
 04:  03      0002875824  0003080447  0000204624  4.2BSD (0x07)
 05:  04      0003080448  0003233663  0000153216  4.2BSD (0x07)
 06:  07      0003233664  0004257791  0001024128  4.2BSD (0x07)
 07:  06      0004257792  0008209214  0003951423  4.2BSD (0x07)
 08:  09      0008209215  0019984859  0011775645  Unknown (0x0A)

(Examples from Sleuth Kit Informer #12, http://www.sleuthkit.org/informer/sleuthkit-informer-12.html)