ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "How to analyse partitions" and "How to recover deleted files"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Howto:Partitions moved to How to analyse partitions: Move to HOWTO name.)
 
m (HowTo:Sleuth Kit moved to How to recover deleted files: Moved title to name of the HOWTO. I'll create a "Howtos" category now, where we can put all the HOWTOs...)
 
Line 1: Line 1:
A How-to for dealing with partitions.
+
Using the [[Sleuth Kit]] to:
  
[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the ''mmls'' program to display the contents of partitions.
+
* [http://www.sleuthkit.org/informer/sleuthkit-informer-14.html Recover deleted files]
 
+
For example:
+
 
+
  # mmls -t dos disk.dd
+
  Slot Start End Length Description
+
  00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
+
  01: ----- 0000000001 0000000062 0000000062 Unallocated
+
  02: 00:00 0000000063 0002056319 0002056257 Win95 FAT32 (0x0B)
+
  03: 00:01 0002056320 0008209214 0006152895 OpenBSD (0xA6)
+
  04: 00:02 0008209215 0019999727 0011790513 FreeBSD (0xA5)
+
 
+
You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:
+
 
+
  # mmls -t bsd -o 2056321 disk.dd
+
  Length Description
+
  00: 02 0000000000 0019999727 0019999728 Unused (0x00)
+
  01: 08 0000000063 0002056319 0002056257 MSDOS (0x08)
+
  02: 00 0002056320 0002260943 0000204624 4.2BSD (0x07)
+
  03: 01 0002260944 0002875823 0000614880 Swap (0x01)
+
  04: 03 0002875824 0003080447 0000204624 4.2BSD (0x07)
+
  05: 04 0003080448 0003233663 0000153216 4.2BSD (0x07)
+
  06: 07 0003233664 0004257791 0001024128 4.2BSD (0x07)
+
  07: 06 0004257792 0008209214 0003951423 4.2BSD (0x07)
+
  08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)
+
 
+
(Examples from  [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])
+

Revision as of 23:55, 15 May 2006

Using the Sleuth Kit to: