Difference between revisions of "How to analyse partitions"

From ForensicsWiki

Latest revision as of 19:00, 15 May 2006

A How-to for dealing with partitions.

Sleuth Kit Informer #12 suggests using the mmls program to display the layout of the partitions in a disk image.

For example:

 # mmls -t dos disk.dd
  	Slot	Start	End	Length	Description
 00:	-----	0000000000	0000000000	0000000001	Primary Table (#0)
 01:	-----	0000000001	0000000062	0000000062	Unallocated
 02:	00:00	0000000063	0002056319	0002056257	Win95 FAT32 (0x0B)
 03:	00:01	0002056320	0008209214	0006152895	OpenBSD (0xA6)
 04:	00:02	0008209215	0019999727	0011790513	FreeBSD (0xA5)

You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:

 # mmls -t bsd -o 2056321 disk.dd
 	Slot	Start	End	Length	Description
 00:	02	0000000000	0019999727	0019999728	Unused (0x00)
 01:	08	0000000063	0002056319	0002056257	MSDOS (0x08)
 02:	00	0002056320	0002260943	0000204624	4.2BSD (0x07)
 03:	01	0002260944	0002875823	0000614880	Swap (0x01)
 04:	03	0002875824	0003080447	0000204624	4.2BSD (0x07)
 05:	04	0003080448	0003233663	0000153216	4.2BSD (0x07)
 06:	07	0003233664	0004257791	0001024128	4.2BSD (0x07)
 07:	06	0004257792	0008209214	0003951423	4.2BSD (0x07)
 08:	09	0008209215	0019984859	0011775645	Unknown (0x0A)

(Examples from Sleuth Kit Informer #12)
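
How the rows of the mmls -t dos listing above follow from the partition table stored in sector 0, as an added Python example (not taken from Sleuth Kit Informer #12 or from The Sleuth Kit's code). The sample sector is constructed from the values in that listing, and the type-name table is an assumption that covers only the three type codes shown there.

```python
import struct

SECTOR = 512
# Type names limited to the three codes that appear in the DOS listing above.
TYPES = {0x0B: "Win95 FAT32", 0xA6: "OpenBSD", 0xA5: "FreeBSD"}

def build_sample_mbr():
    """Constructed sector 0 whose primary entries mirror the DOS listing above."""
    mbr = bytearray(SECTOR)
    parts = [(0x0B, 63, 2056257), (0xA6, 2056320, 6152895), (0xA5, 8209215, 11790513)]
    for i, (ptype, start, length) in enumerate(parts):
        # 16-byte entry: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, 0, b"\0" * 3, ptype, b"\0" * 3, start, length)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_dos_table(sector0):
    """Return (slot, start, end, length, description) rows, with gaps marked Unallocated."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a DOS partition table")
    entries = []
    for i in range(4):
        _, _, ptype, _, start, length = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if ptype != 0 and length != 0:  # skip empty slots
            entries.append((start, length, ptype, i))
    rows = [("-----", 0, 0, 1, "Primary Table (#0)")]
    cursor = 1  # first sector not yet accounted for
    for start, length, ptype, i in sorted(entries):
        if start > cursor:
            rows.append(("-----", cursor, start - 1, start - cursor, "Unallocated"))
        name = "%s (0x%02X)" % (TYPES.get(ptype, "Unknown"), ptype)
        rows.append(("00:%02d" % i, start, start + length - 1, length, name))
        cursor = max(cursor, start + length)
    return rows

def byte_offset(row):
    """Byte offset of a row's first sector, for tools that take bytes instead of sectors."""
    return row[1] * SECTOR

if __name__ == "__main__":
    for n, (slot, start, end, length, desc) in enumerate(parse_dos_table(build_sample_mbr())):
        print("%02d:  %s  %010d  %010d  %010d  %s" % (n, slot, start, end, length, desc))
```

The End column is Start + Length - 1, and the sectors between the table and the first partition (1 to 62) are reported as Unallocated.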

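External Links

* Sleuth Kit Informer #12: Using mmls from The Sleuth Kit (http://www.sleuthkit.org/informer/sleuthkit-informer-12.html)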