ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "How to analyse partitions"

From ForensicsWiki
Jump to: navigation, search
m
(Category.)
 
(One intermediate revision by the same user not shown)
Line 27: Line 27:
 
   08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)
 
   08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)
  
(Examples from [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])
+
(Examples from [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12: Using mmls from The Sleuth Kit]
 +
 
 +
[[Category:Howtos]]

Latest revision as of 00:00, 16 May 2006

A How-to for dealing with partitions.

Sleuth Kit Informer #12 suggests using the mmls program to display the contents of partitions.

For example:

 # mmls -t dos disk.dd
  	Slot	Start	End	Length	Description
 00:	-----	 0000000000	0000000000	0000000001	Primary Table (#0)
 01:	-----	0000000001	0000000062	0000000062	Unallocated
 02:	00:00	0000000063	0002056319	0002056257	Win95 FAT32 (0x0B)
 03:	00:01	0002056320	0008209214	0006152895	OpenBSD (0xA6)
 04:	00:02	0008209215	0019999727	0011790513	FreeBSD (0xA5)

You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:

 # mmls -t bsd -o 2056321 disk.dd
 Length	Description
 00:	02	0000000000	0019999727	0019999728	Unused (0x00)
 01:	08	0000000063	0002056319	0002056257	MSDOS (0x08)
 02:	00	0002056320	0002260943	0000204624	4.2BSD (0x07)
 03:	01	0002260944	0002875823	0000614880	Swap (0x01)
 04:	03	0002875824	0003080447	0000204624	4.2BSD (0x07)
 05:	04	0003080448	0003233663	0000153216	4.2BSD (0x07)
 06:	07	0003233664	0004257791	0001024128	4.2BSD (0x07)
 07:	06	0004257792	0008209214	0003951423	4.2BSD (0x07)
 08:	 09	0008209215	0019984859	0011775645	Unknown (0x0A)

(Examples from Sleuth Kit Informer #12)

External Links