http://www.forensicswiki.org/w/index.php?title=How_to_analyse_partitions&feed=atom&action=history How to analyse partitions - Revision history 2013-06-19T09:46:05Z Revision history for this page on the wiki MediaWiki 1.21.1 http://www.forensicswiki.org/w/index.php?title=How_to_analyse_partitions&diff=4987&oldid=prev Uwe Hermann: Category. 2006-05-16T00:00:47Z <p>Category.</p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 00:00, 16 May 2006</td> </tr><tr><td colspan="2" class="diff-lineno">Line 27:</td> <td colspan="2" class="diff-lineno">Line 27:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; 08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; 08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>(Examples from <del class="diffchange diffchange-inline"> </del>[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>(Examples from [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">== External Links ==</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">* [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12: Using mmls from The Sleuth Kit]</ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&#160;</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">[[Category:Howtos]]</ins></div></td></tr> </table> Uwe Hermann http://www.forensicswiki.org/w/index.php?title=How_to_analyse_partitions&diff=4986&oldid=prev Uwe Hermann: Howto:Partitions moved to How to analyse partitions: Move to HOWTO name. 2006-05-15T23:58:41Z <p><a href="/w/index.php?title=Howto:Partitions&amp;action=edit&amp;redlink=1" class="new" title="Howto:Partitions (page does not exist)">Howto:Partitions</a> moved to <a href="/wiki/How_to_analyse_partitions" title="How to analyse partitions">How to analyse partitions</a>: Move to HOWTO name.</p> <table class='diff diff-contentalign-left'> <tr style='vertical-align: top;'> <td colspan='1' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='1' style="background-color: white; color:black; text-align: center;">Revision as of 23:58, 15 May 2006</td> </tr></table> Uwe Hermann http://www.forensicswiki.org/w/index.php?title=How_to_analyse_partitions&diff=4985&oldid=prev Uwe Hermann at 13:37, 2 May 2006 2006-05-02T13:37:47Z <p></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:37, 2 May 2006</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>A How-to for dealing with partitions.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>A How-to for dealing with partitions.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the mmls program to display the contents of partitions.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the <ins class="diffchange diffchange-inline">''</ins>mmls<ins class="diffchange diffchange-inline">'' </ins>program to display the contents of partitions.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For example:</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>For example:</div></td></tr> <tr><td colspan="2" class="diff-lineno">Line 27:</td> <td colspan="2" class="diff-lineno">Line 27:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; 08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>&#160;&#160; 08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>(Examples from <del class="diffchange diffchange-inline">SKI </del>#12)</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>(Examples from <ins class="diffchange diffchange-inline"> [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer </ins>#12<ins class="diffchange diffchange-inline">]</ins>)</div></td></tr> </table> Uwe Hermann http://www.forensicswiki.org/w/index.php?title=How_to_analyse_partitions&diff=4984&oldid=prev Simsong at 03:24, 2 May 2006 2006-05-02T03:24:47Z <p></p> <p><b>New page</b></p><div>A How-to for dealing with partitions.<br /> <br /> [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the mmls program to display the contents of partitions.<br /> <br /> For example:<br /> <br /> # mmls -t dos disk.dd<br /> Slot Start End Length Description<br /> 00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)<br /> 01: ----- 0000000001 0000000062 0000000062 Unallocated<br /> 02: 00:00 0000000063 0002056319 0002056257 Win95 FAT32 (0x0B)<br /> 03: 00:01 0002056320 0008209214 0006152895 OpenBSD (0xA6)<br /> 04: 00:02 0008209215 0019999727 0011790513 FreeBSD (0xA5)<br /> <br /> You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:<br /> <br /> # mmls -t bsd -o 2056321 disk.dd<br /> Length Description<br /> 00: 02 0000000000 0019999727 0019999728 Unused (0x00)<br /> 01: 08 0000000063 0002056319 0002056257 MSDOS (0x08)<br /> 02: 00 0002056320 0002260943 0000204624 4.2BSD (0x07)<br /> 03: 01 0002260944 0002875823 0000614880 Swap (0x01)<br /> 04: 03 0002875824 0003080447 0000204624 4.2BSD (0x07)<br /> 05: 04 0003080448 0003233663 0000153216 4.2BSD (0x07)<br /> 06: 07 0003233664 0004257791 0001024128 4.2BSD (0x07)<br /> 07: 06 0004257792 0008209214 0003951423 4.2BSD (0x07)<br /> 08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)<br /> <br /> (Examples from SKI #12)</div> Simsong