Difference between revisions of "Identifying file systems"

From Forensics Wiki
Jump to: navigation, search
m (New page: There are many ways to identify a file system inside a partition. When an operating system attempts to mount a partition, it may use the ID from the partition table. There are several to...)
 
m
Line 6: Line 6:
 
* [[blkid]]
 
* [[blkid]]
 
* [[parted]]
 
* [[parted]]
 +
* [[testdisk]]
  
 
In general you should not rely on the partition record for determining the partition type.
 
In general you should not rely on the partition record for determining the partition type.
  
 
Some of the test images created for the [http://wiki.sleuthkit.org/index.php?title=Case_Studies Honeynet Challenges] have multiple file systems contained in a single partition.
 
Some of the test images created for the [http://wiki.sleuthkit.org/index.php?title=Case_Studies Honeynet Challenges] have multiple file systems contained in a single partition.

Revision as of 22:58, 25 April 2008

There are many ways to identify a file system inside a partition.

When an operating system attempts to mount a partition, it may use the ID from the partition table.

There are several tools that can identify the partition from the data it contains, including:

In general you should not rely on the partition record for determining the partition type.

Some of the test images created for the Honeynet Challenges have multiple file systems contained in a single partition.