RE: Hard disk file system identification

> -----Original Message-----
> From: Eagle Investigative Services, Inc. 
> [mailto:info@eaglepiservices.com] 
> Sent: Thursday, September 30, 2004 1:00 PM
> To: 'Altheide, Cory B. (IARC)'; 'Nick Puetz'
> Cc: forensics@securityfocus.com
> Subject: RE: Hard disk file system identification
>
>
> Cory brings up a valid point. The partition type entry could 
> be modified to thwart the efforts of an examiner. 
>
> Since he wasn't willing to offer an actual solution, you could do the
> following:
>
> 1. Copy the start of the file system into a file. 
>
> 2. Post it to the sleuthkit.org mailing list. 
>
> 3. Brian Carrier will almost surely recognize it immediately 
> and let you know. 
>
> EIS. 

Actually I did offer a (possible) solution in the email you replied to, and
offered an additional solution in an email sent earlier to the list and
directly to Nick.  It hasn't gone through to the list, yet, however.

> From the parent email: "Running cfdisk interactively will, however, display
the file system present on any Linux (0x83) volumes, at least for ext2/3."

And from my previous email: 
"root@yourbox # fdisk -l /dev/hd?
root@yourbox # file /dev/hd?X"

File is able to determine the partition type/file system fairly well in many
cases.  Should file simply spit out "block device" or something similar, try
"dd if=/dev/hd?X bs=512 count=1 | file -"

-- Cory


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com