
| Subject: | Re: Hard disk file system identification |
|---|---|
| Date: | Thu, 30 Sep 2004 20:02:06 +0200 |
From: Nick Puetz <nickpuetz@yahoo.com>
Date: Thu, 30 Sep 2004 13:42:58 +0200
To: forensics@securityfocus.com
Subject: Hard disk file system identification

Hello,
I have received an internal hard drive that I need to image and perform some analysis on; however, I don't know the file system type on the disk, therefore I cannot correctly mount it to the RedHat 9 machine I used to do my image creation and analysis. Is there any way that I can identify what file system type is on a hard disk without jeopardizing the integrity of the hard disk? Thanks for the help.
Nick

If you have a dd raw image file you can do a 'fdisk -lu yourimage.raw'. This
will tell you the partition scheme and also the filesystems involved. Do not
forget to tell the offset to mount. Here is an example:
Consider that we have done a dd raw image of a disk and that we named it
"maxtor-A21S6LTC".
'fdisk -lu maxtor-A21S6LTC' leads to

    Disque maxtor-A21S6LTC : 255 têtes, 63 secteurs, 0 cylindres
    Unités = secteurs sur 1 * 512 octets

         Périphérique Amorce    Début       Fin    Blocs   Id  Système
    maxtor-A21S6LTC1   *           63   8177084  4088511    b  Win95 FAT32
    maxtor-A21S6LTC2          8177085   8418059   120487+  16  FAT16 caché

This is localised French output! So we have 2 partitions: one vfat32 and
one hidden fat16.
Now we can mount those partitions with the following commands:

    'mount maxtor-A21S6LTC /mnt/part1 -o ro,loop,offset=32256,umask=222 -t vfat'
    'mount maxtor-A21S6LTC /mnt/part2 -o ro,loop,offset=4186667520,umask=222 -t vfat'

Please be sure to use the 2.12b version of the util-linux package as
offsets are 64 bits in that version (31 bits in the previous versions). You
can find the source on the kernel.org site in /pub/linux/utils/util-linux.
Hope this helps.
--
Olivier DELHOMME
Engineer
Head of the Forensic Computer Laboratory
DCPJ / SDPTS / SITT / LATS
Tel +33 (0) 4.72.86.84.60
Fax +33 (0) 4.72.86.85.24
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
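
Added example, not part of the original message or the list archive: a Python sketch that reads the four primary MBR entries from sector 0 of a raw image and derives the type IDs and mount offsets (start sector * 512) shown in the reply, flagging offsets of 2^31 bytes or more, which the reply says need util-linux 2.12b. The function names, the short type-ID table and the constructed sample MBR (built from the sector numbers in the fdisk listing) are assumptions of this example; extended/logical partitions are not handled.

```python
import struct

SECTOR = 512  # bytes per sector, as in the fdisk listing above
# Small subset of MBR partition type IDs (assumption: enough for this case).
TYPES = {0x06: "FAT16", 0x07: "HPFS/NTFS", 0x0B: "Win95 FAT32",
         0x0C: "Win95 FAT32 (LBA)", 0x16: "Hidden FAT16", 0x83: "Linux"}
ENTRY = "<B3xB3xII"  # boot flag, CHS start, type ID, CHS end, LBA start, count


def parse_mbr(sector0):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY, sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # unused slot
        offset = start * SECTOR  # value to pass to mount -o offset=
        parts.append({"index": i + 1, "bootable": boot == 0x80, "id": ptype,
                      "system": TYPES.get(ptype, "unknown"),
                      "start": start, "end": start + count - 1,
                      "offset": offset,
                      # 31-bit offsets before util-linux 2.12b, per the reply
                      "needs_64bit_offset": offset >= 2 ** 31})
    return parts


def read_mbr(image_path):
    """Parse sector 0 of a raw dd image; the file is opened read-only."""
    with open(image_path, "rb") as f:
        return parse_mbr(f.read(SECTOR))


def constructed_mbr():
    """Constructed sample: an MBR holding the two partitions listed above."""
    mbr = bytearray(SECTOR)
    layout = [(0x80, 0x0B, 63, 8177022), (0x00, 0x16, 8177085, 240975)]
    for i, fields in enumerate(layout):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, *fields)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(constructed_mbr()):
        note = "  (needs 64-bit offset support)" if p["needs_64bit_offset"] else ""
        print("part%d id=%x %-12s start=%d end=%d offset=%d%s" % (
            p["index"], p["id"], p["system"], p["start"], p["end"], p["offset"], note))
```

On a real image, call read_mbr() with the path of the dd file instead of parsing the constructed sample.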