
| Subject: | Having trouble breaking partitions out of a raw image |
|---|---|
| Date: | Wed, 19 Oct 2005 12:51:07 -0000 |
I'm a little bit new to doing forensics, and I've run into something I
haven't seen before.
1) I created an 80Gig image of the entire drive using adepto (aka grab).
For purposes of this e-mail, the image is called image.dd.
2) Next, I wanted to break out the raw image into its partitions, so I ran
mmls:
```
[root@LinuxForensics usbdisk]# mmls -t dos image.dd
DOS Partition Table
Units are in 512-byte sectors
Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0002104514   0002104452   Linux Swap / Solaris x86 (0x82)
03:  00:01   0002104515   0156296384   0154191870   Linux (0x83)
```
3) I then used dd to pull out the Linux (0x83) partition:
```
[root@LinuxForensics usbdisk]# dd if=image.dd of=image3.dd bs=512 skip=2104515 count=154191870
```
4) This ran fine. I then wanted to verify that the data looked OK, so I did
a "file" command
```
[root@LinuxForensics usbdisk]# file image3.dd
image3.dd: data
```
5) What? This should have said it was a Linux filesystem, yes? (it has when
I have done other drives) I rechecked all of my values for the dd command in
step 3. I looked at the first 1000 blocks of data in image3.dd with a hex
editor, and the first 0xffff bytes are all 0's. At offset 0x0001:0000 I
start seeing data, but I'm not sure what it is. I peeled off the first 1000
blocks from offset 0x0001:0000, ran it through "file", and it still did not
see a Linux file system. Also to verify that I had grabbed the original
image properly, I grabbed the same 1000 blocks from the original disk and it
matched the first 1000 in image3.dd
Any clues as to what I have done wrong or what I am missing?
One last thing... I ran fdisk -lu on the image. It does not show as
bootable (which is odd, since I was told it was the only disk in the system).
Also, partition 2 had different physical/logical endings....I wasn't sure
what this meant.
```
[root@LinuxForensics usbdisk]# fdisk -lu image.dd
You must set cylinders.
You can do this from the extra functions menu.

Disk image.dd: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
image.dd1              63     2104514     1052226   82  Linux swap / Solaris
image.dd2         2104515   156296384    77095935   83  Linux
Partition 2 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(9728, 254, 63)
```
Christopher D. Croad - Northrop Grumman
Network Operations/ Air Force Research Lab/ Rome Site
DSN: 587-4970
Commercial: 315-330-4970
Fax: 315-330-8028
e-mail: croadc@rl.af.mil
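The procedure in the post (read the DOS partition table, carve one partition out with `dd skip=START count=LENGTH`, then ask what the carved bytes are) can be reproduced and checked in a few dozen lines. The script below is an added example and not the poster's code or part of The Sleuth Kit: it parses the four primary MBR entries the way `mmls -t dos` does, carves a partition with the same sector arithmetic as the `dd` line above, and then applies the signature checks `file` relies on for the two partition types in the post (an ext2/3 superblock magic 0xEF53 at byte offset 1024+56 of the partition, the `SWAPSPACE2` signature at the end of the first 4 KiB page of a swap area) plus the LVM2 physical-volume label in sector 1. It also reports how many leading bytes of the carved partition are zero, which is the hex-editor observation from step 5 turned into a number. The disk image it runs on by default is constructed inline (same two partition types as the post, but only 111 sectors long); pass a path on the command line to run it against a real raw image instead.

```python
#!/usr/bin/env python3
"""Parse an MBR, carve a partition like dd skip/count, and identify it.

Added example for the thread above; not the poster's tooling and not TSK.
The built-in image is constructed here purely for demonstration.
"""
import struct
import sys

SECTOR = 512
EXT_MAGIC_OFF = 1024 + 56          # superblock at 1 KiB, s_magic at +56
SWAP_SIG_OFF = 4096 - 10           # "SWAPSPACE2" ends the first 4 KiB page


def parse_mbr(img):
    """Return the non-empty primary entries, with inclusive end sector (as mmls prints)."""
    if img[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        status, ptype = img[off], img[off + 4]
        lba_start, count = struct.unpack_from("<II", img, off + 8)
        if ptype == 0 or count == 0:
            continue                 # unused slot
        parts.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "start": lba_start,
            "length": count,
            "end": lba_start + count - 1,
        })
    return parts


def carve(img, start, length):
    """Same bytes as: dd if=img of=out bs=512 skip=start count=length."""
    return img[start * SECTOR:(start + length) * SECTOR]


def leading_zero_run(part):
    """Number of zero bytes before the first non-zero byte (len(part) if all zero)."""
    for i, b in enumerate(part):
        if b:
            return i
    return len(part)


def identify(part):
    """Signature checks in the spirit of file(1); 'data' when nothing matches."""
    if len(part) > EXT_MAGIC_OFF + 1 and \
            struct.unpack_from("<H", part, EXT_MAGIC_OFF)[0] == 0xEF53:
        return "ext2/3/4 filesystem"
    if len(part) >= 4096 and part[SWAP_SIG_OFF:4096] == b"SWAPSPACE2":
        return "Linux swap (4 KiB pages)"
    if part[512:520] == b"LABELONE" and part[536:544] == b"LVM2 001":
        return "LVM2 physical volume"
    return "data"


def build_test_image():
    """Constructed image: swap at LBA 63 (16 sectors), Linux at LBA 79 (32 sectors)."""
    swap_start, swap_len = 63, 16
    lin_start, lin_len = swap_start + swap_len, 32
    img = bytearray((lin_start + lin_len) * SECTOR)

    def entry(slot, ptype, start, length, boot=0x00):
        off = 446 + 16 * slot
        img[off] = boot
        img[off + 4] = ptype
        struct.pack_into("<II", img, off + 8, start, length)

    entry(0, 0x82, swap_start, swap_len)        # Linux swap
    entry(1, 0x83, lin_start, lin_len)          # Linux
    img[510:512] = b"\x55\xAA"
    so = swap_start * SECTOR
    img[so + SWAP_SIG_OFF:so + 4096] = b"SWAPSPACE2"
    struct.pack_into("<H", img, lin_start * SECTOR + EXT_MAGIC_OFF, 0xEF53)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # a real raw image, e.g. image.dd
            image = fh.read()
    else:
        image = build_test_image()
    for p in parse_mbr(image):
        data = carve(image, p["start"], p["length"])
        print("slot %d type 0x%02x start %d end %d length %d boot=%s -> %s, "
              "leading zero bytes: %d" % (p["slot"], p["type"], p["start"],
              p["end"], p["length"], p["bootable"], identify(data),
              leading_zero_run(data)))
```

Two things worth noting against the post. The inclusive end that mmls prints is `start + length - 1`, and the numbers in the thread check out (2104515 + 154191870 - 1 = 156296384), so the `dd` line carves exactly the sectors the table describes. And an ext2/3 superblock lives at byte 1024 of the partition, so a partition whose first 0xffff bytes are all zero, as reported in step 5, cannot hold one there; `file` answering "data" is the expected result for such bytes whatever else is in them. Reading the whole image into memory, as the script does, is fine for the constructed sample but not for an 80 GB image; for real use, seek to `start * 512` and read `length * 512` bytes in chunks.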