Computer Forensics: Re: Having trouble breaking partitions out of a raw image

Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Computer Forensics Computer-Forensics

[Top] [All Lists]

Re: Having trouble breaking partitions out of a raw image

from [subscribe] Network Security

[Permanent Link]

Subject:	Re: Having trouble breaking partitions out of a raw image
Date:	Sun, 23 Oct 2005 21:23:50 -0400

Christopher,

2) Next, I wanted to break out the raw image into it's partitions, so I ran
mmls:

root@LinuxForensics usbdisk]# mmls -t dos image.dd


You might try 'sfdisk -uS -l image.dd' in the future.  Unless, of
course, it's a MAC image, then 'mmls' is your choice.

[root@LinuxForensics usbdisk]# file image3.dd
image3.dd: data


As a sanity check, authenticate the file system (/dev/target#) against
this newly ripped image file of the file system from the 80GB physical
image.  (Just to make sure the MD5/SHA1 equal)

Aside from that, 'file' isn't always best to determine type of file when
it comes to FS types.  You might get better mileage passing the 's' flag
to your command;

file -s image.dd

?

One last thing....I ran fdisk -lu on the image.  It does not show as
bootable (which is odd since I was told it was the only disk in the system).


Some operating systems don't require the bootable flag to be set in the
partition record field.  


cheers!

farmerdude

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Having trouble breaking partitions out of a raw image, Croad Christopher D Ctr AFRL/IFOS RE: Having trouble breaking partitions out of a raw image, Mike Parkhurst Re: Having trouble breaking partitions out of a raw image, Randy Schrickel RE: Having trouble breaking partitions out of a raw image, Gary Funck RE: Having trouble breaking partitions out of a raw image, Chris Eagle Re: Having trouble breaking partitions out of a raw image, subscribe <= Re: Having trouble breaking partitions out of a raw image, Jonathan Glass (GM)

Previous by Date:	RE: Having trouble breaking partitions out of a raw image, Chris Eagle
Next by Date:	RE: Worm Origin, frederic.stonesifer
Previous by Thread:	RE: Having trouble breaking partitions out of a raw image, Chris Eagle
Next by Thread:	Re: Having trouble breaking partitions out of a raw image, Jonathan Glass (GM)
Indexes:	[Date] [Thread] [Top] [All Lists]