
Re: GUID Partition Table (GPT) Recovery

Subject: Re: GUID Partition Table (GPT) Recovery
Date: Wed, 15 Nov 2006 23:34:39 -0500
Hello,

Part of GPT has to do with legacy MBR tables. On many systems the
MBR does not in any way reflect the GPT. In fact it is recommended that the
MBR table show one partition (with a special type) which occupies the entire
disk so as to prevent legacy software/devices/OS from seeing an un-partitioned
drive and taking "ownership", thereby destroying data.

One should examine both the MBR tables (fdisk) and the GPT (parted). Consider a
complex case: one can use legacy MBR tables for good data with a GPT pointing
to "secret" data right in the middle of an MBR partition.

Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/


From: Brian Carrier <carrier@digital-evidence.org>
Date: Tue, 07 Nov 2006 17:06:02 -0500
To: <forensics@securityfocus.com>
Cc: Thomas Matthews <thomas@lagged.ca>
Subject: Re: GUID Partition Table (GPT) Recovery
Resent-From: <forensics-return-3397@securityfocus.com>
Resent-Date: Sat, 11 Nov 2006 06:25:33 -0700 (MST)

If you just want to identify the partition layout, you can also use
'mmls' from The Sleuth Kit (which now runs on Windows).  You can then
extract the partitions and use any of your favorite tools.

http://www.sleuthkit.org/sleuthkit/

brian



I am interested to know if any of you out there have been
successful at recovering a GPT volume.  The "partition style"
as listed under the Volume tab within the disk device
properties states "GUID Partition Table (GPT)".
I am working with a Promise VTrak M500p SCSI RAID device
using the following configuration:
RAID Level: RAID-5
Capacity: 5.9 TB
Stripe: 64KB
Sector: 2KB
Number of Used Physical Drives: 14
I've used Guidance Software's EnCase and AccessData's FTK
Imager (and some random data recovery applications), all are
unable to read the partition information.  As mentioned
above, I'm just putting some feelers out to discover your
experiences with GPT.  I am mostly interested in reviewing
deleted information (without having to data carve) and
viewing folder structure.  I can provide additional
information if required. 
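
The comparison suggested in the reply at the top of this thread (read both the legacy MBR and the GPT, then look for disagreement), as an added Python example that is not part of any post here. It probes several logical sector sizes for the GPT header at LBA 1; all function names and the `build_sample` test image are constructed for illustration.

```python
import struct

SECTOR_SIZES = (512, 1024, 2048, 4096)   # candidate logical sector sizes to probe

def parse_mbr(image):
    """Non-empty legacy MBR slots as (type, first_lba, sector_count)."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature in sector 0")
    slots = (image[446 + 16 * i:462 + 16 * i] for i in range(4))
    return [(s[4], *struct.unpack_from("<II", s, 8)) for s in slots if s[4]]

def parse_gpt(image):
    """Return (sector_size, [(first_lba, last_lba), ...]) from the primary GPT."""
    for ss in SECTOR_SIZES:
        if image[ss:ss + 8] == b"EFI PART":          # header sits at LBA 1
            table_lba, count, size = struct.unpack_from("<QII", image, ss + 72)
            offs = (table_lba * ss + i * size for i in range(count))
            # An all-zero type GUID marks an unused entry slot.
            return ss, [struct.unpack_from("<QQ", image, o + 32)
                        for o in offs if any(image[o:o + 16])]
    return None, []

def compare_layouts(image):
    """Flag the cases where the MBR view and the GPT view of a disk disagree."""
    mbr = parse_mbr(image)
    ss, gpt = parse_gpt(image)
    if ss is None:
        return ["no GPT header found at LBA 1 for any probed sector size"]
    findings = []
    if [p[0] for p in mbr] != [0xEE]:
        findings.append("MBR is not a single protective (0xEE) entry")
    for first, last in gpt:
        for ptype, start, length in mbr:
            if ptype != 0xEE and start <= first and last < start + length:
                findings.append(f"GPT entry LBA {first}-{last} lies inside "
                                f"MBR type 0x{ptype:02X} partition at LBA {start}")
    return findings

def build_sample(ss, mbr_type, mbr_start, mbr_len, gpt_first, gpt_last):
    """Constructed test image: one MBR slot, one GPT entry, GPT table at LBA 2."""
    img = bytearray(ss * 4)
    img[446 + 4] = mbr_type
    struct.pack_into("<II", img, 446 + 8, mbr_start, mbr_len)
    img[510:512] = b"\x55\xaa"
    img[ss:ss + 8] = b"EFI PART"
    struct.pack_into("<QII", img, ss + 72, 2, 1, 128)   # table LBA, count, entry size
    img[2 * ss] = 0xA2            # non-zero type GUID byte marks the slot as used
    struct.pack_into("<QQ", img, 2 * ss + 32, gpt_first, gpt_last)
    return bytes(img)
```

The GPT header and entry-array CRC32 values are not checked here; a full parser should verify them and also read the backup header at the last LBA.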

