Sunday, April 13, 2014

Basic Volume Information

So let's take a look at some of the basic tools provided by The Sleuth Kit for dealing with the analysis of partitions.  These tools start with "mm" and include mmls, mmcat, and mmstat.  They can be used on a physical disk, a raw disk image, or an Expert Witness File Format (E01) disk image (even if it is not mounted).  Each of these commands provides important information about the volumes or partitions on the device.

The first thing we need to know is what type of partition table we are working with.  There are multiple types of partition tables; Master Boot Record (MBR or DOS) and GUID Partition Table (GPT or EFI) are the two most common.  Others are the Mac Partition Table (MAC), BSD Disk Label (BSD), and Sun Volume Table of Contents (SUN).  To determine the type of partition table used when the disk was initialized we will use the mmstat command.

$ mmstat nps-2008-jean.E01

dos

If you are unsure of what the output means you can always reference the program itself for help.

$ mmstat
Missing image name
mmstat [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images]
-t vstype: The volume system type (use '-t list' for list of supported types)
-i imgtype: The format of the image file (use '-i list' for list of supported types)
-b dev_sector_size: The size (in bytes) of the device sectors
-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)
-v: verbose output
-V: print the version

You can see the layout that the command is supposed to have and some of the options that you can use with it.  One option is to list the supported volume system types like so:

$ mmstat -t list
Supported partition types:
dos (DOS Partition Table)
mac (MAC Partition Map)
bsd (BSD Disk Label)
sun (Sun Volume Table of Contents (Solaris))
gpt (GUID Partition Table (EFI))

Next let's take a look at the mmls command because, in any case, if you don't know anything about the partitions on a disk you may not be able to access the data contained in it.  We run the mmls command against our test image like so:

$ mmls nps-2008-jean.E01

This is the output that we receive.

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated

As you can see, this command provides us with the partition table of the disk.  We can see that there is an NTFS partition starting at sector 63 and ending at sector 20948759.  Before it there is a portion of the disk that is "Unallocated", and immediately following the NTFS partition there is another section that is "Unallocated".  If we add -B to the command we will also see the estimated volume size, making it easy to identify which volumes contain the most data or whether a volume has been deleted (leaving a large amount of Unallocated space).

$ mmls -B nps-2008-jean.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated
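As an added example (not code from the original post or from The Sleuth Kit), here is a small Python parser for the mmls output shown above. It reads the sector size from the "Units are in" line, checks that each row's Length matches its Start/End, converts start sectors to byte offsets, and separates file-system volumes from unallocated gaps. The sample input embedded below is the page's own mmls output for nps-2008-jean.E01, and the start sector of each volume is what you would pass to fsstat or fls with -o.

```python
import re

# Sample input: the mmls output from the post (DOS table, 512-byte sectors),
# embedded here so the parser runs offline without the E01 image.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated
"""

# One table row: index, slot, start, end, length, free-text description.
ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return (sector_size, rows); each row carries sector and byte offsets."""
    sector_size = 512
    rows = []
    for line in text.splitlines():
        m = re.match(r"Units are in (\d+)-byte sectors", line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue
        start, end, length = int(m.group(3)), int(m.group(4)), int(m.group(5))
        if end - start + 1 != length:  # the table should be self-consistent
            raise ValueError(f"inconsistent mmls row: {line}")
        rows.append({
            "slot": m.group(2), "start": start, "end": end, "length": length,
            "desc": m.group(6).strip(),
            "byte_offset": start * sector_size,   # for tools that want bytes
            "bytes": length * sector_size,        # exact size, unlike -B's rounding
        })
    return sector_size, rows

def volumes(rows):
    """Rows that hold a file system (neither meta entries nor unallocated gaps)."""
    return [r for r in rows if r["slot"] != "Meta" and r["desc"] != "Unallocated"]

def unallocated(rows):
    """Unallocated gaps; large ones may indicate a deleted or hidden partition."""
    return [r for r in rows if r["desc"] == "Unallocated"]
```

For the sample table, volumes() yields the single NTFS entry starting at sector 63, and unallocated() yields the 63-sector gap before it and the 22760-sector gap after it.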
