Bruce Nikkel 4_1_partition_analysis.pdf

Card set details

Cards: 8
Language: English
Category: Technology
Level: University
Created / updated: 20.06.2019 / 01.07.2020
Licensing: Not specified
Web link
https://card2brain.ch/box/20190620_bruce_nikkel_41partitionanalysis_pdf

Why do we have partitions on a drive and what are the common partition schemes?

Reason for partitions on a drive:

  • organize the storage device into sections containing filesystems
  • partitions are defined in the partition table
  • sometimes called "slices" (BSD / Solaris terminology)

Common Partition schemes:

  • DOS
  • GPT
  • BSD
  • Sun (vtoc)
  • APM (Apple Partition Map)

DOS is the most common, but GPT is growing fast

How can you analyse a partition?

Identify the partition scheme with TSK

  • list supported partitions: mmstat -t list
  • identify partitions scheme: mmstat /dev/sda
  • analyze sector 0 with a hexeditor
  • disktype tool identifies partitions and filesystems

What is an NVMe drive and how does it differ from normal drives?

NVMe drives:

  • have "namespaces" that can partition a drive at a lower layer
  • not like a partition table written on disk
  • configuration is done via the drive's firmware
  • most consumer NVMe drives only have 1 single namespace

What are the characteristics of the DOS partition scheme?

DOS partition scheme:

  • Partition table is defined in sector 0
  • max disk size of 2TB
  • max 4 partitions (and extended)
  • bootable partitions use MBR in sector 0

What are the characteristics of the GPT partition scheme?

GPT partition scheme:

  • 128 partitions possible
  • max drive size 8 zettabytes
  • allows for additional metadata about partitions
  • creates a backup partition table at the end of the drive
  • protective MBR in sector zero (type EE)
  • UEFI booting (small FAT partition)

What tools can you use to analyze partition tables and analyze image files?

View partition table of device:

  • fdisk -l /dev/sda
  • disktype /dev/sda
  • mmls /dev/sda (Sleuth Kit)

Analyze image files:

  • fdisk -l image.dd
  • disktype image.dd
  • mmls image.dd

What areas on disk are of forensic interest that are normally not accessible, and how can you access them?

Areas of forensic interest:

  • deleted partitions
  • inter-partition gaps
  • partition slack

Searching for deleted partitions:

  • TSK (basic, generic patterns): sigfind -t ext2 /dev/sda
  • gpart /dev/sda
  • gpart -a /dev/sda
  • testdisk -a /dev/sda

Things to note:

  • Filesystems start at some offset from the start of a drive
  • corrupt or partially overwritten filesystems may need carving
  • a filesystem can exist without a partition table
  • stacked systems may exist (LVM [Logical Volume Management], encryption, RAID)
