Flashcards: 8
Students: 2
Language: English
Level: University
Created / Updated: 20.06.2019 / 01.07.2020
Licensing: Not defined
0 Exact answers, 8 Text answers, 0 Multiple-choice answers

Why do we have partitions on a drive, and what are the common partition schemes?

Reasons for partitions on a drive:

  • organize a storage device into sections, each of which can hold a filesystem
  • partitions are defined in a partition table stored on the drive itself
  • sometimes called "slices" (BSD / Solaris terminology)

Common partition schemes:

  • DOS (MBR)
  • GPT (GUID Partition Table)
  • BSD disklabel
  • Sun (VTOC)
  • APM (Apple Partition Map)

DOS is still the most common, but GPT is growing fast (it is the default on UEFI systems and on drives larger than 2 TiB).


How can you analyse the partition scheme of a drive?

Identify the partition scheme with The Sleuth Kit (TSK):

  • list the supported partition (volume system) types: mmstat -t list
  • identify the scheme in use: mmstat /dev/sda
  • inspect sector 0 with a hex editor (a DOS table ends with the bytes 55 AA at offset 510; on a GPT disk the string "EFI PART" opens sector 1)
  • the disktype tool identifies both partition schemes and filesystems

What is an NVMe drive, and how does it differ from other drives?

NVMe drives:

  • have "namespaces", which can divide a drive at a layer below the partition table
  • a namespace is not a partition table written on the disk; each namespace appears as its own block device (e.g. /dev/nvme0n1) that can carry its own partition table
  • namespace configuration is done through the controller firmware (nvme-cli can list and manage namespaces)
  • most consumer NVMe drives have only a single namespace; when imaging, check for further namespaces, because an image of one namespace does not contain the others

What are the characteristics of the DOS partition scheme?

DOS (MBR) partition scheme:

  • the partition table is in sector 0: four 16-byte entries at offset 446, followed by the 55 AA signature at offset 510
  • 32-bit LBA fields, so a maximum disk size of 2 TiB with 512-byte sectors
  • max 4 primary partitions; one of them may be an extended partition holding a chain of logical partitions
  • bootable disks use the rest of sector 0 (the MBR) for boot code

What are the characteristics of the GPT partition scheme?

GPT partition scheme:

  • 128 partition entries by default (the header records the entry count and entry size, so more are possible)
  • 64-bit LBA fields, so a maximum drive size of about 8 ZiB with 512-byte sectors
  • stores additional metadata per partition (type GUID, unique GUID, attribute flags, a UTF-16 name)
  • keeps a backup header and partition table at the end of the drive; header and entry array both carry CRC32 checksums
  • protective MBR in sector 0 with a single partition of type 0xEE spanning the disk, so MBR-only tools do not treat the disk as empty
  • UEFI booting from the EFI System Partition (a small FAT partition)
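Added example (not part of these flashcards, and not code from The Sleuth Kit): a Python parser that does by hand what the hex-editor step, mmstat and mmls do for the DOS and GPT cards above. It reads the four MBR entries at offset 446, detects the protective 0xEE entry, parses the GPT header at LBA 1 and its entry array while verifying both CRC32 fields, and lists the sector ranges no partition claims. The sample images are constructed in code (build_mbr and build_gpt_image are helpers written for this example); the on-disk layouts, type codes and type GUIDs are the standard ones.

```python
import struct
import uuid
import zlib

SECTOR = 512
DOS_TYPES = {0x05: "DOS extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0F: "extended (LBA)",
             0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI System"}
GPT_TYPES = {"c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
             "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem"}


def parse_dos_table(sector0):
    """Parse the four 16-byte entries at offset 446: status, CHS start, type, CHS end, LBA start, count."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature at offset 510: not a DOS partition table")
    parts = []
    for slot in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * slot)
        if ptype == 0 or count == 0:
            continue  # unused entry
        parts.append({"slot": slot, "type": ptype, "desc": DOS_TYPES.get(ptype, "unknown"),
                      "start": start, "end": start + count - 1, "bootable": boot == 0x80})
    return parts


def parse_gpt(image):
    """Parse the primary GPT header at LBA 1 and its entry array, verifying both CRC32 fields."""
    (sig, _rev, hdr_len, hdr_crc, _res, _cur, backup, first_use, last_use, disk_guid,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from("<8sIIIIQQQQ16sQIII", image, SECTOR)
    if sig != b"EFI PART":
        raise ValueError("no EFI PART signature at LBA 1")
    hdr = image[SECTOR:SECTOR + hdr_len]
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hdr_crc:   # CRC is taken with its own field zeroed
        raise ValueError("GPT header CRC mismatch (corrupt or tampered header)")
    raw = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(raw) != ent_crc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for slot in range(n_ent):
        tguid, _uniq, first, last, _attrs, name = struct.unpack_from("<16s16sQQQ72s", raw, slot * ent_size)
        if tguid == b"\0" * 16:
            continue  # unused entry
        tguid = str(uuid.UUID(bytes_le=tguid))  # GPT GUIDs use the mixed-endian layout bytes_le expects
        parts.append({"slot": slot, "type_guid": tguid, "desc": GPT_TYPES.get(tguid, "unknown"),
                      "start": first, "end": last, "name": name.decode("utf-16-le").rstrip("\0")})
    return {"disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "backup_lba": backup,
            "first_usable": first_use, "last_usable": last_use, "partitions": parts}


def identify(image):
    """Sector 0 first, then LBA 1: the same decision mmstat makes between "dos" and "gpt"."""
    dos = parse_dos_table(image[:SECTOR])
    if len(dos) == 1 and dos[0]["type"] == 0xEE and image[SECTOR:SECTOR + 8] == b"EFI PART":
        return "gpt"
    return "dos"


def unallocated(parts, total_sectors):
    """Sector ranges no entry claims (mmls prints them as Unallocated): deleted partitions and gaps live here."""
    gaps, pos = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > pos:
            gaps.append((pos, p["start"] - 1))
        pos = max(pos, p["end"] + 1)
    if pos < total_sectors:
        gaps.append((pos, total_sectors - 1))
    return gaps


def build_mbr(entries):
    """Constructed sample sector 0 from (type, start LBA, sector count, bootable) tuples."""
    sec = bytearray(SECTOR)
    for slot, (ptype, start, count, boot) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, 446 + 16 * slot, 0x80 if boot else 0, ptype, start, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_gpt_image(total, parts):
    """Constructed sample GPT disk: protective MBR, header at LBA 1, 128 entries at LBA 2,
    and the backup entry array plus backup header in the last 33 sectors."""
    ents = bytearray(128 * 128)
    for slot, (tguid, name, first, last) in enumerate(parts):
        struct.pack_into("<16s16sQQQ72s", ents, 128 * slot, uuid.UUID(tguid).bytes_le,
                         uuid.UUID(int=slot + 1).bytes_le, first, last, 0, name.encode("utf-16-le"))

    def header(cur, other, ent_lba):
        h = bytearray(92)
        struct.pack_into("<8sIIIIQQQQ16sQIII", h, 0, b"EFI PART", 0x00010000, 92, 0, 0, cur, other,
                         34, total - 34, uuid.UUID(int=0xD15C).bytes_le, ent_lba, 128, 128, zlib.crc32(ents))
        struct.pack_into("<I", h, 16, zlib.crc32(h))
        return h

    img = bytearray(total * SECTOR)
    img[:SECTOR] = build_mbr([(0xEE, 1, total - 1, False)])
    img[SECTOR:SECTOR + 92] = header(1, total - 1, 2)
    img[2 * SECTOR:34 * SECTOR] = ents
    img[(total - 33) * SECTOR:(total - 1) * SECTOR] = ents
    img[(total - 1) * SECTOR:(total - 1) * SECTOR + 92] = header(total - 1, 1, total - 33)
    return bytes(img)


if __name__ == "__main__":
    mbr = build_mbr([(0x83, 2048, 409600, True), (0x05, 411648, 204800, False)])
    print(identify(mbr), parse_dos_table(mbr), unallocated(parse_dos_table(mbr), 1048576))
    gpt = build_gpt_image(4096, [("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "EFI System", 34, 2047),
                                 ("0fc63daf-8483-4772-8e79-3d69d8477de4", "root", 2048, 4062)])
    print(identify(gpt), parse_gpt(gpt))
```

Run against a real image by replacing the constructed samples with `open("image.dd", "rb").read()` (or the first few MiB of it plus the last 33 sectors). The CRC checks matter forensically: a header that fails them is either damaged or has been edited by hand, and the backup table at `backup_lba` is the next place to look.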

What tools can you use to analyse partition tables, both on a device and on image files?

View the partition table of a device:

  • fdisk -l /dev/sda
  • disktype /dev/sda
  • mmls /dev/sda (The Sleuth Kit; also lists the unallocated ranges between partitions)

Analyse image files (the same tools accept a raw image instead of a device):

  • fdisk -l image.dd
  • disktype image.dd
  • mmls image.dd

What areas on a disk are of forensic interest but normally not accessible, and how can you access them?

Areas of forensic interest:

  • deleted partitions (the table entry is gone, but the filesystem data usually remains on disk)
  • inter-partition gaps (unallocated sectors between or after partitions, e.g. between the MBR and the first partition)
  • partition slack (sectors at the end of a partition that the filesystem inside it does not use)

Searching for deleted partitions:

  • TSK (basic, generic filesystem signatures): sigfind -t ext2 /dev/sda
  • gpart /dev/sda
  • gpart -a /dev/sda
  • testdisk -a /dev/sda

Accessing these areas: read the sector ranges that mmls reports as unallocated directly (dd with skip=/count= in sectors), or point the TSK filesystem tools (fsstat, fls, ...) at a found filesystem with -o <sector offset>.

Things to note:

  • filesystems start at some offset from the start of the drive (commonly sector 2048 on current DOS and GPT layouts); filesystem tools need that offset
  • corrupt or partially overwritten filesystems may need carving
  • a filesystem can exist without a partition table (a raw device or a partition image formatted directly)
  • stacked layers may exist between the partition and the filesystem (LVM [Logical Volume Management], encryption, RAID)
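Added example (not part of these flashcards, and not code from The Sleuth Kit) for the deleted-partition card and the notes above: a signature scan over a raw image that has no partition table at all. It mirrors the idea behind `sigfind -t ext2` (look for the ext magic bytes 53 EF at byte 56 of every sector), then applies sanity checks to the candidate superblock to separate real filesystems from random hits and derives the filesystem's start and end sectors from the superblock's own fields. The image, its two wiped ext filesystems and the decoy sector are constructed in code; `make_ext_superblock` and `build_sample_image` are helpers written for this example, and the superblock offsets used are the standard ext2/3/4 ones.

```python
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53   # little-endian on disk, so a hex editor shows 53 EF at byte 56 of the superblock
SB_OFFSET = 1024     # the ext superblock starts 1024 bytes into the filesystem, i.e. in its third sector


def make_ext_superblock(blocks, log_block_size, label):
    """Constructed sample: a 1024-byte ext2-style superblock with internally consistent fields."""
    sb = bytearray(1024)
    first_data_block = 1 if log_block_size == 0 else 0      # 1 only for 1 KiB blocks
    struct.pack_into("<IIIIIII", sb, 0, blocks // 8, blocks, blocks // 20, blocks // 2,
                     blocks // 16, first_data_block, log_block_size)
    struct.pack_into("<HH", sb, 56, EXT_MAGIC, 1)            # s_magic, s_state = cleanly unmounted
    struct.pack_into("<I", sb, 76, 1)                        # s_rev_level = dynamic
    sb[120:136] = label.encode().ljust(16, b"\0")            # s_volume_name
    return bytes(sb)


def looks_like_ext_superblock(sb):
    """Sanity checks that separate a real superblock from a stray 53 EF byte pair."""
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    magic, state = struct.unpack_from("<HH", sb, 56)
    return (magic == EXT_MAGIC and inodes > 0 and blocks > 0 and log_block_size <= 6
            and first_data_block == (1 if log_block_size == 0 else 0) and state <= 7)


def find_ext_filesystems(image):
    """Scan every sector for the ext magic at byte 56, validate the candidate superblock,
    and derive where the filesystem starts and ends without any partition table."""
    hits = []
    for lba in range(len(image) // SECTOR):
        base = lba * SECTOR
        if image[base + 56:base + 58] != b"\x53\xef":
            continue
        sb = image[base:base + 1024]
        if len(sb) < 1024 or not looks_like_ext_superblock(sb):
            hits.append({"lba": lba, "plausible": False})
            continue
        blocks = struct.unpack_from("<I", sb, 4)[0]            # s_blocks_count
        log_block_size = struct.unpack_from("<I", sb, 24)[0]   # s_log_block_size
        group_nr = struct.unpack_from("<H", sb, 90)[0]         # s_block_group_nr: 0 for the primary copy
        block_size = 1024 << log_block_size
        fs_start = lba - SB_OFFSET // SECTOR                   # primary superblock sits at fs sector 2
        fs_sectors = blocks * block_size // SECTOR
        label = sb[120:136].split(b"\0", 1)[0].decode(errors="replace")
        hits.append({"lba": lba, "plausible": True, "backup_copy": group_nr != 0,
                     "fs_start": fs_start, "fs_end": fs_start + fs_sectors - 1,
                     "block_size": block_size, "label": label})
    return hits


def build_sample_image():
    """Constructed 4 MiB image with no partition table: two ext filesystems whose table entries
    were wiped, plus one decoy sector that merely contains the magic bytes."""
    img = bytearray(8192 * SECTOR)
    img[2048 * SECTOR + SB_OFFSET:2048 * SECTOR + SB_OFFSET + 1024] = make_ext_superblock(1024, 0, "deleted-root")
    img[4096 * SECTOR + SB_OFFSET:4096 * SECTOR + SB_OFFSET + 1024] = make_ext_superblock(256, 2, "data")
    img[7000 * SECTOR + 56:7000 * SECTOR + 58] = b"\x53\xef"
    return bytes(img)


if __name__ == "__main__":
    for hit in find_ext_filesystems(build_sample_image()):
        print(hit)
```

Two caveats when running this on a real image: ext keeps backup superblocks at the start of several block groups, so a hit with `backup_copy` set does not mark the filesystem start (only the group-0 copy does), and a filesystem whose primary superblock was overwritten is exactly the case where those backup copies, and carving, are what remains.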