Bruce Nikkel 4_1_partition_analysis.pdf
Set of flashcards Details

| Flashcards | 8 |
|---|---|
| Language | English |
| Category | Technology |
| Level | University |
| Created / Updated | 20.06.2019 / 01.07.2020 |
| Licensing | Not defined |
| Weblink | https://card2brain.ch/box/20190620_bruce_nikkel_41partitionanalysis_pdf |
Why do we have partitions on a drive and what are the common partition schemes?
Reason for partitions on a drive:
- organize storage device into sections containing filesystems
- partitions are defined in the partition table
- sometimes called "slices" (BSD / Solaris terminology)
Common Partition schemes:
- DOS
- GPT
- BSD
- Sun (vtoc)
- APM (Apple Partition Map)
DOS is the most common, but GPT is growing fast
How can you analyse a partition?
Identify the partition scheme with TSK
- list supported partition types: mmstat -t list
- identify the partition scheme: mmstat /dev/sda
- analyze sector 0 with a hex editor
- disktype tool identifies partitions and filesystems
What is an NVMe drive and how does it differ from normal drives?
NVMe drives:
- have "namespaces" that can partition a drive at a lower layer
- unlike a partition table, namespaces are not written on disk
- configuration is done through the drive firmware
- most consumer NVMe drives have only a single namespace
What are the characteristics of the DOS partition scheme?
DOS partition scheme:
- Partition table is defined in sector 0
- max disk size of 2 TB
- max 4 primary partitions (more via an extended partition)
- bootable partitions use MBR in sector 0
What are the characteristics of the GPT partition scheme?
GPT partition scheme:
- 128 partitions possible
- max drive size 8 zettabytes
- allows for additional metadata about partitions
- creates a backup partition table at the end of the drive
- protective MBR in sector zero (partition type 0xEE)
- UEFI booting uses a small FAT partition
What tools can you use to analyze partition tables and image files?
View partition table of device:
- fdisk -l /dev/sda
- disktype /dev/sda
- mmls /dev/sda (Sleuth Kit)
Analyze image files:
- fdisk -l image.dd
- disktype image.dd
- mmls image.dd
What areas on a disk are of forensic interest that are normally not accessible, and how can you access them?
Areas of forensic interest:
- deleted partitions
- inter-partition gaps
- partition slack
Searching for deleted partitions:
- TSK sigfind (basic, searches for generic signature patterns): sigfind -t ext2 /dev/sda
- gpart /dev/sda
- gpart -a /dev/sda
- testdisk -a /dev/sda
Things to note:
- Filesystems start at some offset from the start of a drive
- corrupt or partially overwritten filesystems may need carving
- a filesystem can exist without a partition table
- stacked systems may exist (LVM [Logical Volume Management], encryption, RAID)