The Sleuth Kit / Bugs / #104 Meta tags not consistent for DOS partitions

#104 Meta tags not consistent for DOS partitions

Status: open

Owner: nobody

Labels: Media Management Tools (7)

Priority: 5

Updated: 2009-08-19

Created: 2009-08-19

Creator: Brian Carrier

Private: No

TSK 3.0 changed the way that it identified unallocated space and added the notion of META volumes. This report identifies a few issues:

- Extended volumes in other extended volumes were not marked as META (but the first extended partition is)
- Should we be marking the Partition Table as Unallocated (currently we do because it is not inside of an explicit partition)
- Should areas inside of extended partitions be considered unallocated even though they are technically allocated to the extended partition.

-------------------
From: mju778@gmail.com
Subject: [sleuthkit-users] bug in mmls 3.01
Date: August 8, 2009 5:28:46 PM EDT
To: sleuthkit-users@lists.sourceforge.net

On my disk. I have 3 primary and one extended partition. In the
extended partition, I have multiple logical volumes. When looking at
the space between logical partitions, mmls version 2.52 shows 1 sector
for the partition table on one line and 62 sectors unallocated on the
next line. This is normal.

However, version 3.01 shows one line (meta) for the partition table,
but no line for the unallocated area. Offsets look strange too (lines
10,11).

Ver 2.52:
05: 00:03 0156312450 0312581807 0156269358 Win95 Extended (0x0F)
06: ----- 0156312450 0156312450 0000000001 Extended Table (#1)
07: ----- 0156312451 0156312512 0000000062 Unallocated
08: 01:00 0156312513 0208844999 0052532487 Win95 FAT32 (0x0C)
09: 01:01 0208845000 0271498499 0062653500 DOS Extended (0x05)
10: ----- 0208845000 0208845000 0000000001 Extended Table (#2)
11: ----- 0208845001 0208845062 0000000062 Unallocated

ver 3.01
05: Meta 0156312450 0312581807 0156269358 Win95 Extended (0x0F)
06: Meta 0156312450 0156312450 0000000001 Extended Table (#1)
07: ----- 0156312450 0156312512 0000000063 Unallocated
08: 01:00 0156312513 0208844999 0052532487 Win95 FAT32 (0x0C)
09: 01:01 0208845000 0271498499 0062653500 DOS Extended (0x05)
10: Meta 0208845000 0208845000 0000000001 Extended Table (#2)
11: 02:00 0208845063 0271498499 0062653437 Linux (0x83)

Discussion

Brian Carrier - 2009-08-19

Resolved first issue of extended partitions not being marked as META.

Sending trunk/CHANGES.txt
Sending trunk/man/mmls.1
Sending trunk/tsk3/vs/dos.c
Transmitting file data ...
Committed revision 105.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Meta tags not consistent for DOS partitions

Group

Searches

Help

#104 Meta tags not consistent for DOS partitions

Discussion