Partition table is not detected if the flash drive was initally formatted on...
Brought to you by:
carrier
Menu
▾
▴
1 Attachments
#213 Partition table is not detected if the flash drive was initally formatted on MAC, and then reformatted in Windows
We have a flash drive, which was formatted on Mac, and the it was reformatted in Windows to NTFS. It has a MAC signature in a second sector, Windows can see this drive partitions without any problem and TSK detects it incorrectly.
mmls reports:
Cannot determine partition type (Mac or DOS at 0)
mmls -v gives:
tsk_img_open: Type: 0 NumImg: 1 Img1: d:\tosh.e01
ewf_open: found 1 segment files via libewf_glob
dos_load_prim: Table Sector: 0
ewf_image_read: byte offset: 0 len: 65536
dos_load_prim_table: Testing FAT/NTFS conditions
load_pri:0:0 Start: 63 Size: 15148161 Type: 7
load_pri:0:1 Start: 0 Size: 0 Type: 0
load_pri:0:2 Start: 0 Size: 0 Type: 0
load_pri:0:3 Start: 0 Size: 0 Type: 0
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: 0 Starting Sector: 0 Size: 0 Type: Status: 0
Cannot determine partition type (Mac or DOS at 0)
It's Windows 7, TSK 4.1.2
I'm attaching the first two sectors of the drive.
The problem is that the drive now has two partition tables and the volume system-level code doesn't know if the DOS one (WIndows) was created first or if the MAC one was (because they don't fully overlap). If TSK guessed one of them (which some other tools do), this would be a data hiding technique to put the data in the partitions in the other volume system.
You can get around this on the command line by specifying the partition type:
mmls -t dos IMAGE
I gave this example with mmls tool, just to make sure you can reproduce the problem.
Actually we're using TSK source code to detect the filesystem type on the drive. So the real problem is in tsk_vs_mac_open() which is called from tsk_vs_open(). We know how to fix it in the code, but it was the first we faced such drive, and we thought that you may have more experience of such cases. And know how to fix it properly.