Re: [sleuthkit-users] filesystem recovery using sleuthkit
From: Brian C. <ca...@sl...> - 2005-02-07 14:06:18
On Feb 6, 2005, at 12:53 PM, Linux Tard wrote:

> --- Brian Carrier <ca...@sl...> wrote:
>> Nope. Magic / sigs are all in the boot sector /
>> superblock in the
>> first few sectors. The root directory has the same
>> structure as a
>> normal directory.
>>
>
> QUESTION - what is the magic signature for FAT12/16/32
> and NTFS? I can't find it. So I guess I'm asking
> what and where do you look Brian?

FAT12/16/32, NTFS, and DOS Partitions all have the same signature value, which is 0x55AA in the last two bytes of the first sector (there are also several data structures within FAT32 that use the same signature). The new autodetect code in v2 first checks the signature value and then checks other values to narrow down NTFS versus FAT, such as valid cluster size and FAT size. FAT and NTFS also have a label in the boot sector that typically contains "FAT12" or "NTFS", but this label is not required to exist or to be accurate, so it isn't a good test.

brian
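
The two-step check described in the message above, as an added example that is not part of the original post and is not The Sleuth Kit's autodetect code. The 512-byte sector size, the accepted field values, and the names `classify_boot_sector`, `make_sector` and `SAMPLES` are assumptions made for illustration; the sample sectors are constructed, not taken from a disk.

```python
import struct

SECTOR = 512  # assumed sector size for this example

def classify_boot_sector(sec: bytes) -> str:
    """Classify a first sector as 'none', 'ntfs', 'fat' or 'sig-only'."""
    # Step 1: signature bytes 55 AA at offsets 510-511.
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return "none"
    # Step 2: BPB fields shared by the FAT and NTFS boot sector layouts.
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    (fat16_size,) = struct.unpack_from("<H", sec, 22)
    (fat32_size,) = struct.unpack_from("<I", sec, 36)
    powers = (1, 2, 4, 8, 16, 32, 64, 128)
    if bps not in (512, 1024, 2048, 4096) or spc not in powers:
        return "sig-only"  # signature only, e.g. a DOS partition table
    # NTFS leaves the FAT-specific fields zeroed.
    if nfats == 0 and reserved == 0 and fat16_size == 0:
        return "ntfs"
    # FAT12/16 store the FAT size at offset 22, FAT32 at offset 36.
    if nfats >= 1 and reserved >= 1 and (fat16_size or fat32_size):
        return "fat"
    return "sig-only"

def make_sector(bps, spc, reserved, nfats, fat16, fat32=0, oem=b""):
    """Build a constructed 512-byte test sector (not real disk data)."""
    s = bytearray(SECTOR)
    struct.pack_into("<HBHB", s, 11, bps, spc, reserved, nfats)
    struct.pack_into("<H", s, 22, fat16)
    struct.pack_into("<I", s, 36, fat32)
    s[3:3 + len(oem)] = oem  # OEM label field, deliberately not trusted
    s[510:512] = b"\x55\xaa"
    return bytes(s)

# Constructed samples; the FAT16 one carries a misleading "NTFS" label.
SAMPLES = {
    "fat16_mislabeled": make_sector(512, 4, 1, 2, 250, oem=b"NTFS    "),
    "fat32": make_sector(512, 8, 32, 2, 0, fat32=4000),
    "ntfs": make_sector(512, 8, 0, 0, 0, oem=b"NTFS    "),
    "partition_table": make_sector(0, 0, 0, 0, 0),
    "no_signature": bytes(SECTOR),
}

def classify_samples():
    return {name: classify_boot_sector(sec) for name, sec in SAMPLES.items()}

if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:18} -> {kind}")
```

The mislabeled FAT16 sample is classified by its field values rather than by the label, which is the reason the message gives for not relying on the label.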