[sleuthkit-users] Funky Partition Table
From: John T. H. <joh...@gm...> - 2005-03-03 21:49:56
---> /usr/local/sleuthkit-1.73/bin/mmls -v -t dos **/images/**.dat
dos_load_prim: Table Sector: 0
load_pri:0:0 Start: 63 Size: 32067 Type: 22
load_pri:0:1 Start: 32130 Size: 112455 Type: 6
load_pri:0:2 Start: 144585 Size: 16305975 Type: 5
dos_load_ext: Table Sector: 144585, Primary Base Sector: 144585
/usr/local/sleuthkit-1.73/bin/mmls: Invalid extended partition table in sector 144585

---> fdisk -lu **/images/**.dat
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0x4fe0 of partition table 5 will be corrected by w(rite)

Disk **/images/**.dat: 9102 MB, 9102397440 bytes
255 heads, 63 sectors/track, 1106 cylinders, total 17778120 sectors
Units = sectors of 1 * 512 = 512 bytes

Device             Boot   Start         End      Blocks  Id  System
**/images/**.dat1            63       32129      16033+  16  Hidden FAT16
**/images/**.dat2  *      32130      144584      56227+   6  FAT16
**/images/**.dat3        144585    16450559    8152987+   5  Extended
**/images/**.dat5  ?     212045  2382538316  1191163136  76  Unknown

That says it all. :) Sort of.

I dd'd this drive (NT4) and went to look at it later, to find it had a goofed partition table. Unfortunately, I had about six read errors while imaging on this disk that I bypassed by passing dd the flag conv=noerror. I can get back to this system if I have to, but if anyone has any idea what is going on, it'd be nice to not have to go touch this system again. None of these errors were anywhere near the partition table of the disk.

So the problem lies in the fact that partition 3 is extended, which, to my understanding, means partition 5 should be an identical size. But neither start nor end for partitions 3 or 5 are the same, or sequential, but instead just overlap. Manually viewing sectors before or after 144585, 212045, and 16450559 do not appear to contain any special data indicating the start or end of a partition, either.

Any ideas, tools, data I can look for to identify what is actually on this disk?
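
One way to examine the sector that mmls rejects, as an added example that is not part of the original post or of The Sleuth Kit: the script checks whether a 512-byte sector is a plausible extended boot record for the extended partition listed above (start 144585, size 16305975). The two-byte field at offset 510 is the one fdisk's "invalid flag 0x4fe0" warning reports; the function names and the sample sectors are constructed here, and `read_sector` assumes a raw dd image.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}

def read_sector(image_path, lba):
    """Read one 512-byte sector from a raw (dd) image."""
    with open(image_path, "rb") as f:
        f.seek(lba * SECTOR)
        return f.read(SECTOR)

def check_ebr(sector, ebr_lba, ext_start, ext_size):
    """Return the reasons this sector is not a plausible extended boot record."""
    if len(sector) != SECTOR:
        return ["short read: %d bytes" % len(sector)]
    problems = []
    sig = struct.unpack_from("<H", sector, 510)[0]
    if sig != 0xAA55:
        problems.append("signature is 0x%04x, expected 0xaa55" % sig)
    ext_end = ext_start + ext_size
    for slot in range(4):
        # 16-byte entry: flag, CHS start (skipped), type, CHS end (skipped), LBA start, size
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * slot)
        if ptype == 0:
            continue  # unused slot
        if flag not in (0x00, 0x80):
            problems.append("slot %d: boot flag 0x%02x" % (slot, flag))
        # Link entries count from the primary extended partition,
        # logical-volume entries from the EBR sector that holds them.
        base = ext_start if ptype in EXTENDED_TYPES else ebr_lba
        first, last = base + start, base + start + size - 1
        if size == 0 or first < ext_start or last >= ext_end:
            problems.append(f"slot {slot}: sectors {first}-{last} outside extended {ext_start}-{ext_end - 1}")
    return problems

def make_sector(entries, sig=0xAA55):
    """Build a constructed sample sector from (flag, type, start, size) tuples."""
    buf = bytearray(SECTOR)
    for i, e in enumerate(entries):
        struct.pack_into("<B3xB3xII", buf, 446 + 16 * i, *e)
    struct.pack_into("<H", buf, 510, sig)
    return bytes(buf)

# Constructed samples; BAD reuses the start/size/type fdisk printed for "partition 5",
# with a made-up flag byte. For a real image use read_sector(path, 144585) instead.
GOOD = make_sector([(0x00, 0x06, 63, 1000), (0x00, 0x05, 1063, 2000)])
BAD = make_sector([(0x12, 0x76, 67460, 2382326272)], sig=0x4FE0)

if __name__ == "__main__":
    for p in check_ebr(BAD, 144585, 144585, 16305975):
        print(p)
```

A sector that fails the signature check and also decodes to out-of-range entries is more likely ordinary data than a damaged table, so the listed "partition 5" values should not be trusted.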