Re: [sleuthkit-users] Funky Partition Table
From: Rich T. <te...@ap...> - 2005-03-04 02:15:42
John,

See my notes below.

--- "John T. Hoffoss" <joh...@gm...> wrote:

> ---> /usr/local/sleuthkit-1.73/bin/mmls -v -t dos **/images/**.dat
> dos_load_prim: Table Sector: 0
> load_pri:0:0 Start: 63 Size: 32067 Type: 22
> load_pri:0:1 Start: 32130 Size: 112455 Type: 6
> load_pri:0:2 Start: 144585 Size: 16305975 Type: 5
> dos_load_ext: Table Sector: 144585, Primary Base Sector: 144585
> /usr/local/sleuthkit-1.73/bin/mmls: Invalid extended partition table in sector 144585
>
> ---> fdisk -lu **/images/**.dat
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: invalid flag 0x4fe0 of partition table 5 will be corrected by w(rite)
>
> Disk **/images/**.dat: 9102 MB, 9102397440 bytes
> 255 heads, 63 sectors/track, 1106 cylinders, total 17778120 sectors
> Units = sectors of 1 * 512 = 512 bytes
>
> Device Boot            Start         End      Blocks   Id  System
> **/images/**.dat1         63       32129      16033+  16  Hidden FAT16
> **/images/**.dat2   *  32130      144584      56227+   6  FAT16
> **/images/**.dat3     144585    16450559    8152987+   5  Extended
> **/images/**.dat5   ? 212045  2382538316  1191163136  76  Unknown
>
> That says it all. :) Sort of.
> So the problem lies in the fact that partition 3 is extended, which,
> to my understanding, means partition 5 should be an identical size.
> But neither start nor end for partitions 3 or 5 are the same, or
> sequential, but instead just overlap.

I don't think this is a problem. I'd have to pull out some of my partition stuff - but the fact that the extended 3, and unknown 5 aren't the same shouldn't be an issue. Although I haven't seen this type of drive set up in a while, I don't ever remember seeing an extended and its children being the same. But I might be wrong.

> Manually viewing sectors before or after 144585, 212045, and 16450559
> do not appear to contain any special data indicating the start or end
> of a partition, either. Any ideas, tools, data I can look for to
> identify what is actually on this disk?

Do a search for WINS4.1, when you find it, look at the hex output for that/those sectors, 3 characters before the WINS4.1 you should see, in hex, EB - that is the beginning of your partition.

Also, the master boot record indicated the first partition started at sector 63. So, you need to go to sectors 144647, 212107 for the beginning of those partitions (the ending sector of the last partition + 63)... they should be there.

See ya,
Rich
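
The manual search described in the reply above (a sector that begins with EB and carries an OEM string three bytes in) can be automated over the whole image. This is an added example, not part of the original message or of The Sleuth Kit: it assumes 512-byte sectors as in the fdisk output, reports whatever OEM string it finds at offset 3, and runs on a constructed sample image; all function names are hypothetical.

```python
import io
import struct

SECTOR = 512  # sector size taken from the fdisk output in the thread

def parse_boot_sector(sec):
    """Return (oem, hidden_sectors, total_sectors) for a FAT-style boot sector, else None."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None
    # Byte 0 must be an x86 jump: EB xx 90 (short) or E9 xx xx (near).
    if not ((sec[0] == 0xEB and sec[2] == 0x90) or sec[0] == 0xE9):
        return None
    bps, = struct.unpack_from("<H", sec, 11)       # BPB bytes-per-sector sanity check
    if bps not in (512, 1024, 2048, 4096):
        return None
    oem = sec[3:11].decode("ascii", "replace").strip("\x00 ")
    total16, = struct.unpack_from("<H", sec, 19)   # 16-bit sector count, 0 if unused
    hidden, total32 = struct.unpack_from("<II", sec, 28)
    return oem, hidden, total16 or total32

def scan_image(f, chunk_sectors=2048):
    """Yield (sector_number, oem, hidden, total) for each candidate in file object f."""
    lba = 0
    while True:
        chunk = f.read(chunk_sectors * SECTOR)
        if not chunk:
            break
        for i in range(0, len(chunk) - SECTOR + 1, SECTOR):
            hit = parse_boot_sector(chunk[i:i + SECTOR])
            if hit:
                yield (lba + i // SECTOR, *hit)
        lba += len(chunk) // SECTOR

def scan_bytes(data):
    return list(scan_image(io.BytesIO(data)))

def make_sample():
    """Constructed 200-sector image with one FAT16-style boot sector at sector 63."""
    img, bs = bytearray(200 * SECTOR), bytearray(SECTOR)
    bs[0:3], bs[3:11] = b"\xeb\x3c\x90", b"MSDOS5.0"   # constructed jump and OEM name
    struct.pack_into("<H", bs, 11, 512)
    struct.pack_into("<H", bs, 19, 137)                # constructed volume size
    struct.pack_into("<I", bs, 28, 63)                 # sectors before the volume
    bs[510:512] = b"\x55\xaa"
    img[63 * SECTOR:64 * SECTOR] = bs
    return bytes(img)

if __name__ == "__main__":
    for hit in scan_bytes(make_sample()):
        print("sector %d: OEM=%r hidden=%d total=%d" % hit)
```

On a real image, pass an open binary file to `scan_image`; the sector number of each hit and its `total` field give a candidate start and length to compare against the table entries printed by mmls and fdisk.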