Re: [sleuthkit-developers] mmls mis-feature?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hey Michael,

I've been adjusting these types of checks.  As you can see in the  
code, there used to be a check that the partition ended in the image,  
now it just checks that it starts in the image. The main motivation  
for this was as a sanity check and to detect when 'mmls' is being run  
on a FAT superblock versus a DOS partition table (since they share  
the same 2 byte magic value). The problem is that the only way to  
'detect' a DOS partition table is to check the two magic bytes and  
then do some sanity checks on the partition table content.   Since  
CHS values do not really work for current disks, that leaves only the  
LBA values and partition type.

The problem arises specifically when you have a tool that takes both  
disk and volume images as input. First you may try to use mm_open to  
see if there is a volume system.  If that fails, then you would want  
to try fs_open to see if there is a known file system.  If the DOS  
code is more liberal with its checks, then FAT file systems could be  
easily detected as DOS partition tables and the results would be  
garbage.

Perhaps the requirement could be:
- At least one partition must start in the image file.  It can end  
outside of the image file (This is currently supported).
- A partition can start and end outside of the image file if it  
starts within X sectors of the end of another partition.

I just changed some of the file system code to deal with a similar  
problem.  There is now a last_block_act value in FS_INFO that reports  
the actual last block of the file system versus the reported last  
block.  They are different if the image is corrupt or partial. Maybe  
I need something similar for the MM_PART structure.

brian

On Sep 11, 2007, at 7:08 AM, Michael Cohen wrote:

> Hi List,
>   I tried to use mmls today on a truncated disk image and received an
> error that the partition table was invalid. This was despite the fact
> that sfdisk and disktype successfully printed the partition table. I
> looked into it and saw this kind of code, e.g. dos.c:
>
> DADDR_T max_addr = (mm->img_info->size - mm->offset) / mm->block_size;
>
> and
>
> if (part_start > max_addr) {
>             tsk_error_reset();
>             tsk_errno = TSK_ERR_MM_BLK_NUM;
>             snprintf(tsk_errstr, TSK_ERRSTR_L,
>                 "dos_load_prim_table: Starting sector too large for  
> image");
>             if (tsk_verbose)
>                 tsk_fprintf(stderr,
>                     "Starting sector %" PRIu32 " too large for image 
> \n",
>                     part_start);
>
>             return 1;
>         }
>
> The problem is that some of the later partitions of course fall  
> past the end of
> the truncated image. In this case I get no output at all, and it  
> errors out
> altogether.
>
> I wonder if its better to either change the error to a warning or  
> leave this
> error check altogether - whats the point of it? I kind of expected  
> mmls to tell
> me what the partition table says - its irrelevant that its not  
> exactly expected
> from the image. I would have expected to at least be told something  
> about the
> earlier partitions that can possibly fall in this image.
>
> Thanks,
> Michael.
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers