Thread: [sleuthkit-users] Funky Partition Table
From: John T. H. <joh...@gm...> - 2005-03-03 21:49:56
---> /usr/local/sleuthkit-1.73/bin/mmls -v -t dos **/images/**.dat
dos_load_prim: Table Sector: 0
load_pri:0:0    Start: 63        Size: 32067      Type: 22
load_pri:0:1    Start: 32130     Size: 112455     Type: 6
load_pri:0:2    Start: 144585    Size: 16305975   Type: 5
dos_load_ext: Table Sector: 144585, Primary Base Sector: 144585
/usr/local/sleuthkit-1.73/bin/mmls: Invalid extended partition table in sector 144585

---> fdisk -lu **/images/**.dat
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0x4fe0 of partition table 5 will be corrected by w(rite)

Disk **/images/**.dat: 9102 MB, 9102397440 bytes
255 heads, 63 sectors/track, 1106 cylinders, total 17778120 sectors
Units = sectors of 1 * 512 = 512 bytes

           Device Boot      Start         End      Blocks   Id  System
**/images/**.dat1              63       32129      16033+   16  Hidden FAT16
**/images/**.dat2   *       32130      144584      56227+    6  FAT16
**/images/**.dat3          144585    16450559    8152987+    5  Extended
**/images/**.dat5   ?      212045  2382538316  1191163136   76  Unknown

That says it all. :) Sort of.

I dd'd this drive (NT4) and went to look at it later, to find it had a goofed partition table. Unfortunately, I had about six read errors while imaging on this disk that I bypassed by passing dd the flag conv=noerror. I can get back to this system if I have to, but if anyone has any idea what is going on, it'd be nice to not have to go touch this system again. None of these errors were anywhere near the partition table of the disk.

So the problem lies in the fact that partition 3 is extended, which, to my understanding, means partition 5 should be an identical size. But neither start nor end for partitions 3 or 5 are the same, or sequential, but instead just overlap.

Manually viewing sectors before or after 144585, 212045, and 16450559 do not appear to contain any special data indicating the start or end of a partition, either.

Any ideas, tools, data I can look for to identify what is actually on this disk?
From: Rich T. <te...@ap...> - 2005-03-04 02:15:42
John,

See my notes below.

--- "John T. Hoffoss" <joh...@gm...> wrote:

> ---> /usr/local/sleuthkit-1.73/bin/mmls -v -t dos **/images/**.dat
> dos_load_prim: Table Sector: 0
> load_pri:0:0    Start: 63        Size: 32067      Type: 22
> load_pri:0:1    Start: 32130     Size: 112455     Type: 6
> load_pri:0:2    Start: 144585    Size: 16305975   Type: 5
> dos_load_ext: Table Sector: 144585, Primary Base Sector: 144585
> /usr/local/sleuthkit-1.73/bin/mmls: Invalid extended partition table in sector 144585
>
> ---> fdisk -lu **/images/**.dat
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: invalid flag 0x4fe0 of partition table 5 will be corrected by w(rite)
>
> Disk **/images/**.dat: 9102 MB, 9102397440 bytes
> 255 heads, 63 sectors/track, 1106 cylinders, total 17778120 sectors
> Units = sectors of 1 * 512 = 512 bytes
>
>            Device Boot      Start         End      Blocks   Id  System
> **/images/**.dat1              63       32129      16033+   16  Hidden FAT16
> **/images/**.dat2   *       32130      144584      56227+    6  FAT16
> **/images/**.dat3          144585    16450559    8152987+    5  Extended
> **/images/**.dat5   ?      212045  2382538316  1191163136   76  Unknown
>
> That says it all. :) Sort of.

> So the problem lies in the fact that partition 3 is extended, which,
> to my understanding, means partition 5 should be an identical size.
> But neither start nor end for partitions 3 or 5 are the same, or
> sequential, but instead just overlap.

I don't think this is a problem. I'd have to pull out some of my partition stuff - but the fact that the extended 3, and unknown 5 aren't the same shouldn't be an issue. Although I haven't seen this type of drive set up in a while, I don't ever remember seeing an extended and its children being the same. But I might be wrong.

> Manually viewing sectors before or after 144585, 212045, and 16450559
> do not appear to contain any special data indicating the start or end
> of a partition, either. Any ideas, tools, data I can look for to
> identify what is actually on this disk?

Do a search for WINS4.1, when you find it, look at the hex output for that/those sectors, 3 characters before the WINS4.1 you should see, in hex, EB - that is the beginning of your partition.

Also, the master boot record indicated the first partition started at sector 63. So, you need to go to sectors 144647, 212107 for the beginning of those partitions (the ending sector of the last partition + 63)... they should be there.

See ya,
Rich
From: Brian C. <ca...@sl...> - 2005-03-04 15:02:37
Sector 144585 should have a partition table in it for the extended partitions, but it does not seem to (it should end with the typical 0xAA55 magic value). Was that one of the errors?

The start of partition "5" should typically be 63 sectors after the start of the extended partition (which is 144648). Check that sector to see if there is a file system there. Do you know how many partitions there should be on the system?

If you can find a file system in 144648, then see how large the file system is, jump to the end of the FS and look for another partition table (or jump ahead 63 more sectors and look for another file system).

Alternatively, you can use a tool like gpart or testdisk to search for the starting locations of the file systems.

brian

On Mar 3, 2005, at 4:49 PM, John T. Hoffoss wrote:

> ---> /usr/local/sleuthkit-1.73/bin/mmls -v -t dos **/images/**.dat
> dos_load_prim: Table Sector: 0
> load_pri:0:0    Start: 63        Size: 32067      Type: 22
> load_pri:0:1    Start: 32130     Size: 112455     Type: 6
> load_pri:0:2    Start: 144585    Size: 16305975   Type: 5
> dos_load_ext: Table Sector: 144585, Primary Base Sector: 144585
> /usr/local/sleuthkit-1.73/bin/mmls: Invalid extended partition table in sector 144585
>
> ---> fdisk -lu **/images/**.dat
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: invalid flag 0x4fe0 of partition table 5 will be corrected by w(rite)
>
> Disk **/images/**.dat: 9102 MB, 9102397440 bytes
> 255 heads, 63 sectors/track, 1106 cylinders, total 17778120 sectors
> Units = sectors of 1 * 512 = 512 bytes
>
>            Device Boot      Start         End      Blocks   Id  System
> **/images/**.dat1              63       32129      16033+   16  Hidden FAT16
> **/images/**.dat2   *       32130      144584      56227+    6  FAT16
> **/images/**.dat3          144585    16450559    8152987+    5  Extended
> **/images/**.dat5   ?      212045  2382538316  1191163136   76  Unknown
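Added example, not part of the thread and not Sleuth Kit code: a Python sketch of the checks discussed above, validating the 0xAA55 signature of each extended partition table, following the chain, and testing whether each logical volume's first sector looks like a boot sector. The function names and the 400-sector image are constructed for illustration; for a real image, pass the file's bytes (or an mmap) and the extended partition's start sector.

```python
import struct

SECTOR, SIG = 512, b"\x55\xaa"  # SIG is the on-disk byte order of 0xAA55
sector = lambda img, lba: img[lba * SECTOR:(lba + 1) * SECTOR]

def parse_table(sec):
    """Non-empty (flag, type, start, size) rows, or None if the signature is absent."""
    if sec[510:512] != SIG:
        return None
    rows = [struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i) for i in range(4)]
    return [r for r in rows if r[1]]

def boot_oem(sec):
    """OEM ID of a sector that starts with an x86 jump and ends with the signature."""
    if sec[510:512] != SIG or sec[0] not in (0xEB, 0xE9):
        return None
    return sec[3:11].decode("ascii", "replace").rstrip()

def walk_extended(img, base):
    """Follow the EBR chain from sector `base`; return (volumes, problems)."""
    volumes, problems, ebr, seen = [], [], base, set()
    while ebr is not None and ebr not in seen:  # `seen` stops looping chains
        seen.add(ebr)
        rows = parse_table(sector(img, ebr))
        if rows is None:
            problems.append(f"sector {ebr}: no 0xAA55 signature")
            break
        nxt = None
        for flag, ptype, start, size in rows:
            link = ptype in (0x05, 0x0F)
            lba = (base if link else ebr) + start  # links: base-relative; volumes: EBR-relative
            if flag not in (0x00, 0x80) or lba + size > len(img) // SECTOR:
                problems.append(f"sector {ebr}: implausible entry, type {ptype:#04x}")
            elif link:
                nxt = lba
            else:
                volumes.append((lba, size, boot_oem(sector(img, lba))))
        ebr = nxt
    return volumes, problems

def demo_image():
    """Constructed 400-sector image: EBR at 10, FAT volume at 73, blank sector at 210."""
    img, e, v = bytearray(400 * SECTOR), 10 * SECTOR, 73 * SECTOR
    row = lambda t, s, n: struct.pack("<B3xB3xII", 0, t, s, n)
    img[e + 446:e + 478] = row(0x06, 63, 100) + row(0x05, 200, 150)
    img[v:v + 11] = b"\xeb\x3c\x90MSDOS5.0"
    img[e + 510:e + 512] = img[v + 510:v + 512] = SIG
    return bytes(img)
print(walk_extended(demo_image(), 10))
```

An entry whose boot flag is neither 0x00 nor 0x80, or whose end lies past the end of the image, is reported rather than followed, which is the pattern fdisk warned about for "partition table 5" above.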