Re: [Peterboro] NTFS formatted as ext3

Stewart Robertson Wed, 23 Dec 2009 09:05:15 -0800

> Once you have the image. it would be useful if at some stage you 
>could install "sleuthkit":
> 
> sudo apt-get install sleuthkit
> 
> and then post the results of running:
> 
> mmls image.raw


ubu...@ubuntu:~$ sudo mmls /dev/sda
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0008193149   0008193087   Win95 FAT32 Hidden 
(0x1B)
03:  00:01   0008193150   0148842224   0140649075   Win95 FAT32 (0x0C)
04:  00:02   0148842225   0234436544   0085594320   Win95 Extended 
(0x0F)
05:  -----   0148842225   0148842225   0000000001   Extended Table 
(#1)
06:  -----   0148842226   0148842287   0000000062   Unallocated
07:  01:00   0148842288   0234436544   0085594257   Win95 FAT32 (0x0B)
08:  -----   0234436545   0488397167   0253960623   Unallocated

I'd love to be able to say that means something to me but 
unfortunately I can't.

The partition I sacrificed was about 72GB if that helps.

I ran GetDataBack and recovered some documents but not loads compared 
to what was on there.  There were a lot more files retrieved but were 
corrupted - I'm assuming that's because she never de-fragments her 
drive.

I've imaged the drive and sacrificed my custom Arch install on a 
'play' machine by using the image to recreate the whole laptop drive 
on to it (before I had just created separate partitions).

I've also run:

dd if=/dev/sda bs=512 skip=63 count=1 | xxd

I saw a lot of random stuff with the occasional recognised word (I've 
put a copy at the bottom in case anyone else is interested).  While 
looking around the drive I noticed that some of the outputs were all 
zeros (except the numbers down the side) so I assume that means that's 
an empty part of the drive.

It was mentioned that I should 'pipe a few sectors through stings'. 
 I've had a quick search but am not particularly sure what that means 
- can you give any further clues?

Finally, can you point me in the right direction for 'carving out a 
file in a readable format'.

Cheers,

Stewart



ubu...@ubuntu:~$ sudo dd if=/dev/sda bs=512 skip=63 count=1 | xxd
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000237401 s, 2.2 MB/s
0000000: eb58 904d 5344 4f53 352e 3000 0208 2400  .X.MSDOS5.0...$.
0000010: 0200 0000 00f8 0000 3f00 ff00 3f00 0000  ........?...?...
0000020: 3804 7d00 321f 0000 0000 0000 0200 0000  8.}.2...........
0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
0000040: 8000 2962 6881 444e 4f20 4e41 4d45 2020  ..)bh.DNO NAME
0000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408  {......|.n...@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f  ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7  ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e  .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9  *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac  ...+..H...}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
00000d0: eea0 fb7d ebe5 a0f9 7deb e098 cd16 cd19  ...}....}.......
00000e0: 6660 663b 46f8 0f82 4a00 666a 0066 5006  f`f;F...J.fj.fP.
00000f0: 5366 6810 0001 0080 7e02 000f 8520 00b4  Sfh.....~.... ..
0000100: 41bb aa55 8a56 40cd 130f 821c 0081 fb55  a.....@........u
0000110: aa0f 8514 00f6 c101 0f84 0d00 fe46 02b4  .............F..
0000120: 428a 5640 8bf4 cd13 b0f9 6658 6658 6658  b...@......fxfxfx
0000130: 6658 eb2a 6633 d266 0fb7 4e18 66f7 f1fe  fX.*f3.f..N.f...
0000140: c28a ca66 8bd0 66c1 ea10 f776 1a86 d68a  ...f..f....v....
0000150: 5640 8ae8 c0e4 060a ccb8 0102 cd13 6661  v...@............fa
0000160: 0f82 54ff 81c3 0002 6640 490f 8571 ffc3  ..t......@i..q..
0000170: 4e54 4c44 5220 2020 2020 2000 0000 0000  NTLDR      .....
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001a0: 0000 0000 0000 0000 0000 0000 0d0a 5265  ..............Re
00001b0: 6d6f 7665 2064 6973 6b73 206f 7220 6f74  move disks or ot
00001c0: 6865 7220 6d65 6469 612e ff0d 0a44 6973  her media....Dis
00001d0: 6b20 6572 726f 72ff 0d0a 5072 6573 7320  k error...Press
00001e0: 616e 7920 6b65 7920 746f 2072 6573 7461  any key to resta
00001f0: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa  rt............U.

_______________________________________________
Peterboro mailing list
Peterboro@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/peterboro

Re: [Peterboro] NTFS formatted as ext3

Reply via email to