Hi Stewart
The "mmls" output resolves as follows (if my math is correct):
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
<-----------> Primary Partition Table
01: ----- 0000000001 0000000062 0000000062 Unallocated
<------------------> Unallocated clusters (Very small - Probably empty)
02: 00:00 0000000063 0008193149 0008193087 Win95 FAT32 Hidden (0x1B)
<----> Approx 4 GiB (Manufacturers Recovery Partition)
03: 00:01 0008193150 0148842224 0140649075 Win95 FAT32 (0x0C)
<-----------> Approx 67 GiB Data Partition
04: 00:02 0148842225 0234436544 0085594320 Win95 Extended (0x0F)
<--------> Approx 40 GiB Extended Partition
05: ----- 0148842225 0148842225 0000000001 Extended Table(#1)
<-----------> Extended Partition Table
06: ----- 0148842226 0148842287 0000000062 Unallocated
<------------------> Unallocated Clusters (Very small - Probably empty)
07: 01:00 0148842288 0234436544 0085594257 Win95 FAT32 (0x0B)
<-----------> Approx 40 GiB Data Partition
08: ----- 0234436545 0488397167 0253960623 Unallocated
<------------------> Approx 121 GiB Unallocated Clusters
I must say that I am a little confused by all the references to FAT32 as I
understood that you started with an NTFS formatted drive and used "fdisk" to
format as ext3? Have I got this right? I've not got your original posts so
perhaps you can refresh my memory at some stage.
The output above shows what appears to be a standard manufacturer disk
configuration which contains an OEM recovery partition (02:), one primary
partition (03:) and an extended partition containing one further data partition
(07:). The relatively large "Unallocated Clusters" area is not unusual.
The obvious place to start is to run some carving tools across the two data
partitions (03: and 07:). There are three popular ones which I would suggest
you read up on:
PhotoRec;
Foremost;
Scalpel.
For completeness I would suggest running all three tools across each of the two
data partitions and then sift the results. You can do this either from your
restored drive or from a the forensic image (image.raw I think we referred to
it as). You can also split out the partitons using "dcfldd" if you want to
using the byte counts from the "mmls" output. Like so:
dcfldd if=image.raw of=partition_03.raw bs=512 skip=0008193150 count=0140649075
conv=noerror,sync,notrunc
This command will start the copy from the starting sector of partition 03: for
a length of 0140649075 bytes (67 (ish) GiB). You can then run your carving
tools on the resulting image file, which has the obvious benefit of being
smaller than the whole drive. Just repeat with the relative offsets for the
other partitions/s.
Dependant on your results, you can try the same procedure on the "Unallocated
Clusters" area as a mopping up operation.
When I mentioned "piping sectors through strings" I was really talking in terms
of using the method as a scoping tool in an attempt to see if any human
readable data still existed on the disk. It is often worth calculating the
offsets for say a GiB of of data and then piping that data through strings to
see what appears. Documents such as "rtf, doc and txt" will really stand out if
they are present. As a last resort you can write the output to a text file and
then copy and paste the plain text into a new document. As someone pointed out,
very labour intensive but then it depends on how important your documents are
to you!
I hope this gets you a bit further along.
Regards
Stu
________________________________
From: Stewart Robertson <stewar...@aliencamel.com>
To: Peterborough LUG - No commercial posts <peterboro@mailman.lug.org.uk>
Sent: Wed, 23 December, 2009 17:05:06
Subject: Re: [Peterboro] NTFS formatted as ext3
> Once you have the image. it would be useful if at some stage you
>could install "sleuthkit":
>
> sudo apt-get install sleuthkit
>
> and then post the results of running:
>
> mmls image.raw
ubu...@ubuntu:~$ sudo mmls /dev/sda
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0008193149 0008193087 Win95 FAT32 Hidden
(0x1B)
03: 00:01 0008193150 0148842224 0140649075 Win95 FAT32 (0x0C)
04: 00:02 0148842225 0234436544 0085594320 Win95 Extended
(0x0F)
05: ----- 0148842225 0148842225 0000000001 Extended Table
(#1)
06: ----- 0148842226 0148842287 0000000062 Unallocated
07: 01:00 0148842288 0234436544 0085594257 Win95 FAT32 (0x0B)
08: ----- 0234436545 0488397167 0253960623 Unallocated
I'd love to be able to say that means something to me but
unfortunately I can't.
The partition I sacrificed was about 72GB if that helps.
I ran GetDataBack and recovered some documents but not loads compared
to what was on there. There were a lot more files retrieved but were
corrupted - I'm assuming that's because she never de-fragments her
drive.
I've imaged the drive and sacrificed my custom Arch install on a
'play' machine by using the image to recreate the whole laptop drive
on to it (before I had just created separate partitions).
I've also run:
dd if=/dev/sda bs=512 skip=63 count=1 | xxd
I saw a lot of random stuff with the occasional recognised word (I've
put a copy at the bottom in case anyone else is interested). While
looking around the drive I noticed that some of the outputs were all
zeros (except the numbers down the side) so I assume that means that's
an empty part of the drive.
It was mentioned that I should 'pipe a few sectors through stings'.
I've had a quick search but am not particularly sure what that means
- can you give any further clues?
Finally, can you point me in the right direction for 'carving out a
file in a readable format'.
Cheers,
Stewart
ubu...@ubuntu:~$ sudo dd if=/dev/sda bs=512 skip=63 count=1 | xxd
1+0 records in
1+0 records out
512 bytes (512 B) copied, 0.000237401 s, 2.2 MB/s
0000000: eb58 904d 5344 4f53 352e 3000 0208 2400 .X.MSDOS5.0...$.
0000010: 0200 0000 00f8 0000 3f00 ff00 3f00 0000 ........?...?...
0000020: 3804 7d00 321f 0000 0000 0000 0200 0000 8.}.2...........
0000030: 0100 0600 0000 0000 0000 0000 0000 0000 ................
0000040: 8000 2962 6881 444e 4f20 4e41 4d45 2020 ..)bh.DNO NAME
0000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4 FAT32 3.....
0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408 {......|.n...@..
0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f ..s......f...@f.
0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7 ....?.......Af..
0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e .f..f.F..~..u8.~
00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9 *.w2f.F.f.......
00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac ...+..H....}.}...
00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb ..t.<.t..........
00000d0: eea0 fb7d ebe5 a0f9 7deb e098 cd16 cd19 ...}....}.......
00000e0: 6660 663b 46f8 0f82 4a00 666a 0066 5006 f`f;F...J.fj.fP.
00000f0: 5366 6810 0001 0080 7e02 000f 8520 00b4 Sfh.....~.... ..
0000100: 41bb aa55 8a56 40cd 130f 821c 0081 fb55 a.....@........u
0000110: aa0f 8514 00f6 c101 0f84 0d00 fe46 02b4 .............F..
0000120: 428a 5640 8bf4 cd13 b0f9 6658 6658 6658 b...@......fxfxfx
0000130: 6658 eb2a 6633 d266 0fb7 4e18 66f7 f1fe fX.*f3.f..N.f...
0000140: c28a ca66 8bd0 66c1 ea10 f776 1a86 d68a ...f..f....v....
0000150: 5640 8ae8 c0e4 060a ccb8 0102 cd13 6661 v...@............fa
0000160: 0f82 54ff 81c3 0002 6640 490f 8571 ffc3 ...t......@i..q..
0000170: 4e54 4c44 5220 2020 2020 2000 0000 0000 NTLDR .....
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 .................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001a0: 0000 0000 0000 0000 0000 0000 0d0a 5265 ..............Re
00001b0: 6d6f 7665 2064 6973 6b73 206f 7220 6f74 move disks or ot
00001c0: 6865 7220 6d65 6469 612e ff0d 0a44 6973 her media....Dis
00001d0: 6b20 6572 726f 72ff 0d0a 5072 6573 7320 k error...Press
00001e0: 616e 7920 6b65 7920 746f 2072 6573 7461 any key to resta
00001f0: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa rt............U.
_______________________________________________
Peterboro mailing list
Peterboro@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/peterboro
_______________________________________________
Peterboro mailing list
Peterboro@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/peterboro
