Practical.Linux.Forensics.2021.10 series: EVIDENCE FROM STORAGE DEVICES AND FILESYSTEMS

A list of known partition types

Partition types: List of partition identifiers for PCs: https://www.win.tue.nl/~aeb/partitions/partition_types-1.html
Some common Linux partition types you might find are:
0x83 Linux
0x85 Linux extended
0x82 Linux swap
0x8E Linux LV
0xE8 LUKS (Linux Unified Key Setup)
0xFD Linux RAID auto

A DOS partition table entry allocates one byte for the partition type.

A GPT partition table entry allocates 16 bytes for the partition GUID. 
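As an added example (not code from the book or this post), a small Python parser for the one-byte DOS partition table type field described above, run against a constructed sample MBR; the type names are the page's table, while the sample partitions, their sector numbers and the 512-byte sector size are assumptions:

```python
import struct

# Partition type names from the page's table (a DOS/MBR entry stores the type in one byte).
LINUX_TYPES = {
    0x83: "Linux", 0x85: "Linux extended", 0x82: "Linux swap",
    0x8E: "Linux LV", 0xE8: "LUKS (Linux Unified Key Setup)", 0xFD: "Linux RAID auto",
}
SECTOR_SIZE = 512  # assumed 512-byte sectors; pass 4096 for 4Kn drives
# One 16-byte entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes, sector_size: int = SECTOR_SIZE) -> list:
    """Decode the four primary entries of a DOS partition table (first 512 bytes of a drive).

    'start_sector' is what mmls reports and what fsstat -o expects; 'byte_offset' is where
    to seek in a raw image. The type byte is only a hint: confirm with disktype or fsstat.
    """
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no DOS partition table: 0x55AA signature missing")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, n_sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "name": LINUX_TYPES.get(ptype, "other (0x%02X)" % ptype),
            "start_sector": lba_start,
            "sectors": n_sectors,
            "byte_offset": lba_start * sector_size,
        })
    return parts


def make_entry(ptype: int, lba_start: int, n_sectors: int, bootable: bool = False) -> bytes:
    # Helper used only to build the constructed sample table below.
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, lba_start, n_sectors)


# Constructed sample MBR: a bootable Linux partition at sector 2048, then an LVM PV.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x83, 2048, 1048576, bootable=True)
              + make_entry(0x8E, 1050624, 8388608)
              + b"\x00" * 32
              + b"\x55\xaa")
```

The start sectors returned here are the offsets to pass to fsstat -o or to convert into byte offsets for a hex editor.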

The Linux Discoverable Partitions Specification

Discoverable Partitions Specification: https://systemd.io/DISCOVERABLE_PARTITIONS/
systemd-id128(1) man page: lists the known GUIDs with the systemd-id128 show command

Glossary:

NVM Express (NVMe), also known as the Non-Volatile Memory Host Controller Interface Specification (NVMHCIS), is a logical device interface specification. Like AHCI, it is a bus transport protocol specification built on the device's logical interface (the equivalent of the application layer in a communications protocol), used to access non-volatile storage media (for example, flash-based solid-state drives) attached over the PCI Express (PCIe) bus, although in theory the PCIe bus protocol is not strictly required.

/dev/sda, /dev/sdb, /dev/sdc, . . .
/dev/nvme0n1, /dev/nvme1n1, . . .
/dev/mmcblk0, mmcblk1, . . .

SATA and SAS drives are represented alphabetically (sda, sdb, sdc, . . .). NVMe drives are represented numerically; the first number is the drive, and the second number (after the n) is the namespace. SD cards are also represented numerically (mmcblk0, mmcblk1, . . .).


Tools to analyze Linux partition tables

Identifying the filesystem: use other tools such as disktype or TSK's fsstat to identify a filesystem.

mmls (from TSK) and disktype.

mmls image.raw

The UEFI specification describes the EFI GUID format in detail:

https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf

LVM forensics

sudo pvdisplay --maps --foreign --readonly

sudo lvdisplay --maps --foreign --readonly

The --foreign flag includes volumes that would normally be skipped, and --readonly reads data directly from the disk (ignoring the kernel device mapper driver).

The --maps flag provides additional details about the segments and extents.

The TSK command fsstat provides information about filesystems:

sudo fsstat -o 10489856 /dev/sdc

Each device from a Linux RAID system has a superblock (not to be confused with filesystem superblocks, which are different) that contains information about the device and the array. The default location of the md superblock on a modern Linux RAID device is eight sectors from the start of the partition. We can identify it by the magic string 0xA92B4EFC. You can examine this superblock information with a hex editor or the mdadm command.
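As an added example (not from the book, this post, or mdadm itself), a Python snippet that locates the md magic in a partition image and decodes the leading header fields of the version-1 superblock; the magic value and the eight-sector default offset are the page's, the field layout is taken from the kernel's mdp_superblock_1 structure, and the RAID1 member image is constructed:

```python
import struct

MD_SB_MAGIC = 0xA92B4EFC   # stored little-endian, so a hex editor shows fc 4e 2b a9
MD_SB_OFFSET = 8 * 512     # default v1.2 location: eight 512-byte sectors into the partition
# Leading fields of the v1 superblock (kernel struct mdp_superblock_1), all little-endian:
# magic, major_version, feature_map, pad, set_uuid[16], set_name[32], ctime, level, layout,
# size (component size in 512-byte sectors), chunksize (in sectors), raid_disks
MD_SB_HEAD = "<IIII16s32sQIIQII"


def find_md_superblocks(part: bytes) -> list:
    """Byte offsets of every md magic found on a sector boundary in a partition image.
    Useful when the array does not use the default offset (other 1.x layouts place the
    superblock at the start or end of the device)."""
    magic = struct.pack("<I", MD_SB_MAGIC)
    hits, pos = [], part.find(magic)
    while pos != -1:
        if pos % 512 == 0:
            hits.append(pos)
        pos = part.find(magic, pos + 1)
    return hits


def parse_md_superblock(part: bytes, offset: int = MD_SB_OFFSET):
    """Decode the header fields at 'offset'; returns None if the magic is not there."""
    head = part[offset:offset + struct.calcsize(MD_SB_HEAD)]
    if len(head) < struct.calcsize(MD_SB_HEAD):
        return None
    (magic, major, features, _pad, uuid_raw, name_raw, _ctime, level, layout,
     size, chunk, ndisks) = struct.unpack(MD_SB_HEAD, head)
    if magic != MD_SB_MAGIC:
        return None
    return {
        "major_version": major,
        "feature_map": features,
        "array_uuid": uuid_raw.hex(),
        "name": name_raw.split(b"\0", 1)[0].decode("ascii", "replace"),
        "level": level,            # RAID level, e.g. 1 for a mirror
        "layout": layout,
        "size_sectors": size,      # per-component usable size in 512-byte sectors
        "chunk_sectors": chunk,
        "raid_disks": ndisks,
    }


# Constructed sample: a two-disk RAID1 member named "host:0" with its superblock at
# sector 8, padded to 16 KiB so the scanner has zeroed space to skip over.
SAMPLE_SB = struct.pack(MD_SB_HEAD, MD_SB_MAGIC, 1, 0, 0, bytes(range(16)), b"host:0",
                        0, 1, 0, 2097152, 1024, 2)
SAMPLE_PART = (b"\x00" * MD_SB_OFFSET + SAMPLE_SB).ljust(16384, b"\x00")
```

Run the two functions over a raw partition image read from disk to cross-check what mdadm --examine reports.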
 


When a file is deleted, it is unlinked and the inode and associated data blocks are flagged as unallocated and free to use. On magnetic disk drives, the deleted file's data continues to reside on the platters until the blocks are overwritten, meaning data can be recovered by forensic tools. On SSDs, the operating system may send a command (TRIM or DISCARD) to the drive firmware, instructing it to erase the data in preparation for the next write. This reduces the chance of deleted data recovery from unallocated areas of SSDs.


These examples use basic math or TSK tools to answer the following questions:

I know the drive sector. What is the filesystem block? (sector - partitionoffset) * sectorsize / blocksize
I know the filesystem block. At what sector is it located? (block * blocksize / sectorsize) + partitionoffset
Is this filesystem block (123) allocated? blkstat partimage.raw 123
I know an allocated block (456). What is the inode? ifind -d 456 partimage.raw
I know a file's inode. Show the file's metadata (and blocks used): istat partimage.raw 789
I know a file's inode. What is the filename? ffind partimage.raw 789
I know the filename. What is the inode? ifind -n "hello.txt" partimage.raw
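The two conversion formulas above, worked through in Python as an added example (not from the book or this post); it also checks the edge cases the formulas hide (a sector before the partition start, and a 4096-byte block that spans eight 512-byte sectors) and builds the matching TSK and dd command lines. The partition offset 10489856 is the one from the fsstat example on this page; the 4096-byte block size, the image names and the sector numbers are assumptions:

```python
SECTOR_SIZE = 512  # assumed; pass 4096 for 4Kn drives


def sector_to_block(sector: int, part_offset: int, block_size: int, sector_size: int = SECTOR_SIZE):
    """Drive sector -> (filesystem block, byte offset of that sector inside the block).

    Page formula: (sector - partitionoffset) * sectorsize / blocksize. The remainder matters
    because a 4096-byte block spans eight 512-byte sectors; only the first divides evenly.
    """
    if sector < part_offset:
        raise ValueError("sector %d lies before the partition start at %d" % (sector, part_offset))
    rel_bytes = (sector - part_offset) * sector_size
    return rel_bytes // block_size, rel_bytes % block_size


def block_to_sector(block: int, part_offset: int, block_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Filesystem block -> first drive sector. Page formula: (block * blocksize / sectorsize) + partitionoffset."""
    return block * block_size // sector_size + part_offset


def block_sector_range(block: int, part_offset: int, block_size: int, sector_size: int = SECTOR_SIZE):
    """All drive sectors covered by one block as an inclusive (first, last) pair, for dd skip/count."""
    first = block_to_sector(block, part_offset, block_size, sector_size)
    return first, first + max(block_size // sector_size, 1) - 1


def tsk_commands(sector: int, part_offset: int, block_size: int,
                 image: str = "image.raw", partimage: str = "partimage.raw") -> list:
    """The TSK and dd invocations listed on the page, filled in for one drive sector.
    blkstat/ifind/blkcat take the partition image and a block; dd takes the whole-drive
    image and absolute sectors, so the two address spaces must not be mixed."""
    block, _ = sector_to_block(sector, part_offset, block_size)
    first, last = block_sector_range(block, part_offset, block_size)
    return [
        "blkstat %s %d" % (partimage, block),
        "ifind -d %d %s" % (block, partimage),
        "blkcat %s %d 1" % (partimage, block),
        "dd if=%s skip=%d count=%d" % (image, first, last - first + 1),
    ]
```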


# fdisk -l
Disk /dev/cciss/c0d0: 146.7 GB, 146778685440 bytes
255 heads, 63 sectors/track, 17844 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
heads/sectors/cylinders are the heads, sectors per track and cylinders; each sector is 512 bytes (newer drives now use 4K sectors).
Disk capacity = heads * sectors * cylinders * 512 = 255 * 63 * 17844 * 512 = 146771896320 bytes = 146.7 GB.
Note: the smallest storage unit of a hard disk is the sector; the disk itself has no concept of blocks or clusters.
 

A hard disk usually consists of a stack of platters. Each platter surface is divided into the same number of tracks, numbered from "0" at the outer edge; the tracks with the same number across all surfaces form a cylinder. The number of cylinders therefore equals the number of tracks on one surface, and because each surface has its own head, the number of surfaces equals the total number of heads. See the figure below.

Because sectors are small and numerous, addressing them individually is awkward, so the operating system groups several sectors into a larger unit and operates on that unit as a whole. On Windows, in the FAT, FAT32 and NTFS filesystems, this unit is called a cluster; on Linux, in filesystems such as Ext4, it is called a block. Each cluster or block can contain 2, 4, 8, 16, 32, 64 ... 2^n sectors.


Use TSK's fls tool to list all known files (including deleted files) on a filesystem.

The -r flag lists files from all directories recursively, and -p displays a full path (the -l flag would include timestamps, size, and ownership).

fls -r -p partimage.raw

The Linux-relevant file types are documented on the TSK wiki and shown here:

r/r Regular fle
d/d Directory
c/c Character device
b/b Block device
l/l Symbolic link
p/p Named FIFO
h/h Socket

Use TSK commands to extract content from the filesystem. Here are a few examples:

Extract a file based on inode number (use -s to include slack): icat partimage.raw 1234
Extract a file based on filename (use -s to include slack): fcat hello.txt /dev/sda1
Extract filesystem blocks (with offset and number of blocks): blkcat partimage.raw 56789 1
Extract all unallocated filesystem blocks: blkls partimage.raw
Extract all file slack space (from allocated blocks): blkls -s partimage.raw
Extract one drive sector with dd (increment count for more sectors): dd if=image.raw skip=12345 count=1


All the TSK commands, grouped by analysis or extraction function:

Forensic images: img_cat, img_stat
Partitions: mmcat, mmls, mmstat
Filesystem information: fsstat, pstat
Filesystem blocks: blkcalc, blkcat, blkls, blkstat
Filenames: fcat, ffind, fls, fiwalk
Inodes: icat, ifind, ils, istat
Timelines: mactime, tsk_gettimes
Search and sort: sigfind, sorter, srch_strings, tsk_comparedir, tsk_loaddb, tsk_recover, hfind
Filesystem journal: jcat, jls, usnjls
