Notifications
Clear all

RISC OS Forensics

10 Posts
6 Users
0 Likes
801 Views
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

Hello guys,

Has anyone had any encounters with RISC OS (on the Raspberry Pi)?
I'm just learning about it (part of my Forensic Computing course) and wanted to know if anyone has done any previous work on it?

I had a look at the image on it, Windows only sees a small chunk of a Fat File System and that's it. The Windows does not recognise. It's actually a file system called FileCore. I've opened it in FTK Imager but it's all unallocated clusters. Anyone know anymore on this?

Thanks in advance.

Sam.

 
Posted : 16/04/2014 5:46 pm
(@athulin)
Posts: 1156
Noble Member
 

Has anyone had any encounters with RISC OS (on the Raspberry Pi)?

Several years ago, on the Archimedes platform.

I had a look at the image on it, Windows only sees a small chunk of a Fat File System and that's it. The Windows does not recognise.

Don't expect anything else. After all, it's not listed as supported by Microsoft on their Windows platform, is it? Not do I expect it to be supported by any well-known forensic tool-set.

If you move outside the 'standard' platforms, which essentially are DOS and Windows on x86 platform, Mac and some Unix dialects on 68x and x86, you're very probably on your own.

Though what with Raspberry Pi it may be becoming more interesting …

 
Posted : 16/04/2014 8:01 pm
(@rampage)
Posts: 354
Reputable Member
 

some informations about the filesystem and third party operating systems supporting it

http//en.wikipedia.org/wiki/Advanced_Disc_Filing_System

at the moment i'm not aware of any forensics tool supporting ADFS

 
Posted : 16/04/2014 8:04 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

I have several RasPis.

Have you looked at the firmware loader code?

 
Posted : 16/04/2014 11:27 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is this the "same" ADFS of Archimedes/RISCOS?
The Linux Kernel has support for it
https://www.riscosopen.org/forum/forums/8/topics/2460?page=1
http//cateee.net/lkddb/web-lkddb/ACORN_PARTITION_ADFS.html
http//www.filecore.net/riscos/public/filetransferlinux.html

jaclaz

 
Posted : 16/04/2014 11:37 pm
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

If you move outside the 'standard' platforms, which essentially are DOS and Windows on x86 platform, Mac and some Unix dialects on 68x and x86, you're very probably on your own.

Yeah it seems like it /

Though what with Raspberry Pi it may be becoming more interesting …

In a forensic point of view, it is very interesting because the OS is so old, but the platform to use it on is relatively new.

at the moment i'm not aware of any forensics tool supporting ADFS

Yeah, Encase sees it as unallocated clusters too (

Have you looked at the firmware loader code?

What kind of firmware loader codes?

Is this the "same" ADFS of Archimedes/RISCOS?
jaclaz

I don't know to be honest. Not looked at that yet.

 
Posted : 17/04/2014 1:29 am
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

If you're unable to find something to parse the filesytsem, how about cloning the SDCard and performing a live exam on the clone?

Also, this sounds like something which, if you point them at the design document, might be included in a point release for X-Ways. Not immediately helpful, I know, but better than nothing )

 
Posted : 17/04/2014 12:32 pm
(@clever_duck)
Posts: 6
Active Member
Topic starter
 

If you're unable to find something to parse the filesytsem, how about cloning the SDCard and performing a live exam on the clone?

I've taken an image of the SD card using Encase and had a look at that, but the issue is that it's showing unallocated clusters. #help lol

Also, this sounds like something which, if you point them at the design document, might be included in a point release for X-Ways.

Point who? Confused lol.

 
Posted : 17/04/2014 2:13 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Haha sorry, should have been more clear. )

I meant clone the SDCard (ie, make a forensic clone onto a spare SDCard you might have lying around), insert this clone into the Pi and power it up. You can then poke about the filesystem.

In terms of "tell who" - X-ways supports an absurd number of filesystems, so if you contacted their customer support and requested ADFS to be added then there is a chance it might be. Well, a higher chance than if you contact Guidance or AccessData. 😉

 
Posted : 17/04/2014 3:23 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

Look at the Raspberry Pi website. Look at the source codes and read the material on that site.

You will find the details on both the SD card format, and the code format.

 
Posted : 17/04/2014 5:30 pm
Share: