Ubuntu partition information
mscotgrove
Senior Member
 

Ubuntu partition information

Posted: Mar 20, 12 23:37

For testing purposes I often use Ubuntu to create a disk with a certain format, eg Ext3, XFS etc. I do this by using the disk utility to format the disk / memory stick.

However, by default, the Partition ID byte (offset 4 in the partition descriptor) does not appear to be changed. Thus I have a good Reiser disk, but the boot sector indicates it is NTFS or FAT32 - whatever the original format was. It is easy to change with the same utility.

My question is:

Do members often come across disks that initially look like NTFS/FATxx but are actually a Unix disk?

or am I the only one who makes this mistake?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

jaclaz
Senior Member
 

Re: Ubuntu partition information

Posted: Mar 23, 12 23:46

- mscotgrove

However, by default, the Partition ID byte (offset 4 in the partition descriptor) does not appear to be changed. Thus I have a good Reiser disk, but the boot sector indicates it is NTFS or FAT32 - whatever the original format was.

You mean the MBR, right?

NOT an answer to your question, but JFYI.

This seems like also being slightly connected with the talks about "sanitizing" disks before use.

I guess the issue is more "general" than you might expect.

There are AFAIK three "lines of thought" on the matter:
  1. that thinks that Partition Id's are there to identify partitions
  2. that thinks that Partition Id's are there to prevent access to "unaware" OS's and to certain partition types
  3. that thinks that #2 is the right one but since it costs nothing to have Partition ID's coherent with actual filesystems it is a much better choice to "fake" that it must be done and do it.
All DOS/Windows clearly belong to #1 and if you use the format command it will actually use the filesystem determined by the partition ID in the partition table in the MBR, with a few interesting "quirks", an example is here:
reboot.pro/3191/page__st__26

Here is a good example of school of thought #2 (which AFAIK most if not all the good Unix/Linux guys belong to):
homepage.ntlworld.com....-type.html
How partition types (do not) imply filesystem types

Traditionally on PC operating systems, the partition type has been associated with one, and only one, filesystem type. However, this was never the intention, and in practice is true only for a limited number of partition types.

The intention of the partition type was to prevent operating systems from attempting to access, mount, write, or otherwise deal with partitions that they wouldn't know how to deal with (because they would exceed their preconceived notions of how large a disc volume could ever be, for example), or that would extend into areas of the disc that they wouldn't be able to access, or that simply weren't volumes containing files and directories at all.

The idea that the partition type implies the filesystem type is flawed in any case, for one very simple reason: Once a partition has been created with a disc partitioning utility, users can (and do) reformat it with any filesystem type that they like. Most volume formatting tools (i.e. "high-level formatting" tools — mkfs and pals in Unix parlance) operate solely upon the contents of the disc slice concerned. They don't look for, and modify, the disc partition table to ensure that the partition type matches the new filesystem type.


What a partition type does is define which operating systems will attempt to access, mount, write or otherwise deal with the partition, and define the particular detection method that is to be used to determine what filesystem type the volume is actually formatted with.


Which may give you the answer you were looking for.

I personally belong to #3.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

mscotgrove
Senior Member
 

Re: Ubuntu partition information

Posted: Mar 24, 12 14:51

Thanks for your thoughts - I tend to count as #1. I have been brought up on DOS.

I also feel that if a byte has a meaning, it should be correct. However, I intend to modify my software to be more sceptical in the future.

I find it odd that Ubuntu (V11.0) does not at least encourage the selection of a suitable Partition ID when formatting a disk. My very brief use of it meant I got it 'wrong' several times.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

jaclaz
Senior Member
 

Re: Ubuntu partition information

Posted: Mar 24, 12 21:36

- mscotgrove
Thanks for your thoughts - I tend to count as #1. I have been brought up on DOS.

I also feel that if a byte has a meaning, it should be correct. However, I intend to modify my software to be more sceptical in the future.

I find it odd that Ubuntu (V11.0) does not at least encourage the selection of a suitable Partition ID when formatting a disk. My very brief use of it meant I got it 'wrong' several times.

Yep, the fact is that MS thinks that the partition or volume is part of the disk (and has not its own autonomy) whilst Unix/Linux think that a volume or filesystem is in itself an object, no matter if on a disk as a partition.
"Everything is a file."

If you were coming from another galaxy (or if you were a cyberarcheologist from year 2341) and you found no documentation, but only had access to a number of used PC's and hard disks, and could actually boot and analyze them, and *somehow* found out that that particular byte means "Partition ID" because a value in it corresponds to a different kind of filesystem, how would you interpret the data?

If you read between the lines of the commonly used partition types, see here for a list:
www.win.tue.nl/~aeb/pa...pes-1.html

You could find out:
00 is a "tag" to mean "empty"
02 and 03 are *never* used.
Anything bigger than 0F cannot be mounted by *any* MS Operating System, with the only exception of 42.
And yes, that IS the answer:
en.wikipedia.org/wiki/...g_.2842.29
more in detail, assuming that you find a booting MS-DOS 6.00 or 6.22 or even Dos 7.0 (Win 95) machine, you will find out that it can see only ID's 01, 04, 05 and 06.
If you had a NT 3.5 or 4.00 PC it will be able to do the same but to also access something identified as 07.
Then you may find a 95 OSR2 or 98/Me and you would see how you can get all the way up to 0F (but NOT 07)
Then you may find a PC with any NT based OS (2000 or later) and you would see how this could go all the way up to 0F including 07.
The issue comes quite UNexpectedly with more recent NT based OS that id with the SAME 07 BOTH *something* called NTFS AND *something* called exFAT (or FAT64).

All your logical analysis and the conclusion that that particular byte represented a partition ID and was connected univocally to a given filesystem would go down the toilet!

So, the good MS guys, out of the blue, started to tag TWO different filesystems with the same partition ID!

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
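Added example, not code from the thread or from either poster: a small Python checker that reads the Partition ID byte (offset 4 of each 16-byte MBR entry) and compares it with what the partition's own sectors say, using the signatures discussed above (NTFS and exFAT both sitting under 07, an ext or ReiserFS volume left under whatever ID the disk had before). The EXPECTED table and the sample image are constructed for the demo and are assumptions, not a complete list of IDs.

```python
import struct

SECTOR = 512
# Constructed lookup: which filesystem(s) an ID is expected to carry; 07 is the ambiguous one.
EXPECTED = {0x01: {"FAT12/16"}, 0x04: {"FAT12/16"}, 0x06: {"FAT12/16"}, 0x07: {"NTFS", "exFAT"},
            0x0B: {"FAT32"}, 0x0C: {"FAT32"}, 0x83: {"ext2/3/4", "ReiserFS"}}

def parse_mbr(mbr):
    """Return [(slot, type_id, start_lba, sectors)] for the non-empty MBR entries."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 55AA MBR signature")
    out = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        type_id = e[4]                      # offset 4 of the entry: the Partition ID byte
        if type_id != 0x00:                 # 00 marks an empty slot
            out.append((i, type_id) + struct.unpack_from("<II", e, 8))
    return out

def sniff_fs(image, start_lba):
    """Identify the filesystem from its own on-disk signatures, ignoring the MBR."""
    b = start_lba * SECTOR
    vbr = image[b: b + SECTOR]              # the partition's first sector
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[3:11] == b"EXFAT   ":
        return "exFAT"
    if vbr[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if image[b + 1024 + 0x38: b + 1024 + 0x3A] == b"\x53\xEF":   # ext superblock magic 0xEF53
        return "ext2/3/4"
    if image[b + 65536 + 52: b + 65536 + 61].startswith(b"ReIsEr"):  # ReiserFS magic at 64 KiB
        return "ReiserFS"
    return "unknown"

def check_image(image):
    """Return [(slot, type_id, sniffed_fs, consistent)]; False flags an ID/filesystem mismatch."""
    report = []
    for slot, type_id, start, _count in parse_mbr(image[:SECTOR]):
        fs = sniff_fs(image, start)
        report.append((slot, type_id, fs, fs in EXPECTED.get(type_id, set())))
    return report

def build_sample_image():
    """Constructed image: slot 0 claims 07 (NTFS/exFAT) but holds an ext superblock at LBA 2048."""
    img = bytearray(SECTOR * 2048 + 2 * 65536)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4096)
    img[510:512] = b"\x55\xAA"
    img[2048 * SECTOR + 1024 + 0x38: 2048 * SECTOR + 1024 + 0x3A] = b"\x53\xEF"
    return bytes(img)
```

Run `check_image` over a raw image (or a device opened read-only) and treat any `False` as a volume whose ID must not be trusted.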
 
  

mscotgrove
Senior Member
 

Re: Ubuntu partition information

Posted: Mar 24, 12 22:53

I agree with almost everything Jaclaz says except--

I think the cyberarcheologist would find that the first 100 disks they looked at, 99 had a valid Partition ID (ie their theory was correct), and the last one had failed - ie a 'duff' disk.

One hopes that nobody on this forum would mistake such a disk as 'duff', but I am sure many would. Also, how many software packages would also call the disk 'duff'?
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

jaclaz
Senior Member
 

Re: Ubuntu partition information

Posted: Mar 25, 12 02:00

- mscotgrove
I agree with almost everything Jaclaz says except--

I think the cyberarcheologist would find that the first 100 disks they looked at, 99 had a valid Partition ID (ie their theory was correct), and the last one had failed - ie a 'duff' disk.

Naaah, most MBR partitioned disks in the (near) future (i.e. the ones that most likely the cyberarcheologist will be able to find) will have - with the exception of a few 0F's - always 07 as partition ID's, and the filesystems on the partition will be either of:
  • NTFS (correct)
  • exFAT (wrong, because of the MS guys)
  • any other Linux filesystem, like ReiserFS or EXT4 (wrong because of the Linux guys)
the (good) news is that mscotgrove won't go anymore in the future history books as "the guy that contributed to this mess".

- mscotgrove

One hopes that nobody on this forum would mistake such a disk as 'duff', but I am sure many would. Also, how many software packages would also call the disk 'duff'?

I would say many, particularly risky is the usage of "automagical" data recovery or partition recovery apps.

Since you are interested in this rather narrow field, another nice quirk introduced by the good MS guys:
reboot.pro/9897/
basically the Disk Manager of XP to change a single byte from 00 to 80 and vice versa is so "intelligent" to recheck the partition address and size values and if it doesn't like them (i.e. if they don't respect cylinder boundaries like partitions most Windows Vista or Windows 7 will have created) it silently messes with the Partition table in such a way that you may "lose" any number of primary and logical volumes.

BTW, thanks, I just learned a new word "duff":
www.thefreedictionary.com/duff
(though I suspect that should I be invited to Buckingham Palace I should refrain from using it)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
