accessing hidden partitions

(@mikebentzen)
New Member
Joined: 13 years ago
Posts: 2
Topic starter [#10487]

Hi, I've posted a question on stack exchange, but was hoping to get some more discussion around this issue. I still can't work out what is happening.

Question on stack exchange

http://security.stackexchange.com/questions/33757/accessing-hidden-partitons

Problem

I have two disks. They're both bootable and run Linux. When I physically mount the disks, I can see SCSI devices get added: /dev/sdb and /dev/sdc. However, the partitions are not detected. I can't see, for example, /dev/sdb1. It seems like someone has gone to a lot of effort to hide the partitions, but I don't know how.

I've tried using testdisk and it detects 2 partitions on each disk, but I know there are more than that. The partitions found are quite useless and I know there must be a boot partition. I've tried changing the disk geometry but this hasn't helped.

How can I work out how they've been hidden, and are there any suggestions on how to unhide them so that we can mount those other partitions?

EDIT: This is what is displayed during boot:

Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:0:0: [sda] 8388608 512-byte hardware sectors (4295 MB)
Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:0:0: [sda] Write Protect is off
Mar 27 12:44:11 (none) user.debug kernel: sd 0:0:0:0: [sda] Mode Sense: 61 00 00 00
Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:0:0: [sda] Cache data unavailable
Mar 27 12:44:11 (none) user.err kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Mar 27 12:44:11 (none) user.info kernel: sda:
Mar 27 12:44:11 (none) user.warn kernel: custom_partition: sda: partition 4 exceeds device capacity, using largest possible size (reduced from 5120000 to 4259840)
Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:1:0: [sdb] 167772160 512-byte hardware sectors (85899 MB)
Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:1:0: [sdb] Write Protect is off
Mar 27 12:44:11 (none) user.debug kernel: sd 0:0:1:0: [sdb] Mode Sense: 61 00 00 00
Mar 27 12:44:11 (none) user.notice kernel: sd 0:0:1:0: [sdb] Cache data unavailable
Mar 27 12:44:11 (none) user.err kernel: sd 0:0:1:0: [sdb] Assuming drive cache: write through
Mar 27 12:44:11 (none) user.info kernel: sdb: unknown partition table
Mar 27 12:44:11 (none) user.info kernel: kjournald starting. Commit interval 5 seconds
Mar 27 12:44:11 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 27 12:44:11 (none) user.info kernel: kjournald starting. Commit interval 5 seconds
Mar 27 12:44:11 (none) user.info kernel: EXT3 FS on loop1, internal journal
Mar 27 12:44:11 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 27 12:44:11 (none) user.warn kernel: Clocksource tsc unstable (delta = 607842230 ns)
Mar 27 12:44:11 (none) user.info kernel: kjournald starting. Commit interval 5 seconds
Mar 27 12:44:11 (none) user.info kernel: EXT3 FS on sda4, internal journal
Mar 27 12:44:11 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 27 12:44:11 (none) user.info kernel: Adding 1048568k swap on /dev/swap. Priority:-1 extents:1 across:1048568k
Mar 27 12:44:11 (none) user.info kernel: kjournald starting. Commit interval 5 seconds
Mar 27 12:44:11 (none) user.info kernel: EXT3 FS on sdb2, internal journal
Mar 27 12:44:11 (none) user.info kernel: EXT3-fs: mounted filesystem with ordered data mode.
Mar 27 12:44:11 (none) user.info kernel: EXT3 FS on dm-0, internal journal

I have a feeling that it's not encrypted, but it's like the partition is mapped without the partition table.

Any thoughts or ideas?
jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
 

I've tried using testdisk and it detects 2 partitions on each disk, but I know there are more than that. The partitions found are quite useless and I know there must be a boot partition. I've tried changing the disk geometry but this hasn't helped.

No.

Meaning that there is NO real need on a Linux system to have a "boot partition" (in the sense of a primary partition set "active" in the MBR partition table). Of course it depends on the bootloader/bootmanager used, but most Linux systems use GRUB or GRUB2, which do not need this.

How EXACTLY do you know there "are more" partitions?

Can you provide some more background?

Instead of what you posted, post the TESTDISK log.

jaclaz
(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
 

I have two disks. They're both bootable and run Linux. When I physically mount the disks, I can see SCSI devices get added: /dev/sdb and /dev/sdc. However, the partitions are not detected. I can't see, for example, /dev/sdb1. It seems like someone has gone to a lot of effort to hide the partitions, but I don't know how.

Not sure if I miss something here, but you either do the mounting yourself (in which case you are responsible for identifying the partitions), or you leave it to an automounter.

If you mounted the disks yourself, how did you do that? Where did you get the info from? Are you sure you did it the right way?

I've tried using testdisk and it detects 2 partitions on each disk, but I know there are more than that.

Why did you go for testdisk?

If the disks are bootable … why not use the ordinary partitioning tool? Or is there something wrong so that you have to go for data recovery tools? Is *that* the reason why you're having problems – if it is, don't expect partitions to be easy to identify.

How can I work out how they've been hidden, and are there any suggestions on how to unhide them so that we can mount those other partitions?

What have you tried? 'fdisk -l /dev/sda'? Disktype? Or gparted or something like that?

Mar 27 12:44:11 (none) user.warn kernel: custom_partition: sda: partition 4 exceeds device capacity, using largest possible size (reduced from 5120000 to 4259840)

Looks like there's something seriously wrong there – how did that happen? You can't expect that volume to mount cleanly. That's not a healthy disk.

Mar 27 12:44:11 (none) user.info kernel: sdb: unknown partition table

And looks like there's something seriously wrong there as well.

Didn't those errors mean anything to you? Or perhaps I misinterpret – I thought you were a forensic analyst with a couple of puzzling disks. But I'm wrong, amn't I?

I have a feeling that it's not encrypted, but it's like the partition is mapped without the partition table.

Then there must be a volume on the disk that can be 'mapped' – find that, and you're set. If you can't find one, it either isn't there, or it's encrypted.
(@mikebentzen)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Okay, so I didn't properly explain the problem.

I don't have access to the disks after they've booted. There is no shell access. I can't run fdisk or any other partitioning tool once the disks have booted.

Therefore, I am trying to run some tools on the disks by mounting them on a different machine.

I'll post the output of testdisk shortly.
Adam10541
(@adam10541)
Honorable Member
Joined: 14 years ago
Posts: 550
 

What tools do you have access to?
jhup
(@jhup)
Noble Member
Joined: 17 years ago
Posts: 1442
 

I presume you have imaged these drives.

I can think of about a half dozen varieties of partitioning schemes that are not available in most tools. What if it is an AIX, Sun or Amiga partitioning? Would your tool recognize it?

I usually work backwards, using the "Spock" method, when confronted with something incomprehensible (to me). Eliminate everything that you know, what remains contains your answer.
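One practical way to follow the advice in this thread (find the volume that can be "mapped", and do not rely on a tool recognizing the partition scheme) is to ignore the partition table entirely and scan the disk image for filesystem signatures. The Python below is an added example, not code posted by anyone in the thread; it builds a small constructed image with no partition table, drops an ext-style superblock and a Linux swap signature into it, then scans sector by sector and reports the byte offsets you could hand to mount's loop/offset option. The image layout (sector 20, sector 64, 8 blocks of 4 KiB) is made up for the demonstration.

```python
import struct

SECTOR = 512
EXT_SB_OFFSET = 1024       # ext2/3/4 superblock sits 1 KiB into its filesystem
EXT_MAGIC = 0xEF53         # s_magic, little-endian u16 at superblock offset 56
SWAP_PAGE = 4096
SWAP_SIG = b"SWAPSPACE2"   # last 10 bytes of the first page of a Linux swap area


def parse_ext_superblock(sb):
    """Return (block_size, blocks_count) for a plausible ext superblock, else None."""
    if len(sb) < 64 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        return None
    blocks_count = struct.unpack_from("<I", sb, 4)[0]     # s_blocks_count_lo
    log_block_size = struct.unpack_from("<I", sb, 24)[0]  # s_log_block_size
    if blocks_count == 0 or log_block_size > 6:           # sanity: 1 KiB..64 KiB blocks
        return None
    return 1024 << log_block_size, blocks_count


def scan_image(img):
    """Walk the image in 512-byte steps, ignoring any partition table, and return
    (kind, byte_offset, size_in_bytes_or_None) for every signature found."""
    hits = []
    for start in range(0, len(img) - EXT_SB_OFFSET, SECTOR):
        parsed = parse_ext_superblock(img[start + EXT_SB_OFFSET:start + EXT_SB_OFFSET + 64])
        if parsed:
            block_size, blocks_count = parsed
            hits.append(("ext", start, block_size * blocks_count))
        if img[start + SWAP_PAGE - len(SWAP_SIG):start + SWAP_PAGE] == SWAP_SIG:
            hits.append(("swap", start, None))
    return hits


def build_sample_image():
    """Constructed 64 KiB image, no partition table: ext-style volume at sector 20
    (8 blocks of 4 KiB) and a swap area at sector 64."""
    img = bytearray(64 * 1024)
    sb = bytearray(64)
    struct.pack_into("<I", sb, 4, 8)            # 8 blocks
    struct.pack_into("<I", sb, 24, 2)           # 1024 << 2 = 4096-byte blocks
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    fs_start = 20 * SECTOR
    img[fs_start + EXT_SB_OFFSET:fs_start + EXT_SB_OFFSET + 64] = sb
    swap_start = 64 * SECTOR
    img[swap_start + SWAP_PAGE - len(SWAP_SIG):swap_start + SWAP_PAGE] = SWAP_SIG
    return bytes(img)


if __name__ == "__main__":
    for kind, offset, size in scan_image(build_sample_image()):
        print(f"{kind} at byte {offset}" + (f" ({size} bytes)" if size else "")
              + f" -> mount -o loop,ro,offset={offset} disk.img /mnt/x")
```

On a real image, feed the file contents (or an mmap of it) to scan_image and verify each ext hit with dumpe2fs or fsstat before trusting its size; a custom scheme like the one in the boot log above would also show up as a volume starting at an offset no standard partition tool reports.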