Hi there everyone,
OK, I have been trying to determine the offset of the file system on my usb by entering the following commands fsstat, mmls and fls. I keep getting the following errors
$ sudo fsstat -o /dev/sdc
Invalid image offset (tsk_parse invalid image offset /dev/sdc)
$ sudo mmls -o /dev/sdc
Invalid image offset (tsk_parse invalid image offset /dev/sdc)
$ fls -o /dev/sdc
Invalid image offset (tsk_parse invalid image offset /dev/sdc)
sansforensics@siftworkstation~/Desktop/Programs$
Then I have been using these commands on their own and I keep getting "Cannot determine Partition type". Like
sansforensics@siftworkstation~/Desktop/Programs$ sudo mmls /dev/sdc
Cannot determine partition type.
So I think I understand the problem. Only certain partition types such as DOS are recognized and I guess my usb stick is not one of them. The only thing I want to know is How do I fix it so that it DOES recognize it? I have looked around. Somebody mentioned something about carving? What is that supposed to do and how does one do it?
Thanks in advance,
Michael
Have a look at sector 0 with a Hex viewer. Then follow the pointers.
Traditionally a USB stick comes in 99.999% of cases as "Removable" and formatted without partitioning (i.e. "superfloppy").
In Windows you cannot normally partition a device that has the "Removable" bit set.
Nowadays newish USB3 "high end" sticks are not anymore "Usb Sticks", but rather USb-to-SATA bridges connecting to a miniaturized SSD device, hence they are set as "Fixed" and can be normally partitioned under Windows.
If you prefer, the first sector of a device coming from factory (with the exception of the mentioned USB3 "high-end" drives) is NOT normally a MBR (Master Boot Record) but rather a VBR (Volume Boot Record), and contains not a partition table, the filesystem begins at sector 0.
jaclaz
Have a look at sector 0 with a Hex viewer. Then follow the pointers.
??? What is Hex viewer?
??? What is Hex viewer?
Are you sure you are an experienced C++ programmer?
And you don't know what a Hex Viewer is? 😯
Since I presume that next issue will be about what is a MBR and what is a VBR, please go here
http//
the site is all about MBR's, VBR's, partitining tables, etc. and contains a list of suggested tools to look at them/parse them
http//
including Hex viewers/editors
http//
jaclaz
Will take a look at that. Thanks!
Another point. If I run fdisk on /dev/sdc it says
/dev/sdc does not contain a valid partition table.
Does this mean that I cannot work with it at all?
Look at the sector, then ask your question
Tools are only tools that help confirm your answer.
If the first sector is blank, then no tool will help
Go back to post #2.
Unless the stick was partitioned before, it is normally NOT partitioned, i.e. the first sector is not a MBR and thus it contains not a partition table.
As well, if the first sector is blank there is not a partition table. (and the last possibility is that the sector is not blank, and contains valid MBR code and Magic Bytes, but still has a blank partitin table).
jaclaz
OK, so I found that my Linux came with Bless Hex Editor and I opened the application. Then I clicked on the "open" icon and selected my USB drive. The problem with doing that is, my USB drive is not a FILE - it is a directory. It seems I can only open files in the Hex Editor.
I'm just not sure if using a Hex viewer is the way to solve this problem…. Are you sure about this?