Notifications

Clear all

Cannot determine partition type - Sleuthkit

MichaelStein · 2014-05-15T03:52:28Z

Hi there everyone,OK, I have been trying to determine the offset of the file system on my usb by entering the following commands fsstat, mmls and fls. I keep getting the following errors$ sudo fsstat -o /dev/sdcInvalid image offset (tsk_parse invalid image offset /dev/sdc)$ sudo mmls -o /dev/sdcInvalid image offset (tsk_parse invalid image offset /dev/sdc)$ fls -o /dev/sdcInvalid image offset (tsk_parse invalid image offset /dev/sdc)sansforensics@siftworkstation~/Desktop/Programs$Then I have been using these commands on their own and I keep getting "Cannot determine Partition type". Likesansforensics@siftworkstation~/Desktop/Programs$ sudo mmls /dev/sdcCannot determine partition type.So I think I understand the problem. Only certain partition types such as DOS are recognized and I guess my usb stick is not one of them. The only thing I want to know is How do I fix it so that it DOES recognize it? I have looked around. Somebody mentioned something about carving? What is that supposed to do and how does one do it?Thanks in advance,Michael

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jaclaz 11 years ago

19 Posts

3 Users

0 Reactions

3,961 Views

RSS

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

16/05/2014 6:54 pm

In Unix/Linux by definition "everything is a file", including your device.

If you prefer, you have to open /dev/sdc , as long as Bless can
http//home.gna.org/bless/bless-manual/ch04.html#bless-usage-files
open block devices you can also open your stick with it.

If - for any reason - the particular build of Bless/your environment/whatever has not device access, just dump the first few sectors of the device to a file with dd and use Bless on the resulting file.

Or, get a hex viewer editor that surely has device access, like (example)
http//www.wxhexeditor.org/

jaclaz

ReplyQuote

MichaelStein

(@michaelstein)

Active Member

Joined: 11 years ago

Posts: 11

Topic starter 17/05/2014 2:26 am

Ok, finally I got a hex view of the file. I would like to upload an screenshot here. Is there a way to do it?

The 0 offset is FA, then B8, etc.

ReplyQuote

MichaelStein

(@michaelstein)

Active Member

Joined: 11 years ago

Posts: 11

Topic starter 17/05/2014 2:28 am

Testing the following screenshot

MyImage

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

17/05/2014 4:57 am

Link does not work

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

17/05/2014 4:59 am

Ok, finally I got a hex view of the file. I would like to upload an screenshot here. Is there a way to do it?

The 0 offset is FA, then B8, etc.

For a partition table - if there is one - offset 0x1be is where it gets interesting

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

17/05/2014 2:57 pm

@MichaelStein
Go back to the links given in previous post.
Take as an example this page
http//thestarman.pcministry.com/asm/mbr/LILOmbr.htm
ir this one
http//thestarman.pcministry.com/asm/mbr/95BMEMBR.htm
which represent MBR's.
Look at the area which is coloured in light pink at the end of the sector, that is the Partition Table, followed by Magic Bytes 55AA.

IF (or WHEN) you will have a partition table to check, you might find of interest this little spreadsheet of mine
http//reboot.pro/topic/2959-chs-lba-translations/
http//reboot.pro/topic/2959-chs-lba-translations/#entry74116

jaclaz

ReplyQuote

MichaelStein

(@michaelstein)

Active Member

Joined: 11 years ago

Posts: 11

Topic starter 19/05/2014 8:38 am

Sorry, let's try this link

http//filesystems.996266.n3.nabble.com/file/n8606/image558.png

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

19/05/2014 2:58 pm

This a MBR, with a partition table

The critrical value is 0xee which indicates that there is an EFI structure. To decode you will need to look in the next few sectors

http//en.wikipedia.org/wiki/GUID_Partition_Table

http//www.win.tue.nl/~aeb/partitions/partition_types-1.html

The above links gives common partition ID values. Although these are correct 99% of the time, the only true indicator is the volume header record

NB Hex dumps are MUCH easier to read with a width of 0x10

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

19/05/2014 6:43 pm

@mscotgrove
No. (
You were tricked by the absurd view width of 27 bytes 😯

That data is a "normal" partition on a disk with signature 6BB07A04, FAT32 CHS mapped, non active, with CHS 0/34/27-923/73/46 LBA 2168/31281032.

No matter how "queer" is the start CHS of 0/34/27 it does correspond to LBA 2168.

The end CHS is not correspondent however to LBA 31281032, a "good" formatting program would set the end CHS to 1023/254/63, as a matter of fact the LBA 31281032 corresponds to 1947/73/46, two out of three is not that bad wink and since 1947-923=1024, it is is easy to understand how the *whatever* program that created that partition entry "wrapped around" the 1024 Cylinder limit.

It is anyway very strange that the partition id is set to 0B instead of 0C.

A program - if trusting the CHS data - might "choke" on that stick.

jaclaz

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
189 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed