I've been working on some sample images and noticed an error in one of my Sleuth Kit tool outputs. I'm curious if anyone else has had an error similar to this or could explain why this may be happening? (The syntax and truncated output is below)
lubuntu@Virtual-Box~/Desktop$ mmls test.dd
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectorsSlot Start End Length Description
000 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001 ——- 0000000000 0000002047 0000002048 Unallocated
002 000000 0000002048 0000034815 0000032768 Linux (0x83)
003 000001 0000034816 0000100351 0000065536 NTFS / exFAT (0x07)
004 ——- 0000100352 0000100999 0000000648 Unallocated
lubuntu@Virtual-Box~/Desktop$ fsstat -o 2048 test.dd
FILE SYSTEM INFORMATION
——————————————–
File System Type FAT16OEM Name mkfs.fat
Volume ID 0x1358cd0d
Volume Label (Boot Sector) NO NAME
Volume Label (Root Directory)
File System Type Label FAT16
00000000 eb3c 906d 6b66 732e 6661 7400 0204 0100 .<.mkfs.fat…..
00000010 0200 0200 80f8 2000 3e00 7c00 0008 0000 …… .>.|…..
00000020 0000 0000 8000 290d cd58 134e 4f20 4e41 ……)..X.NO NA
00000030 4d45 2020 2020 4641 5431 3620 2020 0e1f ME FAT16 ..
So why would mmls think it was a Linux partition when it clearly wasn't? Especially if fsstat caught it and if you look at the hex dump it's obviously FAT16. I put a link to the image file below for those interested. I will leave it up for one week. If anyone wants it after that, PM me.
https://
So why would mmls think it was a Linux partition when it clearly wasn't?
mmls reports/interprets the information ("Linux (0x83)") found in a partition table entry. It a) reports the partition type code found in the entry. That code is 0x83.. Then b) looks up that code in some table, such as that presented by the Wikipedia page (https://
The contents of that partition is, as you note, a FAT16 file system.
Partition id codes have only a weak connection to actual contents of the partition. The partition id code is sometimes more an artifact of the partitioning software used to create the entry than anything else. Or, if that software allows you to set your own partition ids, of what some user thought was reasonable, or what error the user made at the time. It *might* be an artifact of some Linux partitioning tool that sets all partitions it creates to 0x83, but that's just a wide speculation.
At the end of the day, it's just a byte value, and can be set to anything (except perhaps 0, which sometimes is used to indicate an unused table entry). The question is rather is there any software that uses the contents of this byte to make decisions about how it should intrpret the content of the partition? And for what ids does it do so?
Partition creation and file system creation are not necessarily connected. What once may have been a Linux file system, might have been reformatted as a FAT16 file system at a later point in time. That would not change the partition table entry, only the contents of the sectors allocated to that partition.
That makes it dangerous to lock on partition table id for interpretation. It might have been safe back when Microsoft was the only company doing file systems on MBR-formatted disks. Today, it could mean disaster.
So … there's no clear error on the part of Sleuthkit/mmls it reports what it sees. It's up to the analyst to do the anlysis of any (apparent) anomalies. It might, though, be slightly preferable to report partition type as "0x83 (Linux)", i.e. to make it clearer what information is absolute (i.e. 0x83), and what information is an interpretation (i.e. Linux).
I think all this is covered in Brian Carrier's book on file system forensics. If you haven't got a copy, I can strongly recommend getting one.
Have a copy of the book (learn something new each time I read it)
You answer make a lot of sense and as I was unaware of how mmls was collecting that data specifically. I was unsure if it was an error in the tool or an alteration in the image.
Turns out the partition type code was intentionally altered. (which I confirmed through other investigation) This was the first time they did not match so it threw me off a bit.
I would add that the original idea of partition type codes (though not originally explained/documented) is that of a "protective ID".
The (Microsoft) Operating Systems only know about certain partition types and if you use another partition ID won't even attempt to use/mount that partition entry (and corresponding volume).
For years we have been told that 0x07 meant HPFS or NTFS partition, but in reality what that meant was "this partition entry cannot be accessed by DOS or Windows 9x/Me).
Nowadays 0x07 can be also (besides HPFS and NTFS) exFAT/TexFAT and UDF.
The "new" UEFI standards made this definitely clear with the GPT sub-standard that introduces 0xEE as a protective partition type.
Also, Linux is different and - just for the record - it usually "accepts" also the 0x00 partition ID type, as a matter of fact this feature is largely used to boot on USB devices some (particularly pesky) Linux distro's (LiveCD's) from their .iso images, JFYI
http//
jaclaz