fiwalk doesn't find file system


slo.s...@gmail.com

May 20, 2009, 4:52:03 PM
to aff-discuss
I used fiwalk on an Apple Nano, but it didn't find the filesystem:

# fiwalk /tmp/erics_ipod.aff
Imagefile: /tmp/erics_ipod.aff
fiwalk_version: 0.5.2
Start_time: Wed May 20 13:02:04 2009
tsk_version: 3.0.1
aff_version: 3.3.6
sectorsize: 1024
pagesize: 16777216
acquisition_seconds: 1177
# fs start: 0
TSK_Error: Cannot determine file system type
# fs start: 32256
TSK_Error: Cannot determine file system type
# fs start: 512
TSK_Error: Cannot determine file system type
# fs start: 1024
TSK_Error: Cannot determine file system type
# fs start: 1536
TSK_Error: Cannot determine file system type
# fs start: 2048
TSK_Error: Cannot determine file system type
# fs start: 2560
TSK_Error: Cannot determine file system type
# fs start: 3072
TSK_Error: Cannot determine file system type
# fs start: 3584
TSK_Error: Cannot determine file system type
# fs start: 4096
TSK_Error: Cannot determine file system type
# fs start: 4608
TSK_Error: Cannot determine file system type
# fs start: 5120
TSK_Error: Cannot determine file system type
# fs start: 5632
TSK_Error: Cannot determine file system type
# fs start: 6144
TSK_Error: Cannot determine file system type
# fs start: 6656
TSK_Error: Cannot determine file system type
# fs start: 7168
TSK_Error: Cannot determine file system type
# fs start: 7680
TSK_Error: Cannot determine file system type
# fs start: 8192
TSK_Error: Cannot determine file system type
# fs start: 8704
TSK_Error: Cannot determine file system type
# fs start: 9216
TSK_Error: Cannot determine file system type
# fs start: 9728
TSK_Error: Cannot determine file system type
# fs start: 10240
TSK_Error: Cannot determine file system type
# fs start: 10752
TSK_Error: Cannot determine file system type
# fs start: 11264
TSK_Error: Cannot determine file system type
# fs start: 11776
TSK_Error: Cannot determine file system type
# fs start: 12288
TSK_Error: Cannot determine file system type
# fs start: 12800
TSK_Error: Cannot determine file system type
# fs start: 13312
TSK_Error: Cannot determine file system type
# fs start: 13824
TSK_Error: Cannot determine file system type
# fs start: 14336
TSK_Error: Cannot determine file system type
# fs start: 14848
TSK_Error: Cannot determine file system type
# fs start: 15360
TSK_Error: Cannot determine file system type
# fs start: 15872
TSK_Error: Cannot determine file system type
# fs start: 16384
TSK_Error: Cannot determine file system type
# fs start: 16896
TSK_Error: Cannot determine file system type
# fs start: 17408
TSK_Error: Cannot determine file system type
# fs start: 17920
TSK_Error: Cannot determine file system type
# fs start: 18432
TSK_Error: Cannot determine file system type
# fs start: 18944
TSK_Error: Cannot determine file system type
# fs start: 19456
TSK_Error: Cannot determine file system type
# fs start: 19968
TSK_Error: Cannot determine file system type
# fs start: 20480
TSK_Error: Cannot determine file system type
# fs start: 20992
TSK_Error: Cannot determine file system type
# fs start: 21504
TSK_Error: Cannot determine file system type
# fs start: 22016
TSK_Error: Cannot determine file system type
# fs start: 22528
TSK_Error: Cannot determine file system type
# fs start: 23040
TSK_Error: Cannot determine file system type
# fs start: 23552
TSK_Error: Cannot determine file system type
# fs start: 24064
TSK_Error: Cannot determine file system type
# fs start: 24576
TSK_Error: Cannot determine file system type
# fs start: 25088
TSK_Error: Cannot determine file system type
# fs start: 25600
TSK_Error: Cannot determine file system type
# fs start: 26112
TSK_Error: Cannot determine file system type
# fs start: 26624
TSK_Error: Cannot determine file system type
# fs start: 27136
TSK_Error: Cannot determine file system type
# fs start: 27648
TSK_Error: Cannot determine file system type
# fs start: 28160
TSK_Error: Cannot determine file system type
# fs start: 28672
TSK_Error: Cannot determine file system type
# fs start: 29184
TSK_Error: Cannot determine file system type
# fs start: 29696
TSK_Error: Cannot determine file system type
# fs start: 30208
TSK_Error: Cannot determine file system type
# fs start: 30720
TSK_Error: Cannot determine file system type
# fs start: 31232
TSK_Error: Cannot determine file system type
# fs start: 31744
TSK_Error: Cannot determine file system type
# TSK Error (do_dimage) (null)
# clock: 0
usage_user_seconds: 0
usage_system_seconds: 0
usage_maxrss: 0
usage_reclaims: 8429
usage_faults: 0
usage_swaps: 0
usage_inputs: 0
usage_outputs: 0
stop_time: Wed May 20 13:02:04 2009
# =EOF=

I located the filesystem at:

# fls -o192780 /tmp/erics_ipod.aff
r/r 3: ERIC'S IPOD (Volume Label Entry)
d/d 5: iPod_Control
d/d 7: Contacts
d/d 9: Calendars
d/d 11: Notes
v/v 123316739: $MBR
v/v 123316740: $FAT1
v/v 123316741: $FAT2
d/d 123316742: $OrphanFiles

Curiously, this doesn't jibe with the partition table:

# mmls -t dos /tmp/erics_ipod.aff
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000041 0000000042 Unallocated
02: 00:00 0000000042 0001981307 0001981266 Win95 FAT32 (0x0B)
03: ----- 0001981308 0007929855 0005948548 Unallocated

I had to find the filesystem with sigfind -t fat on the device (Sector
42, as indicated in mmls, is all zeros):

# sigfind -t fat /dev/sdb
Block size: 512 Offset: 510 Signature: 55AA
Block: 0 (-)
Block: 252 (+252)
Block: 33066 (+32814)
Block: 192780 (+159714)
...

In this case, block 252 has pointers to an empty fat16 file system
(TSK displays $MBR, $FAT1, $FAT2, $ORPHANFILES only). Block 33066 is
a false hit, block 192780 starts the filesystem.

Another curiosity is that using sigfind on the image produces a
different result:

# sigfind -t fat /tmp/erics_ipod.aff
Block size: 512 Offset: 510 Signature: 55AA
Block: 17546 (-)
Block: 277831 (+260285)
Block: 324701 (+46870)
Block: 429814 (+105113)
...

I presume this is because sigfind does not parse the image but is just
seeing it as a raw file.

Is there a way to point fiwalk at the filesystem if it is not
autodetected?

Simson Garfinkel

May 20, 2009, 6:00:18 PM
to aff-d...@googlegroups.com
Does your version of TSK have support for HFS enabled?

John Lehr

May 20, 2009, 6:22:40 PM
to aff-d...@googlegroups.com
Hi Simson,

This is a fat32 device enabled for windows.  I don't currently have HFS enabled however.  I will recompile and test.

John Lehr

May 20, 2009, 6:46:10 PM
to aff-d...@googlegroups.com
Hi Simson,

As expected, HFS support in TSK made no difference.

Simson Garfinkel

May 20, 2009, 8:20:44 PM
to aff-d...@googlegroups.com
Hi, John.  fiwalk is using TSK for partition discovery.  Can you run "mmls" on the partition and send us the results? Do you think that erics_ipod.aff is partitioned with GPT? TSK is having problems with those.

John Lehr

May 21, 2009, 1:59:39 PM
to aff-d...@googlegroups.com
Hi Simson,

Caveat before we continue: I have been working on a bash script to automate processing of iPods to determine true ownership in cases of theft.  Erics_ipod is a test device that I have been using.  It broke yesterday (would not boot nor mount) and I had to restore the device, but I chose to do so in order that we may discuss a mountable device and forensic image of the mountable device.

What I'm trying to say in a long winded way is: don't compare the following output with previous output in my earlier messages. The data in my initial email (mmls, fls offset, etc) no longer apply, but the issues are the same.

MMLS OUTPUT:

# mmls /dev/sdc
Cannot determine partition type

# mmls  -t mac /dev/sdc
Invalid magic value (Mac partition table entry (Sector: 1) 0)

# mmls  -t sun /dev/sdc
Invalid magic value (SUN (intel) partition table (Sector: 0) 0)

# mmls  -t bsd /dev/sdc
Invalid magic value (BSD partition table (magic #1) (Sector: 1) 0)

# mmls -t dos /dev/sdc

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000048194   0000048132   Empty (0x00)
03:  00:01   0000048195   0001982462   0001934268   Win95 FAT32 (0x0B)
04:  -----   0001982463   0007929855   0005947393   Unallocated

# mmls  /dev/sdc2
Cannot determine partition type

# mmls -t dos /dev/sdc2
Invalid magic value (dos_load_prim_table: No valid entries in primary table)

mmls of the aff image results in the same output.  Now some really interesting differences:

# fls -o48195 /dev/sdc    ### offset determined from mmls

Cannot determine file system type

# fls /dev/sdc2

r/r 3:    ERIC'S IPOD (Volume Label Entry)
d/d 5:    iPod_Control
d/d 7:    Contacts
d/d 9:    Calendars
d/d 11:    Notes
v/v 123549443:    $MBR
v/v 123549444:    $FAT1
v/v 123549445:    $FAT2
d/d 123549446:    $OrphanFiles

# sigfind -t fat /dev/sdc

Block size: 512  Offset: 510  Signature: 55AA
Block: 0 (-)
Block: 299 (+299)
Block: 33066 (+32767)
Block: 192780 (+159714)
Block: 192784 (+4)
Block: 192788 (+4)
Block: 192804 (+16)
Block: 192808 (+4)
Block: 192812 (+4)
...

root@eee:~# fls -o192780 /dev/sdc      ### offset determined from sigfind
r/r 3:    ERIC'S IPOD (Volume Label Entry)
d/d 5:    iPod_Control
d/d 7:    Contacts
d/d 9:    Calendars
d/d 11:    Notes
v/v 123549443:    $MBR
v/v 123549444:    $FAT1
v/v 123549445:    $FAT2
d/d 123549446:    $OrphanFiles

A view into the sectors:

# xxd -s 24675840 -l 512 /dev/sdc2     ### Sector 48195 f
1788600: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788610: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788620: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788630: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788640: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788650: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788660: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788670: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788680: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788690: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17886f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788700: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788710: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788720: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788730: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788740: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788750: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788760: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788770: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788780: 0000 0000 0000 0000 0000 0000 0000 0000  ................
1788790: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
17887f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

# xxd -l 512 /dev/sdc2
0000000: eb3c 902a 554f 4b4a 4948 4300 0802 2000  .<.*UOKJIHC... .
0000010: 0200 0000 00f8 0000 3f00 ff00 43bc 0000  ........?...C...
0000020: bc83 1d00 6007 0000 0000 0000 0200 0000  ....`...........
0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 2963 efa4 b649 504f 4420 2020 2020  ..)c...IPOD    
0000050: 2020 4641 5433 3220 2020 0e1f be5b 7cac    FAT32   ...[|.
0000060: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
0000070: e4cd 16cd 19eb fe7b 7b7e 7e7c 2053 2054  .......{{~~| S T
0000080: 204f 2050 207c 2054 6869 7320 6973 2041   O P | This is A
0000090: 7070 6c65 2069 506f 6420 6e6f 7420 6120  pple iPod not a
00000a0: 626f 6f74 6162 6c65 2064 6973 6b2e 506c  bootable disk.Pl
00000b0: 6561 7365 2074 7279 2061 6761 696e 202e  ease try again .
00000c0: 2e2e 2000 0000 0000 0000 0000 0000 0000  .. .............
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

# xxd -s 98703360 -l 512 /dev/sdc
5e21800: eb3c 902a 554f 4b4a 4948 4300 0802 2000  .<.*UOKJIHC... .
5e21810: 0200 0000 00f8 0000 3f00 ff00 43bc 0000  ........?...C...
5e21820: bc83 1d00 6007 0000 0000 0000 0200 0000  ....`...........
5e21830: 0100 0600 0000 0000 0000 0000 0000 0000  ................
5e21840: 0000 2963 efa4 b649 504f 4420 2020 2020  ..)c...IPOD    
5e21850: 2020 4641 5433 3220 2020 0e1f be5b 7cac    FAT32   ...[|.
5e21860: 22c0 740b 56b4 0ebb 0700 cd10 5eeb f032  ".t.V.......^..2
5e21870: e4cd 16cd 19eb fe7b 7b7e 7e7c 2053 2054  .......{{~~| S T
5e21880: 204f 2050 207c 2054 6869 7320 6973 2041   O P | This is A
5e21890: 7070 6c65 2069 506f 6420 6e6f 7420 6120  pple iPod not a
5e218a0: 626f 6f74 6162 6c65 2064 6973 6b2e 506c  bootable disk.Pl
5e218b0: 6561 7365 2074 7279 2061 6761 696e 202e  ease try again .
5e218c0: 2e2e 2000 0000 0000 0000 0000 0000 0000  .. .............
5e218d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e218e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e218f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21900: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21910: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21920: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21930: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21940: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21950: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21960: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21970: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21980: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e21990: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
5e219f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.

Finally, mmls is not inconsistent with fdisk:

# fdisk -lu /dev/sdc
Note: sector size is 2048 (not 512)

Disk /dev/sdc: 4060 MB, 4060086272 bytes
103 heads, 42 sectors/track, 458 cylinders, total 1982464 sectors
Units = sectors of 1 * 2048 = 2048 bytes
Disk identifier: 0x20202020

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1              63       48194       96264    0  Empty
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(0, 1, 1) logical=(0, 1, 22)
Partition 1 has different physical/logical endings:
     phys=(2, 254, 63) logical=(11, 14, 21)
Partition 1 does not end on cylinder boundary.
/dev/sdc2           48195     1982462     3868536    b  W95 FAT32
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(3, 0, 1) logical=(11, 14, 22)
Partition 2 has different physical/logical endings:
     phys=(123, 102, 42) logical=(458, 27, 21)
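
Added example, not code from the thread or from TSK/fiwalk: a Python decoder for the FAT32 BIOS Parameter Block, fed the boot-sector bytes from the xxd dump of /dev/sdc2 above. The BPB's own bytes-per-sector field reads 2048 and its hidden-sectors field reads 48195, and 48195 × 2048 = 192780 × 512 = 98703360, the byte offset passed to xxd -s; the sanity checks also show how a block that merely ends in 55AA (such as the false hit at 33066) differs from a real boot sector. Bytes after offset 0x60 are replaced with zero padding plus the signature, which does not affect the BPB fields.

```python
import struct

# Constructed from the xxd dump of /dev/sdc2 above: the first 0x60 bytes of the
# FAT32 boot sector, then zero padding in place of the boot code and "not a
# bootable disk" message, then the 0x55AA signature at offset 510.
BOOT_SECTOR_HEAD = bytes.fromhex(
    "eb3c902a554f4b4a4948430008022000"
    "0200000000f800003f00ff0043bc0000"
    "bc831d00600700000000000002000000"
    "01000600000000000000000000000000"
    "00002963efa4b649504f442020202020"
    "202046415433322020200e1fbe5b7cac"
)
IPOD_BOOT_SECTOR = BOOT_SECTOR_HEAD.ljust(510, b"\x00") + b"\x55\xaa"

def parse_fat32_bpb(sector):
    """Decode the BPB fields a tool needs to locate and size a FAT32 volume."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    # Offsets 11..39 hold the common BPB; offset 44 is the FAT32 root cluster.
    fields = struct.unpack_from("<HBHBHHBHHHIII", sector, 11)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "num_fats", "root_entries", "total_sectors16", "media",
             "fat_size16", "sectors_per_track", "heads", "hidden_sectors",
             "total_sectors32", "fat_size32")
    bpb = dict(zip(names, fields))
    bpb["root_cluster"] = struct.unpack_from("<I", sector, 44)[0]
    bpb["label"] = sector[71:82].decode("ascii", "replace").rstrip()
    bpb["fs_type"] = sector[82:90].decode("ascii", "replace").rstrip()
    return bpb

def looks_like_fat_bpb(sector):
    """Separate a real FAT boot sector from any block that merely ends in 55AA
    (sigfind reports MBRs and random data too, as block 33066 shows above)."""
    try:
        b = parse_fat32_bpb(sector)
    except ValueError:
        return False
    return (b["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and b["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and b["reserved_sectors"] > 0 and b["num_fats"] in (1, 2)
            and b["media"] >= 0xF0
            and (b["total_sectors16"] or b["total_sectors32"]) != 0)

def volume_byte_offset(bpb):
    """Where the volume starts on the disk according to the BPB itself: hidden
    sectors are counted in the volume's own sector size, not in 512-byte units."""
    return bpb["hidden_sectors"] * bpb["bytes_per_sector"]

if __name__ == "__main__":
    bpb = parse_fat32_bpb(IPOD_BOOT_SECTOR)
    off = volume_byte_offset(bpb)
    print(f"{bpb['fs_type']} '{bpb['label']}': {bpb['bytes_per_sector']}-byte sectors, "
          f"device sector {bpb['hidden_sectors']} = byte {off} = 512-byte sector {off // 512}")
```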

John Lehr

May 22, 2009, 1:14:08 AM
to aff-d...@googlegroups.com
Hi Simson, I don't know if this helps, but I think I've determined the source of the discrepancy between linux automount/autodetecting the filesystem and the partition output of fdisk/mmls.  It looks like the device and partitions are correctly detected by sysfs and correct partition information is recorded in the /sys/block tree.  I don't yet understand sysfs and how it probes the device for partitions and filesystems, but the answer likely lies there.

John

Simson Garfinkel

May 22, 2009, 1:18:17 AM
to aff-d...@googlegroups.com
John,

Since these are clearly TSK bugs, and not fiwalk bugs, you should
probably send them to the tsk mailing list or to Brian Carrier
directly. Until then, you can have fiwalk run on the partitions and
not on the raw device.

Regards,

Simson


John Lehr

May 22, 2009, 1:35:33 AM
to aff-d...@googlegroups.com
Hi Simson,

I'll do that: I'll post this to the tsk listserv.  Thanks.

John