In a previous post, I showed the basic use of
the Sleuth Kit’s volume tools mm-. An image of a FAT16 flash drive was used as example. But in order to learn
more details about volume analysis, it will be more helpful to know how these tools are used to parse partition information from the image.
In the example I mentioned above, mmls was used to display partitions of the image. The command and output are:
$ mmls physicalUSBraw.001
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000511 0000000512 Unallocated
02: 00:00 0000000512 0001957887 0001957376 DOS FAT16 (0x06)
From the result we know that the partition system used in this image is DOS. How does mmls know this? It knows this from Master Boot Record (MBR), namely the “Primary Table” row in the list. MBR usually locates in the first sector of the disk. It contains lots information of how the disk is partitioned. So it will be very helpful to extract it from the image alone for further analysis. Use the following command to extract the partition table and save it in a file called “MBR”.
$ dd if=physicalUSBraw.001 of=MBR count=1
The command is straightforward. The only part that needs to be explained is an argument bs=512 is omitted because 512 is the default block size value. Thus this command uses dd and export the first 512 bytes, namely the first sector of the disk image.
Then we can use xxd, a tool in Linux that used to print file in hexadecimal format to look at the content in MBR. Run xxd -u MBR. The -u option here is used to display hex values in upper case letters.
The result is:
0000000: 33C0 8ED0 BC00 7CFB 5007 501F FCBE 1B7C 3.....|.P.P....|
0000010: BF1B 0650 57B9 E501 F3A4 CBBD BE07 B104 ...PW...........
0000020: 386E 007C 0975 1383 C510 E2F4 CD18 8BF5 8n.|.u..........
0000030: 83C6 1049 7419 382C 74F6 A0B5 07B4 078B ...It.8,t.......
0000040: F0AC 3C00 74FC BB07 00B4 0ECD 10EB F288 ..<.t...........
0000050: 4E10 E846 0073 2AFE 4610 807E 040B 740B N..F.s*.F..~..t.
0000060: 807E 040C 7405 A0B6 0775 D280 4602 0683 .~..t....u..F...
0000070: 4608 0683 560A 00E8 2100 7305 A0B6 07EB F...V...!.s.....
0000080: BC81 3EFE 7D55 AA74 0B80 7E10 0074 C8A0 ..>.}U.t..~..t..
0000090: B707 EBA9 8BFC 1E57 8BF5 CBBF 0500 8A56 .......W.......V
00000a0: 00B4 08CD 1372 238A C124 3F98 8ADE 8AFC .....r#..$?.....
00000b0: 43F7 E38B D186 D6B1 06D2 EE42 F7E2 3956 C..........B..9V
00000c0: 0A77 2372 0539 4608 731C B801 02BB 007C .w#r.9F.s......|
00000d0: 8B4E 028B 5600 CD13 7351 4F74 4E32 E48A .N..V...sQOtN2..
00000e0: 5600 CD13 EBE4 8A56 0060 BBAA 55B4 41CD V......V.`..U.A.
00000f0: 1372 3681 FB55 AA75 30F6 C101 742B 6160 .r6..U.u0...t+a`
0000100: 6A00 6A00 FF76 0AFF 7608 6A00 6800 7C6A j.j..v..v.j.h.|j
0000110: 016A 10B4 428B F4CD 1361 6173 0E4F 740B .j..B....aas.Ot.
0000120: 32E4 8A56 00CD 13EB D661 F9C3 496E 7661 2..V.....a..Inva
0000130: 6C69 6420 7061 7274 6974 696F 6E20 7461 lid partition ta
0000140: 626C 6500 4572 726F 7220 6C6F 6164 696E ble.Error loadin
0000150: 6720 6F70 6572 6174 696E 6720 7379 7374 g operating syst
0000160: 656D 004D 6973 7369 6E67 206F 7065 7261 em.Missing opera
0000170: 7469 6E67 2073 7973 7465 6D00 0000 0000 ting system.....
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001b0: 0000 0000 002C 4463 BB55 B68E 0000 8001 .....,Dc.U......
00001c0: 0100 0620 0077 0002 0000 00DE 1D00 0000 ... .w..........
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 55AA ..............U.
This is the whole first sector of the flash drive and MBR. The last two bytes (510-511) of MBR make up signature value for the partition system. So in this example the signature value is 0xAA55 (recall that values are stored in little-endian order). This is a signature value for DOS partition system, which is one of the most common partition system on x86 machines.
Now that we know the type of partition system, we can use known data structure of DOS partition table to analyze how the disk is partitioned.
In DOS partition table, byte 0-445 are reserved for boot code when starting computer. The following part, which starts at byte 446 and ends at byte 509, consists of four partition table entries. Each entry can be used too designate a partition. Thus, there are at most four partitions which can be created using the partition table. But with the help of extended partition, more than four partitions can be made in DOS partition system.
To look at how partitions are allocated in this image more clearly, we can use the command below to display the partition table entries only:
$ dd if=MBR bs=1 count=64 skip=446 status=none | xxd -u
Here I set block size as 1 byte and skip the first 446 bytes. The count value is set as 64 because there are four entries, each entry is 16 bytes lone. Argument status=none is used so that only the actual data is streamed to xxd without extra output attached. The result of the command above is:
0000000: 8001 0100 0620 0077 0002 0000 00DE 1D00 ..... .w........
0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Each row in the output is one partition table entry. It is obvious that only one entry exists, meaning only one partition is allocated in this disk. Based on the data structure of one entry, we can divide this entry into six parts:
80 |
010100 |
06 |
200077 |
00020000 |
00DE1D00 |
|---|---|---|---|---|---|
| I | II | III | IV | V | VI |
Let us look at each part one by one.
Part I is bootable flag. 0x80 is set here since this is the only partition in the flash drive.
Part II and IV are the starting and ending cylinder, head, sector (CHS) address of the partition respectively. However, since CHS is not used often today, I am not going to analyze it here.
Part III is the partition type value. It designate the file system used in this partition. As you can see, this is a very important value. In this example, value 0x06 indicates FAT16, 32MB+. A complete list of file system values can be found here.
Part V of the partition table entry is the starting logical block address (LBA). LBA is the new addressing method used to replace CHS mentioned before. The little-endian value stored here is 0x200, which equals to 512 in decimal. Thus, the starting sector of this partition is 512.
The last part, part VI, indicates the size of this partition in sectors. Value stored in this example is 0x1DDE00. It equals decimal number 1957376, meaning this partition is 1957376 sectors long.
Let’s summarize our findings. From the information above, mainly part III, V and VI, we know that the file system of this partition is FAT16. The starting sector is 512. The size of this partition is 1957376 sectors. We can also calculate the ending sector based on starting sector and size. The ending sector of this partition is:
ending sector = starting sector + size - 1 = 512 + 1957376 - 1 = 1957887
So how accurate is our result? Let us compare our result with the output given by mmls tool in TSK:
Slot Start End Length Description
02: 00:00 0000000512 0001957887 0001957376 DOS FAT16 (0x06)
The two results are perfectly matched.
In summary, the example above illustrated how TSK analyze a simple partition system stored in MBR. In reality, there are more than one partitions other than DOS existed in different machines. Even for DOS partition, the partitioning schema can be much more complex than the example here if multiple partitions are created.