Using Sleuth Kit 04 - Misleading result of mmls
01/23/2015
As the previous post showed, mmls is a very useful tool when being used to list all partitions and unallocated space on a disk. It not only shows the starting and ending sector, but also gives the information about the type of the partition. However, this piece of information could be wrong and misleading.
In the previous example, I introduced how the mmls recognizes the type of the file system of a partition. It reads the partition table record, finds the partition type flag, then determine the partition type based on the value. But the value of this flag can be modified manually, which means the mmls tool may provide wrong information about the partition type.
Let us see an experiment. In this experiment, I created a partition on a USB drive then modified the partition table record to mislead the mmls tool. This experiment is done in OpenSUSE OS with the help of YaST2 Partitioner program.
Experiment
First, I took a USB drive and delete its original partitions. Then, I created a new primary partition and formatted it with Ext4 file system.
After this, I used $ mmls /dev/sdb to list the partitions, the result was as below:
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000002047 0000002048 Unallocated
02: 00:00 0000002048 0002105343 0002103296 Linux (0x83)
03: ----- 0002105344 0015950591 0013845248 Unallocated
The partition started at offset 2048 was the one I just created. The description showed that it was a Linux partition, which is expected.
To know more about the file system of the partition, fsstat, a more delicate tool in TSK, was used. The following command was executed to analyze the target partition:
$ fsstat /dev/sdb -o 2048 > result
The result contained lots of information. Here I only listed the first few lines:
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: f8ac58959f337da99a47dfb90fb106fb
The fsstat clearly told us that the file system of this partition was Ext4.
Next, it’s time to hack the partition table. I opened YaST2 Partitioner, selected the partition just created, clicked the “Edit” button. In the following window, there was a pane named “Do not format partition” with a dropdown list. In the dropdown list, I selected “0x07 NTFS”, then continued and finished the edit.
So what happened if I use mmls to check the partition now? Run $ mmls /dev/sdb again to see:
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000002047 0000002048 Unallocated
02: 00:00 0000002048 0002105343 0002103296 NTFS (0x07)
03: ----- 0002105344 0015950591 0013845248 Unallocated
Everything stayed the same, except that the partition was now recognized as with an NTFS file system!
How did this happen? By looking at the partition table in master boot record (MBR), we were able to find out the reason very easily.
This was the partition table record before edit:
0020 2100 830D 0A83 0008 0000 0018 2000
This was the partition table record now:
0020 2100 070D 0A83 0008 0000 0018 2000
So by comparing the two values, we could figure out that the partition type flag was modified from 0x83 to 0x07 by YsST2 Partitioner. Since 0x83 stands for Linux file system and 0x07 stands for NTFS, the mmls tool showed different descriptions based on the different flag values.
So what about fsstat? Was it mislead by the edited flag value as well? Run the $ fsstat /dev/sdb -o 2048 command again:
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: f8ac58959f337da99a47dfb90fb106fb
Luckily, the fsstat tool still determine the file system of the partition correctly, not being affected by the hacking of partition table.
Summary
The file system of partitions listed in mmls result is simply based on the flag value in the partition table. It does NOT necessarily show the real file system of partitions. To determine the file system of a partition, fsstat is a more reliable tool available in The Sleuth Kit.