Forensics
Re: Disk drive without a partition table? Nov 22 2006 07:26PM
Greg Freemyer (greg freemyer gmail com)
Brian,

Thanks for the pointer.

gpart found my missing partition and I now have it mounted.

Greg

On 11/20/06, Brian Carrier <carrier (at) digital-evidence (dot) org [email concealed]> wrote:
> You could use tools such as gpart or testdisk to search the drive for
> file system signatures to determine if there are file systems on the
> disk and where they begin / end.
>
>
> brian
>
> Greg Freemyer wrote:
> > Brian,
> >
> > Maybe you could help me out an another issue.
> >
> > I have a 80MB drive last used in 1997 or so that is believed to have
> > Linux on it.
> >
> > Looking at sector 0 of the drive I have the 55AA signature at the end,
> > so I'm pretty sure it is a valid non-corrupted drive. The trouble is
> > I have non-standard boot sector code and there is not a traditional
> > partition table present. I have the sluethkit and tried mmls, but
> > none of the partition tables it supports appear to be present either.
> >
> > Looking through the image with a hex editor it appears to have a
> > compressed linux kernel that it loads in first and I don't know what
> > happens after that. Reminds me of how a bootable Linux CD is setup
> > today, but I'm not real familiar with the details of that.
> >
> > I've tried to restore it to a properly setup clone. ie. Same
> > Cylinders/Heads/Sectors I can't get the clone to boot at this point,
> > but the oldest machine I've tried is a PII. Maybe an older PC would
> > work (assuming the architecture is Intel. I don't know that.)
> >
> > Do you have any thoughts or tools that might help me get access to
> > this drive? Or at least determine if the drive is uncorrupted vs.
> > corrupted.
>

--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus