Caine Intro to the CLI


Introduction to Caine CLI

Objectives

This is a short practical introducing the command-line forensic tools available in Caine.

Question 1: Activity 2: mmls

This activity introduces the tools needed to analyse the partitions present on a disk: mmls and fsstat.

They are part of The Sleuth Kit http://www.sleuthkit.org, which is a set of command line tools designed for digital investigations. Before using these tools, please read about them by following these links:

    mmls command

Perform an initial analysis of the disk image /images/diskimg1.dd using mmls.

What is the total size (in bytes) of the disk image according to mmls? Run mmls on /images/diskimg1.dd and look for the largest end block reported. Add 1 to that (block numbers start from 0) and multiply by the block size.
mmls /images/diskimg1.dd size (bytes):
What is the total size (in bytes) of the disk image according to ls -l? Use ls -l and report the size in bytes.
ls -l /images/diskimg1.dd size (bytes):


Using mmls on /images/diskimg1.dd, discover the partition start offset in bytes, size in bytes, and partition type as recorded in the partition table. When specifying sectors and sizes, do not include leading zeros.

Metadata slot   Start sector   Size   Partition Type
00:00
00:01
01:00

What is the block size of the largest area of unallocated disk space in /images/diskimg1.dd? Do not type any leading zeros when writing the answer in the box.
Block size:

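As an added example (not part of the original practical), the following Python reads mmls output in the slot format used here and performs the two calculations the questions above ask for: total image size from the largest End value, and the largest Unallocated area. The mmls text is constructed for illustration and is not the real output for /images/diskimg1.dd.

```python
import re

# Constructed mmls output (made-up numbers, not the real /images/diskimg1.dd layout).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000016064   0000016002   DOS FAT16 (0x04)
03:  00:01   0000016065   0000032129   0000016065   DOS Extended (0x05)
04:  Meta    0000016065   0000016065   0000000001   Extended Table (#1)
05:  -----   0000016066   0000016190   0000000125   Unallocated
06:  01:00   0000016191   0000032129   0000015939   Linux (0x83)
"""

# One table row: index, slot, start, end, length, description.
ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_mmls(text):
    """Return (unit_size, rows); each row is (slot, start, end, length, description)."""
    unit = int(re.search(r"Units are in (\d+)-byte", text).group(1))
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            slot, start, end, length, desc = m.groups()
            # int() drops the zero padding mmls prints, as the answer boxes require
            rows.append((slot, int(start), int(end), int(length), desc))
    return unit, rows

def disk_size_bytes(text):
    """Image size as the exercise computes it: (largest End + 1) * sector size."""
    unit, rows = parse_mmls(text)
    return (max(end for _, _, end, _, _ in rows) + 1) * unit

def largest_unallocated(text):
    """Length in sectors of the biggest area mmls reports as Unallocated."""
    _, rows = parse_mmls(text)
    return max(length for _, _, _, length, desc in rows if desc == "Unallocated")

def partition_table(text):
    """Entries that occupy a partition-table slot (e.g. 00:00), keyed by slot."""
    _, rows = parse_mmls(text)
    return {slot: {"start": start, "size": length, "type": desc}
            for slot, start, _, length, desc in rows if ":" in slot}
```

Compare disk_size_bytes() against `ls -l` on the image; the two agree only when mmls sees the whole image.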

Question 2: Manual verification of MBR

A disk that is organized using DOS partitions has an MBR in the first 512-byte sector. The MBR contains boot code, a partition table, and a signature value. The boot code contains the instructions that tell the computer how to process the partition table and locate the operating system. The partition table has four entries, each of which can describe a DOS partition.

The first 446 (0x1be) bytes contain boot code. The next 64 (0x40) bytes contain the four partition table entries (16 bytes each). The last 2 bytes contain the signature value 0xAA55. Because the value is stored little-endian, the bytes appear on disk in the order 0x55 0xAA.

To analyse the MBR, execute the following command:

    dd if=/images/diskimg1.dd bs=512 skip=0 count=1 | xxd

MBR Analysis:

At offset 440 (0x1b8), 4 bytes long, is the Windows disk signature. It is unique to a drive and can be considered a forensic artifact: the same value is stored in the registry under "Mounted Devices", so it can be used to match a hard drive to a computer even if the drive's data has been deleted or wiped.

What is the Windows disk signature for diskimg1.dd? Use the format "0x********", e.g. "0xffffffff". Keep it in its native (on-disk) byte order.


At offset 446, 1 byte long, is the value that states whether the partition is active. In this example the value is 0x80, which means the partition is active.

At offset 450, 1 byte long, is the partition type indicator. This tells the computer what kind of partition to expect: NTFS, FAT32, EXT2, etc. Each partition type has its own number. In this case it is 0x04, which indicates FAT16.

At offset 454, 4 bytes long, is the location of the partition: the number of sectors between block 0 and the start of the partition. In this example the bytes read 0x3F000000. After endian conversion this is 0x0000003F, or 63 in decimal, so the partition starts at sector 63.

At offset 458, for a length of 4 bytes, is the size of the first partition, in sectors.

What is the hex value of the partition size? Format your answer using lower-case hex and include the leading 0x, e.g. 0x123456.


Converting this value gives the size of the volume in sectors (not bytes or clusters).

The value first needs to be converted from little endian to big endian, and then to decimal.

What is the big-endian order of the partition size hex value? Again use a format like 0x00345678.


What is the decimal value of the hex?


Is the decimal value the same as shown in mmls command output?

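The MBR walk-through above, carried out in code as an added example (not part of the original practical): read the first sector, check the 0x55AA signature, and pull out the disk signature and each partition entry's status, type, start and size in the native, big-endian and decimal forms the questions ask for. The sample MBR is constructed for illustration (a FAT16 entry at sector 63 with a made-up size and disk signature); it is not the content of /images/diskimg1.dd.

```python
import struct

def read_mbr(path):
    """Read the first 512-byte sector of an image, like `dd if=path bs=512 count=1`."""
    with open(path, "rb") as f:
        return f.read(512)

def build_sample_mbr():
    """Constructed MBR (not the bytes of /images/diskimg1.dd): zeroed boot code, a made-up
    disk signature, and one active FAT16 entry starting at sector 63 with a made-up size."""
    mbr = bytearray(512)
    mbr[440:444] = bytes.fromhex("11223344")                 # Windows disk signature, as laid out on disk
    mbr[446:462] = struct.pack("<B3sB3sII",
                               0x80,                         # status: 0x80 = active
                               b"\x01\x01\x00",              # CHS start (ignored by LBA tools)
                               0x04,                         # type indicator: FAT16
                               b"\xfe\x3f\x03",              # CHS end (ignored)
                               63,                           # start LBA, stored little-endian
                               0x3E82)                       # size in sectors, stored little-endian
    mbr[510:512] = b"\x55\xaa"                               # 0xAA55 signature, little-endian on disk
    return bytes(mbr)

def parse_mbr(mbr):
    """Return the disk signature and the non-empty partition entries, in the forms
    the exercise asks for (native hex as xxd shows it, big-endian hex, decimal)."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                                   # entries at 446, 462, 478, 494
        status, ptype = mbr[off], mbr[off + 4]
        start_le, size_le = mbr[off + 8:off + 12], mbr[off + 12:off + 16]
        if ptype == 0:
            continue                                         # unused slot
        start, size = struct.unpack("<II", start_le + size_le)
        entries.append({
            "active": status == 0x80,
            "type": f"0x{ptype:02x}",
            "start_native": "0x" + start_le.hex(),           # e.g. 0x3f000000, as xxd prints it
            "start_sector": start,                           # after endian conversion, decimal
            "size_native": "0x" + size_le.hex(),
            "size_big_endian": f"0x{size:08x}",
            "size_sectors": size,                            # compare with the Length column of mmls
        })
    return {"disk_signature": "0x" + mbr[440:444].hex(), "partitions": entries}
```

To check a real image, pass read_mbr("/images/diskimg1.dd") to parse_mbr() and compare size_sectors with the mmls Length for slot 00:00.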

Based on the above exercise, inspect the MBR of /images/usbimg1.dd.

What is the Windows Disk signature? Again use the format 0x00000000. Keep the number in its native endian.


Is this partition active?


What is the partition type indicator? Format your answer like 0x00.


What is the partition type? Hint - use Google.


In which sector does the partition start? Give the answer in decimal after taking account of endian conversion.


What is the hex value of the partition size?


What is the big endian order of the partition hex value?


What is the decimal value of the hex?


Is the decimal value the same as shown in the mmls command output?



Copyright @ 2004-2014 Gordon Russell. All rights reserved.