Data Acquisition and Verification


Recovering a Deleted Partition

Partition recovery tools work by assuming that a file system was located in each partition. Fortunately, many filesystems start with a data structure that has a constant "magic number" or signature value. For example, a FAT file system has the values 0x55 and 0xAA in bytes 510 and 511 of the first sector. The partition recovery tools search for these signature values and identify where a partition may have started.

The search mechanism of each tool may vary. Some tools examine each sector and compare it to known signatures. Other tools search only cylinder boundaries because partitions are typically created on cylinder boundaries. Others may use data from the filesystem data structures to learn how big the filesystem is and jump to the end before searching for more known data structures.

An example of a Linux tool that can be used for partition recovery is gpart. This command can identify a number of filesystem types by testing sectors and assessing which filesystem type is the most probable (ref B. Carrier, "File System Forensic Analysis").

Question 1: sigfind

First, let's search the CBarrow.dd image file for the signature value 0x55AA.

Execute the command:

  sigfind -o 510 55aa /images/CBarrow.dd

This should produce the following output:

Block size: 512  Offset: 510  Signature: 55AA
Block: 0 (-)
Block: 63 (+63)
Block: 92795 (+92732)
Block: 92796 (+1)
Block: 92797 (+1)
Block: 92798 (+1)
Block: 92799 (+1)
Block: 92800 (+1)
Block: 92801 (+1)
Block: 92802 (+1)
Block: 94839 (+2037)
Block: 94855 (+16)
Block: 237724 (+142869)
Block: 259087 (+21363)
Block: 892484 (+633397)
Block: 893170 (+686)
Block: 916360 (+23190)
Block: 917046 (+686)
Block: 2285774 (+1368728)
Block: 2294456 (+8682)
Block: 2409056 (+114600)
Block: 2495066 (+86010)
Block: 3364195 (+869129)
Block: 3473830 (+109635)
Block: 3894911 (+421081)
Block: 3894912 (+1)
Block: 3894975 (+63)
Block: 3894976 (+1)
Block: 3894977 (+1)
Block: 3894981 (+4)
Block: 3894982 (+1)
Block: 3894983 (+1)
Block: 3905831 (+10848)
error reading bytes 4999680

sigfind searches through a file and looks for the given hex signature at a given offset within each block. This can be used to search for lost boot sectors, superblocks, and partition tables.

From the output you can see that there are many matches, but most of them are not relevant to finding the partitions. What we are looking for is the signature appearing in one block (the MBR) and then appearing again 63 blocks later (the start of the partition). We can see this pattern in block 0 and block 63. This is the default structure for DOS partitions.

Locate the next occurrence of the signature where the signature then repeats 63 blocks later. At which block is there a possible MBR after block 0?

Use the dd and xxd commands to save a hexdump of the MBR to the file "/home/caine/evidence/p2.mbr".

Does this sector contain a partition table?

Is this partition active?

What is the partition type indicator? Format your answer like 0x00.

What is the partition type?

In which sector does the partition start?

What is the hex value of the partition size?

What is the partition size hex value in big-endian byte order?

What is the decimal value of that hex size?

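As an added worked example (not part of the original lab), a small Python script that performs the same search as sigfind on a constructed image, keeps only the blocks whose signature repeats 63 blocks later, and decodes each partition table entry the way Question 1 asks: active flag, type byte, start sector, and the size as the on-disk little-endian bytes, byte-swapped, and in decimal. The 200-block image, its block numbers and partition values are constructed here and are not taken from CBarrow.dd.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # bytes 510-511 of an MBR or boot sector

def sigfind(image, sig, offset, bs=SECTOR):
    """Blocks where `sig` sits at `offset` (like `sigfind -o OFFSET SIG image`)."""
    return [blk for blk in range(len(image) // bs)
            if image[blk * bs + offset:blk * bs + offset + len(sig)] == sig]

def mbr_candidates(hits, gap=63):
    """Blocks whose signature repeats `gap` blocks later: an MBR followed by
    the first partition's boot sector at the default DOS offset."""
    seen = set(hits)
    return [b for b in hits if b + gap in seen]

def parse_partition_table(sector):
    """Decode the non-empty 16-byte entries at offset 446 of an MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        raise ValueError("not a sector with a boot signature")
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i:446 + 16 * (i + 1)]
        if e == bytes(16):
            continue  # unused slot
        start, size = struct.unpack("<II", e[8:16])  # little-endian on disk
        entries.append({
            "active": e[0] == 0x80,
            "type": f"0x{e[4]:02x}",
            "start_lba": start,
            "size_le_hex": e[12:16].hex(),        # byte order as on disk
            "size_be_hex": e[12:16][::-1].hex(),  # byte-swapped, human order
            "size_sectors": size,
        })
    return entries

def build_sample_image():
    """Constructed 200-block image (not CBarrow.dd): live MBR at block 0 ->
    block 63, a stray signature at block 10, lost MBR at block 100 -> 163.
    CHS fields are left zero."""
    img = bytearray(200 * SECTOR)
    def sig(blk):
        img[blk * SECTOR + 510:blk * SECTOR + 512] = BOOT_SIG
    def entry(blk, active, ptype, start, size):
        off = blk * SECTOR + 446
        img[off:off + 16] = struct.pack("<B3xB3xII", active, ptype, start, size)
    sig(0); entry(0, 0x80, 0x0b, 63, 37); sig(63)
    sig(10)
    sig(100); entry(100, 0x00, 0x07, 163, 37); sig(163)
    return bytes(img)
```

Call sigfind(img, BOOT_SIG, 510), filter the hits with mbr_candidates, then run parse_partition_table on each candidate sector; the same three calls work on the bytes of a real image file.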

Question 2: gpart

In this question we will use gpart to verify our findings.

gpart is not installed by default in CAINE, so install it first:

  sudo apt-get install gpart

We will also be writing a repaired partition table to the CBarrow dd file. However, CBarrow.dd is read-only. You COULD copy this file, but it is over 2GB! Instead we will save a great deal of time and space by using a snapshot.

A snapshot creates a device that lets you write to a read-only file by saving the writes to a different file. This is sometimes called copy on write. In our case we only need to write a tiny amount of data (the partition table), so the snapshot file can be tiny.

Firstly create a small data file to hold the changes you will make to CBarrow.

  sudo dd if=/dev/zero of=/root/changes bs=1024 seek=2047 count=1

Next we will pretend CBarrow.dd and /root/changes are hard drives rather than just files. To do this we use loop devices. This will make CBarrow.dd look like the device /dev/loop1, and changes look like /dev/loop2.

  sudo losetup /dev/loop1 /images/CBarrow.dd
  sudo losetup /dev/loop2 /root/changes

Now check the size of /dev/loop1. You need its size in 512-byte sectors, which is what blockdev reports.

  blockdev --getsize /dev/loop1

Use this number in the following command where it says SIZE. This creates the snapshot over the extent 0..SIZE, with loop2 being the snapshot (copy-on-write store) and loop1 being the read-only data. The trailing "N 1" sets the snapshot options: N means the snapshot is non-persistent, and 1 is the chunk size in sectors.

  dmsetup create sandbox --table "0 SIZE snapshot /dev/loop1 /dev/loop2 N 1"

The writable CBarrow device is now available for use as "/dev/mapper/sandbox".

gpart is fairly clever, but it does need to know the correct disk geometry to work. On real hardware this is easy to get from the BIOS, but for image files you need to calculate it from the image itself.

Find out the C/H/S geometry (cylinders, heads, sectors per track) of the image by running fdisk on /dev/mapper/sandbox.

Run gpart and fix the disk. The command is as follows. Remember to replace CYLINDERS, HEADS and SECTORS with the values from above.

  sudo gpart -gv -C CYLINDER,HEADS,SECTORS /dev/mapper/sandbox -W /dev/mapper/sandbox

Verify you have succeeded by using mmls.

Question 3: Cleanup

Clean up all the loop devices and the snapshot by doing the following:

  sudo dmsetup remove sandbox
  sudo losetup -d /dev/loop1
  sudo losetup -d /dev/loop2



Copyright @ 2004-2012 Gordon Russell. All rights reserved.