Master Boot Record


Introduction to Caine CLI


Objectives

This is a mini practical on an introduction to the command line Caine tools.

Question 1: Activity 2: mmls

This activity introduces the tools needed to analyse the partitions present on a disk image: mmls and fsstat.

They are part of The Sleuth Kit http://www.sleuthkit.org, which is a set of command line tools designed for digital investigations. Before using these tools, please read about them by following these links:

    mmls command

Perform an initial analysis of the disk images /images/diskimg1.dd using mmls.

What is the total size (in bytes) of the disk image according to mmls? Run mmls on /images/diskimg1.dd and find the largest end block reported. Add 1 to that value (block numbers start at 0) and multiply by the block size.
mmls /images/diskimg1.dd size (bytes):
What is the total size (in bytes) of the disk image according to ls? Use ls -l and report the size in bytes.
ls -l /images/diskimg1.dd size (bytes):


Using mmls on /images/diskimg1.dd, discover the partition start offset in bytes, size in bytes, and partition type as recorded in the partition table. When specifying sectors and sizes do not include leading zeros.

Metadata slot | Start sector | Size | Partition Type
000:000       |              |      |
000:001       |              |      |
001:000       |              |      |

What is the size, in blocks, of the largest area of unallocated disk space in /images/diskimg1.dd? Do not type any leading zeros when writing the answer in the box.
size in blocks:


Question 2: Manual verification of MBR

A disk that is organized using DOS partitions has an MBR in the first 512-byte sector. The MBR contains boot code, a partition table, and a signature value. The boot code contains the instructions that tell the computer how to process the partition table and locate the operating system. The partition table has four entries, each of which can describe a DOS partition.

The first 446 (0x1be) bytes contain boot code. The next 64 (0x40) bytes contain the four partition table entries (16 bytes each). The last 2 bytes contain the signature value 0xAA55, which appears on disk as the byte sequence 55 aa because the value is stored little-endian.

To analyse the MBR, execute the following command:

    dd if=/images/diskimg1.dd bs=512 skip=0 count=1 | xxd

MBR Analysis:

At offset 440 (0x1b8), for a length of 4 bytes, is the Windows disk signature. This is unique to a drive and can be considered a forensic artifact. Windows stores this value in the registry under "MountedDevices", so it can be used to match a hard drive to a computer, even if the drive's data has been deleted or wiped.

What is the Windows Disk signature for diskimg1.dd? Use the format "0x********", e.g. "0xffffffff". Keep it in its native endian.


At offset 446, for a length of 1 byte, is a value which states whether the partition is active or not. In this example the value is "80", which means the partition is active (bootable).

At offset 450, for a length of 1 byte, is the partition type indicator. This tells the computer what type of partition to expect, NTFS, FAT32, EXT2, etc. Each partition type has its own unique number. In this case it is 0x04, which indicates FAT16.

At offset 454 the location of the partition is given. These 4 bytes state the number of sectors between block 0 and the start of the partition. In this example the bytes on disk read 0x3F000000. After endian conversion this is 0x0000003F in hex, or 63 in decimal, so the partition starts at sector 63.

At offset 458, for a length of 4 bytes, is the size of the first partition, in sectors.

What is the hex value of the partition size, as the bytes appear on disk? Format your answer using lower case hex and include the leading 0x, e.g. 0x123456.


Conversion of this value will provide the size of the volume in sectors (not bytes or clusters).

This value first needs to be converted from little endian to big endian, and then converted to decimal.

What is the big endian order of the partition size hex value? Again use a format like 0x00345678.


What is the decimal value of the hex?


Is the decimal value the same as the partition length shown in the mmls output?
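The manual walk through the partition entry above (status byte, type byte, little-endian start and size) can be automated so the result is cross-checked against mmls. This is an added example, not part of the Linuxzoo exercise; the 512-byte sector it parses is constructed inline (disk signature and partition size are made-up values, the start sector 63 and type 0x04 follow the text), and read_mbr() is a hypothetical helper for running it against a real image such as /images/diskimg1.dd.

```python
import struct

# Constructed 512-byte MBR sector (NOT taken from diskimg1.dd): one active
# FAT16 (0x04) partition starting at sector 63 and 0x0001e3c3 sectors long.
MBR = bytearray(512)
MBR[440:444] = bytes.fromhex("12345678")  # constructed Windows disk signature
MBR[446:462] = bytes.fromhex("80 01 01 00 04 0f 3f 7b 3f 00 00 00 c3 e3 01 00")
MBR[510:512] = b"\x55\xaa"                # stored as 55 aa, reads as 0xAA55

def parse_mbr(sector: bytes) -> dict:
    """Decode the MBR fields the exercise asks for from one raw 512-byte sector."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, 510)[0]   # little-endian read
    if sig != 0xAA55:
        raise ValueError(f"bad MBR signature 0x{sig:04x}")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                           # 16-byte entries at 0x1be
        status, ptype = sector[off], sector[off + 4]
        start_raw = sector[off + 8:off + 12]         # bytes as they sit on disk
        size_raw = sector[off + 12:off + 16]
        if ptype == 0 and size_raw == b"\0\0\0\0":
            continue                                  # empty slot
        start, size = struct.unpack("<II", start_raw + size_raw)
        entries.append({
            "slot": i,
            "active": status == 0x80,
            "type": f"0x{ptype:02x}",
            "start_native_hex": "0x" + start_raw.hex(),   # e.g. 0x3f000000
            "start_sector": start,                         # e.g. 63
            "size_native_hex": "0x" + size_raw.hex(),
            "size_big_endian_hex": f"0x{size:08x}",
            "size_sectors": size,                          # compare with mmls length
            "size_bytes": size * 512,
        })
    return {"disk_signature": "0x" + sector[440:444].hex(), "partitions": entries}

def read_mbr(path: str) -> dict:
    """Hypothetical helper: the same as `dd bs=512 count=1` followed by parsing."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(512))

if __name__ == "__main__":
    for field, value in parse_mbr(bytes(MBR)).items():
        print(field, value)
```

The "size_sectors" value should equal the Length column mmls prints for the same partition; if it does not, the partition table and the tool disagree and the entry deserves a closer look.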


Based on the above exercise inspect the MBR of /images/usbimg1.dd.

What is the Windows Disk signature? Again use the format 0x00000000. Keep the number in its native endian.


Is this partition active?


What is the partition type indicator? Format your answer like 0x00.


What is the partition type? Hint - use Google.


In which sector does the partition start? Show the data in decimal after taking account of endian conversions.


What is the hex value of the partition size?


What is the big endian order of the partition hex value?


What is the decimal value of the hex?


Is the decimal value the same as the partition length shown in the mmls output?




Linuxzoo created by Gordon Russell.
© Copyright 2004-2024 Edinburgh Napier University