Introduction to Caine CLI

This activity will introduce you to the tools required in order to analyse the partitions that are present on the disk. These tools are: mmls, and fsstat.

They are part of The Sleuth Kit http://www.sleuthkit.org, which is a set of command line tools designed for digital investigations. Before using these tools, please read about them by following these links:

    mmls command

Perform an initial analysis of the disk images /images/diskimg1.dd using mmls.

What is the total size (in Bytes) of the disk image using mmls. Report the size in bytes by using mmls on /images/diskimg1.dd, then looking for the biggest end block reported. Add 1 to that (as the block number starts from 0) and multiply by the block size.
mmls /images/diskimg1.dd size (bytes):
What is the total size (in Bytes) of the disk image. Use ls -l and report the size in bytes.
ls -l /images/diskimg1.dd size (bytes):

Using mmls on /images/diskimg1.dd, discover the partition start offset in bytes, size in bytes, and partition type as recorded in the partition table. When specifying sectors and sizes do not include leading zeros.

What is the size, in blocks, of the largest area of unallocated disk space in /images/diskimg1.dd. Do not type in any leading zeros when writing the answer in the box.
size in blocks:

A disk that is organized using DOS partitions has an MBR in the first 512-byte sector. The MBR contains boot code, a partition table, and a signature value. The boot code contains the instructions that tell the computer how to process the partition table and locate the operating system. The partition table has four entries, each of which can describe a DOS partition.

The first 446 (0x1be) bytes contain boot code. The next 64 (0x40) bytes contain four partition tables (16 bytes each). The last 2 bytes contain signature value of 0xAA55. The signature is reversed (0x55aa) due to endian ordering.

To analyse MBR execute the following command:

    dd if=/images/diskimg1.dd bs=512 skip=0 count=1 | xxd

MBR Analysis:

At offset 440 (0x1b8), for a length of 4 bytes is the Windows Disk signature. This is unique for a drive and can be considered to be a forensic artifact. This value is stored in the registry, under "Mounted Devices", and can be used to match a hard drive to a computer, even if the data has been deleted/wiped.

What is the Windows Disk signature for diskimg1.dd? Use the format "0x********", e.g. "0xffffffff". Keep it in its native endian.

At offset 446, for a length of 1 byte, is a value which states if the partition is active or not, In this example the value is set to "80" which means the partition is active.

At offset 450, for a length of 1 byte, is the partition type indicator. This tells the computer what type of partition to expect, NTFS, FAT32, EXT2, etc. Each partition type has its own unique number. In this case it is 0x04, which indicates FAT16.

At offset 454 the location of the partition is given. These 4 bytes at offset 454 states the number of sectors before the start of the partition from block 0. In this example, the value is 0x3F000000. After endian converstion this is 0x0000003F in hex or 63 in decimal. This means that the partition starts at sector 63.

At offset 458, for a length of 4 bytes, is the size of the first partition, in sectors.

What is the hex value of the partition size? Format you answer using lower case hex and include the leading 0x, e.g. 0x123456.

Conversion of this value will provide the size of the volume in sectors (not bytes or clusters).

This value first needs to be converted from little endian to big endian and then it needs to be converted in to decimal.

What is the big endian order of the partition hex value?? Again use a format like 0x00345678

What is the decimal value of the hex?

Is the decimal value the same as shown in mmls command output?
yes no

Based on the above exercise inspect the MBR of /images/usbimg1.dd.

What is the Windows Disk signature? Again use the format 0x00000000. Keep the number in its native endian.

Is this partition active?
yes no

What is the partition type indicator? Format your answer like 0x00.

What is the partition type? Hint - use Google. hidden fat16 fat16 fat32 Novell Netware NTFS Linux Linux Swap

In which sector does the partition start? Show the data in decimal after taking account of endian conversions.

What is the hex value of the partition size?

What is the big endian order of the partition hex value?

What is the decimal value of the hex?

Is the decimal value same as shown in mmls command output? yes no