Volume Analysis

Procedure.

  • performed automatically by tools most of the time.

    • except if corruption has occurred.

  • steps that must be performed (by software or manually):

    • read partition table.

    • identify the partition layout (start and end sectors).

    • analyze the unallocated space – it may contain data from a previous OS.

Consistency checks

  • does the last partition end at the end of the parent volume?

  • are the partitions consecutive?

  • is there any overlap between partitions?

    • may happen if the partition table is corrupted.
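The three checks above, applied to a parsed partition table. This is an added example, not part of the original notes. It assumes a classic MBR (DOS) partition table with 512-byte sectors, which the notes do not specify; the function names and the sample volume are constructed for illustration.

```python
import struct

SECTOR = 512  # assumed sector size

def read_mbr(sector0):
    """Parse the four primary entries of an MBR: [(type, first, last)]."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55 0xAA signature: table absent or corrupted")
    parts = []
    for i in range(4):
        # Each 16-byte entry: type at byte 4, start LBA at 8, sector count at 12.
        ptype = sector0[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", sector0, 446 + 16 * i + 8)
        if ptype != 0 and count > 0:
            parts.append((ptype, start, start + count - 1))
    return parts

def check_layout(parts, total_sectors):
    """Run the consistency checks; return (kind, first_sector, last_sector) findings."""
    findings = []
    cursor = 1  # sector 0 holds the partition table itself
    for _ptype, first, last in sorted(parts, key=lambda p: p[1]):
        if last >= total_sectors:
            findings.append(("beyond_volume", first, last))
        if first < cursor:      # starts inside an earlier partition
            findings.append(("overlap", first, min(last, cursor - 1)))
        elif first > cursor:    # not consecutive: a gap worth examining
            findings.append(("unallocated", cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor < total_sectors:  # last partition stops short of the volume end
        findings.append(("unallocated", cursor, total_sectors - 1))
    return findings

def build_sample_mbr(entries):
    """Constructed test input: an MBR holding (type, start, count) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    # Constructed 10000-sector volume whose second partition overlaps the first.
    mbr = build_sample_mbr([(0x0C, 2048, 4000), (0x83, 6000, 2000)])
    for kind, first, last in check_layout(read_mbr(mbr), 10000):
        print(f"{kind:13} sectors {first}-{last}")
```

The gap reported before the first partition is normally alignment padding, but it is still unallocated space and is analyzed like any other gap.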

How to recover partitions.

  • they may have been deleted to hinder the investigation.

  • or the partition table may have become corrupted.

  • usually, partitions have a file system, so we can search for their patterns.

    • FAT has the values 0x55 and 0xAA at bytes 510 and 511 of the first sector.

  • the gpart tool tries to identify partitions based on these patterns: gpart -v disco.dd

  • testdisk is another tool to recover partition tables.
