Detecting and mounting partition type from Stream

Jul 12, 2009 at 8:53 PM
Edited Jul 12, 2009 at 8:56 PM

Hi,

I've been playing with DiscUtils using (some of) the disc images from the Digital Forensics Tool Testing Images available on Sourceforge.

Is there a simple method of determining what the file system of a partition in a stream is?

For example, whilst the following works, and bpt.Partitions.Count shows that there are 4 partitions:

using System.IO;
using System.Windows.Forms;
using DiscUtils;
using DiscUtils.Partitions;

// file holds the path of the raw (dd) disc image
using (FileStream ddFileStream = File.Open(file, FileMode.Open, FileAccess.Read))
{
    // Work out the disk geometry from the image, then read its MBR partition table
    Geometry geometry = BiosPartitionTable.DetectGeometry(ddFileStream);

    BiosPartitionTable bpt = new BiosPartitionTable(ddFileStream, geometry);

    MessageBox.Show(bpt.Partitions.Count.ToString());
}

The BiosPartitionInfo TypeAsString is "UnKnown", and the GuidType is empty. If I create a new NtfsFileSystem object, then everything works fine, even as far as retrieving some of the jpeg image files from one of the images. The reason I'm trying to do this is that I could then write a Factory class to create instances of the relevant IFileSystem whenever I load in a file.

My next question, then, is how you would go about mounting a particular partition, or accessing the contents of a particular partition.

This library is amazingly well put together :)

cheers,

Stu

Also as a side note, the first of those disc images has an extended partition table, and loading it in using the above code throws an IOException:

"Unable to complete read of 512 bytes"

   at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
   at DiscUtils.Partitions.BiosExtendedPartitionTable.GetPartitions()
   at DiscUtils.Partitions.BiosPartitionTable.GetExtendedRecords()
   at DiscUtils.Partitions.BiosPartitionTable.GetAllRecords()
   at DiscUtils.Partitions.BiosPartitionTable.get_Partitions()

Coordinator
Jul 13, 2009 at 7:29 PM

Hi Stu,

There's no easy way to detect file systems just from looking at a partition's stream; you're looking at heuristics, since there's no partition table to guide you.

You can probably do a reasonable job by looking at the first few bytes of the stream though.  8 bytes (starting from the 3rd byte) are the ASCII 'OEMID' in the Bios Parameter Block.  This can be a fairly good hint as to the file system within the partition if you're looking at FAT and NTFS (though not guaranteed), since Microsoft document it as the Operating System that created the partition, rather than the type of the file system.

One way to actually mount the partition (assuming you literally mean access it from the local OS) is to create a new virtual disk (VHD) large enough for the partition (with a bit of spare space) - then initialize the partition table and create a partition large enough for the partition.  Finally, copy the partition contents into that partition.  You (hopefully) can then mount the VHD using a VHD device driver (such as vhdmount: http://technet.microsoft.com/en-us/library/cc708295(WS.10).aspx).

I'll take a look at that extended partition table example - looks like the code in DiscUtils may be broken.

Thanks.

Ken

Jul 15, 2009 at 7:38 PM

I'd best find my copy of File System Forensic Analysis then :)

What I meant about mounting a particular partition was, say you have a raw disc image with four partitions, can you use DiscUtils to access each individual partition as a separate entity? That way you could enumerate through the contents of each partition in some sort of Windows Explorer type interface*. I will take a look at vhdmount though, it looks interesting.

*I'm essentially talking about using DiscUtils as the starting point for some sort of digital forensics tool, but I realise that (probably) wasn't what you had in mind for the library.

Coordinator
Jul 15, 2009 at 10:08 PM

If you have an actual disk image (including a valid partition table), then the BiosType and GuidType fields of PartitionInfo should give you a good hint as to the contents of the partition - if they're both junk, then it's probably not a valid disk image.  BiosType should work for disks with traditional partition structures, whilst GuidType works for the newer GPT-style disks.  You can find tables of BiosType values on the web, for example: http://www.viralpatel.net/taj/tutorial/partition_table.php

An explorer-like mechanism like you describe should be possible - just enumerate the partitions, then open the partition streams, using PartitionInfo.Open and interpret using the appropriate file system.

DiscUtils doesn't try to cope with the situations that the Digital Forensics Tool test images exercise (such as having two file systems in a single partition), so it's probably not so useful for cases where data is being deliberately masked and stored outside of the normal file system structures.

Cheers,

Ken
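The boot-sector heuristic from Ken's first reply (the 8-byte OEM ID at offset 3), cross-checked against the BiosType partition-type byte from his second reply, as an added example that is not part of this thread or of DiscUtils. The boot sectors below are constructed for the demonstration; the FAT type-label offsets (54 for FAT12/16, 82 for FAT32) and the 0x55AA signature check come from the FAT and NTFS boot-sector layouts, not from the page.

```python
# Constructed boot sectors (not from the forum or from any test image);
# only the fields the heuristic reads are filled in.
def make_sector(oem, fs_label=b"", label_off=0):
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"              # jump over the BIOS Parameter Block
    sec[3:11] = oem.ljust(8)                # 8-byte OEM ID at offset 3
    if fs_label:
        sec[label_off:label_off + 8] = fs_label.ljust(8)
    sec[510:512] = b"\x55\xAA"              # boot-sector signature
    return bytes(sec)

# MBR partition type byte (PartitionInfo.BiosType in DiscUtils) -> coarse family
BIOS_TYPES = {
    0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16",
    0x0B: "FAT32", 0x0C: "FAT32",
    0x07: "NTFS/HPFS/exFAT",
    0x05: "Extended", 0x0F: "Extended",
}

def sniff_filesystem(sector, bios_type=None):
    """Guess the file system of a partition from its first 512 bytes.

    The OEM ID only names the OS that formatted the volume, so it is a hint,
    not a type field; it is cross-checked against the FAT type label and the
    MBR partition type byte before a FAT flavour is reported.
    """
    if len(sector) < 512:
        # A truncated image gives DiscUtils its "Unable to complete read" error
        raise ValueError("need a full 512-byte boot sector")
    if sector[510:512] != b"\x55\xAA":
        return "unknown (no boot-sector signature)"
    oem = sector[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if sector[54:62].startswith(b"FAT"):    # FAT12/FAT16 type label (optional)
        return sector[54:62].decode("ascii").strip()
    if sector[82:90].startswith(b"FAT32"):  # FAT32 type label (optional)
        return "FAT32"
    # OEM ID alone: MS-DOS / Windows formatting strings imply some FAT flavour,
    # so fall back to the partition table's type byte to pick which one
    if oem.startswith(b"MSDOS") or oem.startswith(b"MSWIN"):
        return BIOS_TYPES.get(bios_type, "FAT (flavour unknown)")
    return BIOS_TYPES.get(bios_type, "unknown")

if __name__ == "__main__":
    print(sniff_filesystem(make_sector(b"NTFS")))                       # NTFS
    print(sniff_filesystem(make_sector(b"MSDOS5.0"), bios_type=0x0B))   # FAT32
```

In DiscUtils terms the sector would come from reading 512 bytes off the stream returned by PartitionInfo.Open, and bios_type from PartitionInfo.BiosType.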