0% found this document useful (0 votes)

122 views

Linux Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

linux, how to

Uploaded by

scrapy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

122 views

Linux Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

linux, how to

Uploaded by

scrapy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 7

Linux Forensics

Dr. Phil Polstra @ppolstra

PhD, CISSP, CEH http://philpolstra.com
Certifications:
http://www.securitytube-training.com

Pentester Academy: http://www.PentesterAcademy.com

SecurityTube.net
Mounting Images: MBR Basics

SecurityTube.net
High Level Process

Call Dead Yes Acquire

Placed Incident? Yes Live Analysis
Analysis? Images

No No

Lessons Dead
Learned Write Reports
Analysis

SecurityTube.net
Master Boot Record

Ancient standard (from the 80s)

Allows up to four partition

At most one partition can be active (bootable)

Some partitions may be extended partitions

Can contain multiple partitions inside them
Partitions are stored in a linked list

Being replaced with GUID partition tables

SecurityTube.net
Master Boot Record Format
Offset Length Item

0 (0x00) 446 (0x1BE) Boot code

446 (0x1BE) 16 (0x10) First partition

462 (0x1CE) 16 (0x10) Second partition

478 (0x1DE) 16 (0x10) Third partition

494 (0x1EE) 16 (0x10) Fourth partition

510 (0x1FE) 2 (0x2) Signature 0x55 0xAA

SecurityTube.net
Partition Record Format
Offset Length Item
0 (0x00 1 (0x01) Active flag (0x80 = bootable)
1 (0x01) 1 (0x01) Start head
2 (0x02) 1 (0x01) Start sector (bits 0-5); upper bits of cylinder (6-
7)
3 (0x03) 1 (0x01) Start cylinder lowest 8 bits
4 (0x04) 1 (0x01) Partition type code (0x83 = Linux)
5 (0x05) 1 (0x01) End head
6 (0x06) 1 (0x01) End sector (bits 0-5); upper bits of cylinder (6-
7)
7 (0x07) 1 (0x01) End cylinder lowest 8 bits
8 (0x08) 4 (0x04) Sectors preceding partition (little endian)
12 (0x0C) 4 (0x04) Sectors in partition
SecurityTube.net
Mounting an Image with a MBR

SecurityTube.net

n4 3.8.30 Ecn4 XMLRDT
No ratings yet
n4 3.8.30 Ecn4 XMLRDT
138 pages
Master Boot Record - Wikipedia, The Free Encyclopedia
No ratings yet
Master Boot Record - Wikipedia, The Free Encyclopedia
21 pages
Master Boot Record (MBR) Explained - IONOS
No ratings yet
Master Boot Record (MBR) Explained - IONOS
9 pages
Master Boot Record
No ratings yet
Master Boot Record
12 pages
Master Boot Record: Usman Mansoor Junaid Ali Husnain Manzoor Fahad Ali
No ratings yet
Master Boot Record: Usman Mansoor Junaid Ali Husnain Manzoor Fahad Ali
10 pages
Analysing The MBR With Hex Workshop
No ratings yet
Analysing The MBR With Hex Workshop
25 pages
Boot Loaders
100% (1)
Boot Loaders
54 pages
BootingMultipleOS
No ratings yet
BootingMultipleOS
21 pages
Lesson 12 System Partition
No ratings yet
Lesson 12 System Partition
13 pages
Hard Drive Partitioning Knowledge
100% (1)
Hard Drive Partitioning Knowledge
222 pages
Master Boot Record and Volume Boot Record Notes
No ratings yet
Master Boot Record and Volume Boot Record Notes
11 pages
Analyzing Master Boot Record For Forensic Investig
No ratings yet
Analyzing Master Boot Record For Forensic Investig
6 pages
lab 3
No ratings yet
lab 3
18 pages
MBR GPT
No ratings yet
MBR GPT
20 pages
MBR GPT Cheatsheet
No ratings yet
MBR GPT Cheatsheet
3 pages
MBR GPT Cheatsheet
No ratings yet
MBR GPT Cheatsheet
3 pages
Boot Process
No ratings yet
Boot Process
3 pages
Master Boot Record
No ratings yet
Master Boot Record
6 pages
Linux Booting Process
No ratings yet
Linux Booting Process
16 pages
#9 GPT Vs MBR Boot Records
No ratings yet
#9 GPT Vs MBR Boot Records
13 pages
Secuencias de Arranque en Windows Dual Boot
No ratings yet
Secuencias de Arranque en Windows Dual Boot
8 pages
Ghffar, Hamed, Fahim
No ratings yet
Ghffar, Hamed, Fahim
8 pages
Boot Loaders - An Introduction
100% (6)
Boot Loaders - An Introduction
50 pages
Linux Unit 3.1
No ratings yet
Linux Unit 3.1
10 pages
Ch+9+ +Implementing+Mass+Storage
No ratings yet
Ch+9+ +Implementing+Mass+Storage
17 pages
Master Boot Record
No ratings yet
Master Boot Record
7 pages
MBR & GPT
No ratings yet
MBR & GPT
2 pages
Computer Proble-WPS Office
No ratings yet
Computer Proble-WPS Office
5 pages
CSN08101 Digital Forensics: Lecture 5A: PC Boot Sequence and Storage Devices
No ratings yet
CSN08101 Digital Forensics: Lecture 5A: PC Boot Sequence and Storage Devices
45 pages
GPT VS MBR
No ratings yet
GPT VS MBR
9 pages
8 Free Tools To Backup and Restore The Master Boot Record
No ratings yet
8 Free Tools To Backup and Restore The Master Boot Record
8 pages
Booting Process
No ratings yet
Booting Process
4 pages
MBR Analysis #1 Completed
No ratings yet
MBR Analysis #1 Completed
2 pages
partition
No ratings yet
partition
10 pages
Learn Linux, 101 Boot Managers
No ratings yet
Learn Linux, 101 Boot Managers
35 pages
DF Lesson7
No ratings yet
DF Lesson7
40 pages
Diydatarecovery - NL MBRtool Manual
No ratings yet
Diydatarecovery - NL MBRtool Manual
14 pages
Example
No ratings yet
Example
21 pages
Veritas Brief Resume and Basic Steps
No ratings yet
Veritas Brief Resume and Basic Steps
90 pages
Difference Between GPT and MBR When Partitioning A Drive?
No ratings yet
Difference Between GPT and MBR When Partitioning A Drive?
12 pages
Uefi Vs Bios Part2
No ratings yet
Uefi Vs Bios Part2
7 pages
Linux - Disk management
No ratings yet
Linux - Disk management
8 pages
Booting Up: 12-Mar-19 Boot - PPT 1
No ratings yet
Booting Up: 12-Mar-19 Boot - PPT 1
14 pages
Imp - Notes 015 - MBR Vs GPT - What's The Difference Between An MBR Partition and A GPT Partiti
No ratings yet
Imp - Notes 015 - MBR Vs GPT - What's The Difference Between An MBR Partition and A GPT Partiti
6 pages
Booting Process in Linux and Windows
No ratings yet
Booting Process in Linux and Windows
5 pages
UEFI, BIOS, GPT, MBR - What's The Difference - Fossbytes
No ratings yet
UEFI, BIOS, GPT, MBR - What's The Difference - Fossbytes
6 pages
GUID Partition Table PDF
No ratings yet
GUID Partition Table PDF
11 pages
How To Use Command Prompt To Fix Issues With Your PC's Boot Records PDF
No ratings yet
How To Use Command Prompt To Fix Issues With Your PC's Boot Records PDF
13 pages
Reading Boot Parameters
100% (2)
Reading Boot Parameters
5 pages
Session-6-MANAGING PARTITIONS & FILE SYSTEMS
No ratings yet
Session-6-MANAGING PARTITIONS & FILE SYSTEMS
26 pages
Windows 7 Volume Boot Record (VBR)
No ratings yet
Windows 7 Volume Boot Record (VBR)
9 pages
1 PC Introduction
No ratings yet
1 PC Introduction
40 pages
Linux 027
No ratings yet
Linux 027
8 pages
Info Security Slides 1
No ratings yet
Info Security Slides 1
107 pages
Partman Manual
No ratings yet
Partman Manual
15 pages
GPT & MBR Disk
No ratings yet
GPT & MBR Disk
5 pages
FAT32 File Structure
No ratings yet
FAT32 File Structure
65 pages
Readme
No ratings yet
Readme
4 pages
4.MemoryManagement
No ratings yet
4.MemoryManagement
68 pages
Introduction To Suse Linux Enterprise Server (Sles) : Opensap
No ratings yet
Introduction To Suse Linux Enterprise Server (Sles) : Opensap
19 pages
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
From Everand
Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
Bruce Dang
No ratings yet
Full Stack Development - CODINIUS
No ratings yet
Full Stack Development - CODINIUS
15 pages
Smps Based Integrated Power Supply: Chapter - 1
No ratings yet
Smps Based Integrated Power Supply: Chapter - 1
3 pages
C Language Roadmap
No ratings yet
C Language Roadmap
3 pages
DCS Specs
No ratings yet
DCS Specs
8 pages
LED LCD Monitor (LED Monitor ) : Owner'S Manual
No ratings yet
LED LCD Monitor (LED Monitor ) : Owner'S Manual
21 pages
Software Classification Explanation
100% (1)
Software Classification Explanation
9 pages
INFO - PanelView 660 y Logix 5550
No ratings yet
INFO - PanelView 660 y Logix 5550
6 pages
Perations Anual: Project or System Name
No ratings yet
Perations Anual: Project or System Name
13 pages
How To Interface ADXL345 Accelerometer With Arduino UNO
No ratings yet
How To Interface ADXL345 Accelerometer With Arduino UNO
16 pages
Unit 3
No ratings yet
Unit 3
22 pages
(2)DSP LAB OPEN ENDED(2)-1
No ratings yet
(2)DSP LAB OPEN ENDED(2)-1
9 pages
MP2307 r1.9
No ratings yet
MP2307 r1.9
12 pages
Q-PLM Enovia V6 + CT5
No ratings yet
Q-PLM Enovia V6 + CT5
128 pages
Eclipse Shortcuts Win 4.9
No ratings yet
Eclipse Shortcuts Win 4.9
2 pages
1301 FESTO Product Catalog
No ratings yet
1301 FESTO Product Catalog
5 pages
Thin Film Transistor Liquid Crystal Display
No ratings yet
Thin Film Transistor Liquid Crystal Display
20 pages
WinIDEA Manual
No ratings yet
WinIDEA Manual
390 pages
CSIT 413 - Session 1
No ratings yet
CSIT 413 - Session 1
53 pages
TPS55340-Q1 Integrated 5-A, Wide Input Range Boost, SEPIC, or Flyback DC/DC Converter
No ratings yet
TPS55340-Q1 Integrated 5-A, Wide Input Range Boost, SEPIC, or Flyback DC/DC Converter
37 pages
CS 3210 Operating System Design Fall 2003, MW 12-1
No ratings yet
CS 3210 Operating System Design Fall 2003, MW 12-1
6 pages
Jinan Huamao Technology Co., LTD.: HM Bluetooth Module Datasheet
No ratings yet
Jinan Huamao Technology Co., LTD.: HM Bluetooth Module Datasheet
56 pages
Engineering Design Lab Exercise 2 Nios II Processor Software Development
No ratings yet
Engineering Design Lab Exercise 2 Nios II Processor Software Development
6 pages
PCS 9611S
No ratings yet
PCS 9611S
5 pages
Preview Simulasi Rakit PC: No # Item Jumlah Harga Satuan Subtotal Processor
No ratings yet
Preview Simulasi Rakit PC: No # Item Jumlah Harga Satuan Subtotal Processor
1 page
Final Date Sheet End Term Theory Exam Jan Feb2022
No ratings yet
Final Date Sheet End Term Theory Exam Jan Feb2022
6 pages
Gopala Krishna Reddy - Devops Engineer
No ratings yet
Gopala Krishna Reddy - Devops Engineer
2 pages
Lecture #02, Microprocessor
No ratings yet
Lecture #02, Microprocessor
8 pages
PTN5100 PHY Programming Guide V0.1
No ratings yet
PTN5100 PHY Programming Guide V0.1
103 pages
An 951
No ratings yet
An 951
20 pages

Linux Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

Linux Forensics: Dr. Phil Polstra @ppolstra PHD, Cissp, Ceh

Uploaded by

Linux Forensics

Dr. Phil Polstra @ppolstra

Pentester Academy: http://www.PentesterAcademy.com

Call Dead Yes Acquire

Ancient standard (from the 80s)

Allows up to four partition

At most one partition can be active (bootable)

Some partitions may be extended partitions

Being replaced with GUID partition tables

0 (0x00) 446 (0x1BE) Boot code

446 (0x1BE) 16 (0x10) First partition

462 (0x1CE) 16 (0x10) Second partition

478 (0x1DE) 16 (0x10) Third partition

494 (0x1EE) 16 (0x10) Fourth partition

510 (0x1FE) 2 (0x2) Signature 0x55 0xAA

You might also like