File System Forensic Analysis: PC-based Partitions

Eugenia Loli, 2005-05-16, OS News, 12 Comments

This chapter dives into the details of the partition systems used in personal computers, from DOS partitions, to Apple partitions, to removable media.

12 Comments

2005-05-16 5:38 am
hi,
Definitely looks like an interesting read, but the excerpts give no idea whether this is a hands-on book, or not. They just *had* to pick the most boring, purely theoretical section of the book, didn’t they? lol…
For instance, what sort of tools/techniques are covered? Commercial ones, like Encase? Or OSS ones, like TCT, Autopsy, etc, or even commercial *nix ones like S.M.A.R.T.?
cya,
Victor

2005-05-16 6:13 am
hi,
I just read the book more carefully, and I only just noticed who the author is – Brian Carrier. I can’t believe that I didn’t notice that before – he’s the guy who wrote TSK, and I’ve also seen him mentioned on honeypot.org, security-forums (I think), and also other security/forensics places on the net.
Definitely worth checking out, and I might even buy it now, even though I now have the ebook…hehehe
bye,
Victor

2005-05-16 9:07 am
WOW! I admit that some of that stuff went over my non-tech-geek head. Nonetheless, it explained some things about “partitioning” that I’ve always wondered about.
Am I wrong, does the author seem to find Apple’s scheme superior to Windows? Uh oh, fanbois of either camp are soon to follow…

2005-05-16 11:33 am
That there is no standard for filesystems. Is that also true of BIOS?

2005-05-16 12:04 pm
Partitions are not filesystems. 🙂
A filesystem in an x86 box usually resides in a partition, but one filesystem could also be composed of several different partitions in the case of Unix-like filesystems that have a mount command.

2005-05-16 12:11 pm
A Type 0x7 partition is also used to identify an OS/2 HPFS partition.
This is interesting, since NTFS came after HPFS, and since Microsoft knew damn well that using the same partition type number would create a conflict (HPFS was mainly developed by Microsoft’s Gordon Letwin, so MS knew quite well that the type was already in use by its direct rival).

2005-05-16 12:14 pm
http://www.win.tue.nl/~aeb/par titions/partition_types-1.html

2005-05-16 12:16 pm
http://www.win.tue.nl/~aeb/partitions/partition_types-1.html
If this one comes through incorrectly again, I’m giving up. Damned software should allow for post-comment editing.

2005-05-16 3:12 pm
*humble bow* Thanks for the calibration. How easily the lack of understanding is revealed in careless terminology usage…

2005-05-16 3:35 pm
This is interesting, since NTFS came after HPFS, and since Microsoft knew damn well that using the same partition type number would create a conflict (HPFS was mainly developed by Microsoft’s Gordon Letwin, so MS knew quite well that the type was already in use by its direct rival).
I seem to recall that at least NT 3.51 had some HPFS compatibility built in because of the initial push to provide OS/2 compatibility.
I am pretty familiar with Windows partitioning and partitioning in general; what would be more useful to me at least would be a comparison of different Unix partitioning schemes.

2005-05-16 6:40 pm
Cool, BeOS and BFS don’t exist…. let’s break some laws and get away free… Cops won’t be able to decrypt the filesystem!! LMAO.

2005-05-16 6:49 pm
Sorry if I came across as harsh — I meant to post that as a kind of clarifying statement, not as a formal correction.
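
Added example (not from the article, the book, or any commenter): because type 0x07 is shared by HPFS and NTFS, as noted in the comments above, the partition table alone cannot say which filesystem is present, so this code parses a DOS partition table and checks on-disk signatures instead. The disk image is constructed and the function names are hypothetical; the HPFS superblock location (sector 16) and magic value are those used by the Linux HPFS driver.

```python
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "      # OEM ID at byte 3 of an NTFS boot sector
HPFS_SB_MAGIC = 0xF995E849  # HPFS superblock magic, at sector 16 of the volume

def parse_mbr(image):
    """Return the non-empty primary entries of a DOS partition table."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                               # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, size
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype,
                          "start": start, "sectors": count})
    return parts

def identify_type_07(image, part):
    """Decide what a type 0x07 partition holds from on-disk signatures."""
    base = part["start"] * SECTOR
    boot = image[base: base + SECTOR]
    if boot[3:11] == NTFS_OEM:
        return "NTFS"
    sb = image[base + 16 * SECTOR: base + 17 * SECTOR]
    if len(sb) >= 4 and struct.unpack_from("<I", sb, 0)[0] == HPFS_SB_MAGIC:
        return "HPFS"
    return "unknown"  # the type byte alone proves nothing

def build_sample_image():
    """Constructed 128-sector image with two type 0x07 partitions."""
    img = bytearray(128 * SECTOR)
    for i, start in enumerate((8, 64)):
        struct.pack_into("<B3sB3sII", img, 446 + 16 * i,
                         0, b"\0\0\0", 0x07, b"\0\0\0", start, 32)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 3: 8 * SECTOR + 11] = NTFS_OEM           # NTFS-like
    struct.pack_into("<I", img, (64 + 16) * SECTOR, HPFS_SB_MAGIC)  # HPFS-like
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for p in parse_mbr(image):
        label = identify_type_07(image, p) if p["type"] == 0x07 else "n/a"
        print(f"entry {p['index']}: type 0x{p['type']:02x} "
              f"start {p['start']} -> {label}")
```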