Hidden FileSystem

Hi

How can I know if an image has a hidden file system?

Is there any command in Linux that can show that?
ang3lusAsked:

hvillanuCommented:
Hi,

To view devices and file systems, use:
#fdisk -l
And to see what's mounted, use:
df -k

You can always use the proper Linux tool to see and manage disks/partitions/file systems, like
#parted
but it depends on your Linux distribution

-hope helps-
0
ang3lusAuthor Commented:
Ok

I have an image file that has 3 partitions and 3 unallocated spaces. I cut down these partitions + unallocated spaces.

When I checked the partition layout of the original image and one of the unallocated spaces, it showed the same output.
What does this mean?

0
hvillanuCommented:
Can you paste the output please.
0

ang3lusAuthor Commented:
the image output: fdisk -l image.raw
 You must set cylinders.
You can do this from the extra functions menu.

Disk image.raw: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8a8a8a8

         Device Boot      Start         End      Blocks   Id  System
image.raw1   *           1          71      564192+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 7, 55) logical=(70, 61, 55)
Partition 1 does not end on cylinder boundary.
image.raw2              81         118      305235   83  Linux
image.raw3             119         130       91728   a5  FreeBSD

=============
for extracted unallocated space 1

fdisk -l unallocatedspace1.raw

You must set cylinders.
You can do this from the extra functions menu.

Disk unallocatedspace1.raw: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8a8a8a8

  Device Boot      Start         End      Blocks   Id  System
unallocatedspace1.raw1   *           1          71      564192+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 7, 55) logical=(70, 61, 55)
Partition 1 does not end on cylinder boundary.
unallocatedspace1.raw2              81         118      305235   83  Linux
unallocatedspace1.raw3             119         130       91728   a5  FreeBSD


===========
When I used the file command, it output that unallocated space 2 is an ext2 file. Does this mean this is a hidden file system? ( unallocatedspace2.raw: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=n05e2n11-f803-4n00-a7bb-8901b96f69fg (errors)) But the mmls command shows it is unallocated space.

thanks
0
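The check asked about above, as an added example that is not part of the original thread: it reads the MBR partition table of a raw image, works out which sectors no partition covers, and looks for NTFS, FAT and ext2/3/4 signatures in those sectors. The function names and the 32 KiB sample image are constructed for this example.

```python
import struct

SECTOR = 512
# (byte offset from the first sector of the file system, magic bytes, name)
SIGNATURES = [(3, b"NTFS    ", "ntfs"), (54, b"FAT1", "fat12/16"),
              (82, b"FAT32", "fat32"), (1080, b"\x53\xef", "ext2/3/4")]

def parse_mbr(img):
    """Return sorted (start_lba, sector_count, type) for used primary entries."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    entries = (struct.unpack_from("<B3sB3sII", img, 446 + 16 * i) for i in range(4))
    return sorted((e[4], e[5], e[2]) for e in entries if e[2] and e[5])

def unallocated(parts, total_sectors):
    """Sector ranges (first, last) not covered by a partition; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def probe(img, sector):
    """Name the file system that would begin at `sector`, or None."""
    base = sector * SECTOR
    for off, magic, name in SIGNATURES:
        if img[base + off:base + off + len(magic)] == magic:
            return name
    return None

def find_hidden(img):
    """List (sector, fs) for file-system signatures found in unallocated space."""
    gaps = unallocated(parse_mbr(img), len(img) // SECTOR)
    return [(s, fs) for first, last in gaps for s in range(first, last + 1)
            if (fs := probe(img, s))]

def build_sample():
    """Constructed image: one Linux partition (sectors 8-23), ext magic in a gap."""
    img = bytearray(64 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x83, b"\0" * 3, 8, 16)
    img[510:512] = b"\x55\xaa"
    for sector in (8, 32):  # 8 = inside the partition, 32 = unallocated
        img[sector * SECTOR + 1080:sector * SECTOR + 1082] = b"\x53\xef"
    return bytes(img)

if __name__ == "__main__":
    print(find_hidden(build_sample()))
```

The two-byte ext magic can match by chance in real data, so a hit is a lead to confirm with `file` or `fsstat` on the carved range rather than proof of a file system.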
Hugh McCurdyCommented:
I think you are on the right path but I don't see how this approach would find:

A file system that wasn't using fdisk (say a DOS floppy image).
A file system on an image that was encrypted.
0
hvillanuCommented:
Hi,
Perhaps they are links over raw partitions named with an alias, or misconfigured partitions.
So...
What's the output of fdisk -l
(Without any other args)

and output of df -k

-regards-
0
ang3lusAuthor Commented:
df -k image.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539832  76980884  16% /

===
df -k unallocatedspace1.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539840  76980876  16% /

====
df -k unallocatedspace2.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539852  76980864  16% /

====
 df -k unallocatedspace3.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539836  76980880  16% /

========
I pasted the output of fdisk -l before.
0
hvillanuCommented:
hi,
As far as I can see, these images have the same partitions but different names, perhaps the same content.
You could restore it on a virtual machine to find out.

Try
#parted
#cat /etc/fstab
to see what's inside.
-regards-
0
