• Status: Solved

Hidden FileSystem

Hi

How can I know if an image has a hidden file system?

Is there any command in Linux that can show that?
ang3lus
 
hvillanu Commented:
Hi,

To view devices and file systems, use:
# fdisk -l
And to see what's mounted, use:
df -k

You can always use the proper Linux tool to see and manage disks/partitions/file systems, like
# parted
but it depends on your Linux distribution.

-hope helps-
 
ang3lus (Author) Commented:
Ok

I have an image file that has 3 partitions and 3 unallocated spaces. I cut down these partitions + unallocated spaces.

When I checked the partition layout of the original image and one of the unallocated spaces, it showed the same output.
What does this mean????

 
hvillanu Commented:
Can you paste the output, please?
 
ang3lus (Author) Commented:
The image output: fdisk -l image.raw
 You must set cylinders.
You can do this from the extra functions menu.

Disk image.raw: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8a8a8a8

         Device Boot      Start         End      Blocks   Id  System
image.raw1   *           1          71      564192+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 7, 55) logical=(70, 61, 55)
Partition 1 does not end on cylinder boundary.
image.raw2              81         118      305235   83  Linux
image.raw3             119         130       91728   a5  FreeBSD

=============
For extracted unallocated space 1:

fdisk -l unallocatedspace1.raw

You must set cylinders.
You can do this from the extra functions menu.

Disk unallocatedspace1.raw: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xa8a8a8a8

  Device Boot      Start         End      Blocks   Id  System
unallocatedspace1.raw1   *           1          71      564192+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
     phys=(1023, 7, 55) logical=(70, 61, 55)
Partition 1 does not end on cylinder boundary.
unallocatedspace1.raw2              81         118      305235   83  Linux
unallocatedspace1.raw3             119         130       91728   a5  FreeBSD


===========
When I used the file command, it output that unallocated space 2 is an ext2 file. Does this mean this is a hidden file system? (unallocatedspace2.raw: Linux rev 1.0 ext2 filesystem data (mounted or unclean), UUID=n05e2n11-f803-4n00-a7bb-8901b96f69fg (errors)) But the mmls command shows it is unallocated space.

Thanks
 
Hugh McCurdy Commented:
I think you are on the right path but I don't see how this approach would find:

A file system that wasn't using fdisk (say a DOS floppy image).
A file system on an image that was encrypted.
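An added example, not written by any poster in this thread: Python that reads the MBR partition table of a raw image, computes the unallocated runs between partitions, and checks the start of each run for a file-system signature, which is the kind of check the `file` result above points to. The function names, the signature list and the sample image are constructed for illustration; it assumes 512-byte sectors and primary MBR entries only.

```python
import struct

SECTOR = 512
SIGNATURES = [  # (offset inside the volume, magic bytes, label)
    (0x438, b"\x53\xef", "ext2/3/4 superblock magic"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (54, b"FAT1", "FAT12/16 boot sector"),
]

def mbr_partitions(image):
    """Return sorted (start_lba, sector_count, type_id) for used primary MBR entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] and count:  # type 0 or zero length means an unused slot
            parts.append((start, count, entry[4]))
    return sorted(parts)

def unallocated_gaps(image):
    """Return (start_lba, sector_count) runs not covered by any partition.
    Sector 0 is skipped because it holds the partition table itself."""
    gaps, cursor = [], 1
    for start, count, _ in mbr_partitions(image):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if len(image) // SECTOR > cursor:
        gaps.append((cursor, len(image) // SECTOR - cursor))
    return gaps

def probe_gaps(image):
    """Look for a known signature at the start of every unallocated run."""
    hits = []
    for start, count in unallocated_gaps(image):
        for off, magic, label in SIGNATURES:
            pos = start * SECTOR + off
            if image[pos:pos + len(magic)] == magic:
                hits.append((start, count, label))
    return hits

def build_sample():
    """Constructed image: one partition at LBA 8-15, ext2 magic planted after it."""
    img = bytearray(32 * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 8, 8)
    img[510:512] = b"\x55\xaa"
    img[16 * SECTOR + 0x438:16 * SECTOR + 0x43A] = b"\x53\xef"
    return bytes(img)
```

A two-byte magic can match by chance and a file system need not begin at the first sector of a gap, so a hit is a lead to confirm with `file` on the carved region. An encrypted volume carries no such signature and will not be found this way.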
 
hvillanu Commented:
Hi,
Perhaps they are links over raw partitions and named with aliases, or misconfigured partitions.
So...
What's the output of fdisk -l
(Without any other args)

and the output of df -k

-regards-
 
ang3lus (Author) Commented:
df -k image.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539832  76980884  16% /

===
df -k unallocatedspace1.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539840  76980876  16% /

====
df -k unallocatedspace2.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539852  76980864  16% /

====
 df -k unallocatedspace3.raw
Filesystem           1K-blocks Used Available Use% Mounted on
/dev/sda1             96418556  14539836  76980880  16% /

========
I pasted the output of fdisk -l before.
 
hvillanu Commented:
Hi,
As far as I can see, these images have the same partitions but different names, perhaps the same content.
You could restore it on a virtual machine to find out.

Try
# parted
# cat /etc/fstab
to see what's inside.
-regards-