Cannot determine partition type
Hi there,
I have been trying to learn sleuthkit forensic tools from https://sysforensics.org/2012/02/. I downloaded some iso images to practice on from here: http://www.dftt.org/test14/. It's called iso-dirtree.iso. However, when I try:

mmls /home/sansforensics/Desktop/Images/iso-dirtree.iso

Cannot determine partition type.

I am VERY new to this, and it would really help if someone explained this to me. Thanks in advance
Just because it has a ".iso" extension doesn't mean it IS an iso image. What happens if you run "file /home/sansforensics/Desktop/Images/iso-dirtree.iso" as compared to when you run the "file" command against other .iso files you downloaded?
Output:

/home/sansforensics/Desktop/Images/iso-dirtree1.iso: broken symbolic link to `/home/sansforensics/Desktop/Images/iso-dirtree1.iso'

sansforensics@siftworkstation:~$ file ~/Downloads/Image.iso
Renaming a file

The only way the description (i.e. file extension) is valid is if the file acts like, and is composed of, the correct elements, in a useful order. If the file does not act like an .iso, it can't function as one.
The broken link should be removed with "rm /home/sansforensics/Desktop/Images/iso-dirtree1.iso". You can then redownload the iso and try again.

As others have already noted, my comment about its name not necessarily proving its purpose is because UNIX/Linux names can be pretty much anything you want. Ideally the extensions people put on names are indicative of what type of file they are, but it isn't always the case. In fact you could name a file with multiple dots and/or extensions longer than 3 characters, because they aren't truly extensions in the DOS/Windows sense but rather just characters in a file name. In fact you can even use spaces in file names, but you don't really want to, because then you have to remember to put quotes in the reference.

So you could create a file with the touch command:

touch "this here file name has spaces and it has.dots.to.confuse.people_and_I_end_it_in_.sh_to_annoy_others.sh"

If you then ran:

ls -l this

you'd not see the file because that isn't its name.

ls -l this*

would show it.

ls -l "this here file name has spaces and it has.dots.to.confuse.people_and_I_end_it_in_.sh_to_annoy_others.sh"

would of course also show it.
@MensaWater
Thanks for responding. So if I understand you correctly, Linux is unable to identify what type of file it is (just based on its extension)? The difficulty I am having understanding this is: how does Linux ever identify what type of file it is? Is there something more internal to the file itself than just the extension?
Linux DID identify the file type. It was a symbolic link. It further told you it was a "broken" link. The output you gave suggests it is broken because it is linked to itself. Possibly removing the file would remove the link on top of the "real" file and you'd see the real file, but that isn't guaranteed. Since the broken link isn't helping, doing the remove would be a good start.

The "file" command looks for a "magic number" and/or other details (e.g. permissions on a file) to determine what kind of file it is. (That is to say, an ascii file with only read/write permissions has no "magic number", so it will tell you it is "ascii" or "txt", but the same file with execute permissions it might suggest to you is a shell executable, on the theory that you'd not put execute on simple text files.) What "file" does NOT do is assume your file is an iso (or a tar or a shell script) just because it is named with .iso (or .tar or .sh). Putting those suffixes on files is done by "convention", not by "requirement". It is perfectly valid to call all your iso files with NO extension, or with a .billybob extension, or any other suffix you'd like to put on them. If you type "man file" it will give you details on how the "file" command works. Note that "file" will NOT always tell you exactly what you have, but it is a good starting point in trying to verify that you have what you think you do.

Another clue comes from the "ls" command. Doing "ls -l" on the file you have with .iso will show you more details about it, including permissions, owner, group AND what it is linked to. For symbolic links, running "ls -lL" will show you those details for the file it is linked to instead of the link file. For example, on RHEL systems the /etc/init.d directory where init (startup/shutdown) scripts live is actually a symbolic link:

ls -l /etc/init.d
lrwxrwxrwx. 1 root root 11 Mar 9 2011 /etc/init.d -> rc.d/init.d

The "l" shows the type is a symbolic link; the rwxrwxrwx shows it is read/write/execute for owner, group and everyone. The "root root" shows it is owned by root and grouped to root. The "->" shows that it is linked to rc.d/init.d (and since that doesn't start with "/" you know it is relative to /etc, so it is linked to /etc/rc.d/init.d).

If you then do ls -lL /etc/init.d you get different output, which is a list of files in rc.d/init.d (because it turns out that is a directory rather than just a file). You can add the "-d" flag to ls to make it show the permissions on a directory instead of showing you its contents:

ls -lLd /etc/init.d

shows:

drwxr-xr-x. 2 root root 4096 Apr 22 07:55 /etc/init.d

which is the same as you'd get doing the ls on the linked directory:

ls -lLd /etc/rc.d/init.d
drwxr-xr-x. 2 root root 4096 Apr 22 07:55 /etc/rc.d/init.d

The d at the start of both of those shows it is a directory. The rwxr-xr-x shows read/write/execute for owner, but only read/execute for group and everyone else. (For directories the "x" doesn't make them executable but instead allows access to items in the directory.)
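An added example (not from any poster in this thread, and not code from The Sleuth Kit): the symlink and magic-number checks described in the post above, as a shell function that classifies a candidate image before mmls is run on it. It follows the link with readlink -f, requires a regular file, then reads the ISO 9660 "CD001" identifier at byte offset 32769 and the 0x55 0xAA MBR boot signature at offset 510, so a ".iso" suffix on its own proves nothing. The sample files it creates in a temp directory (a fake ISO header, a fake MBR sector, a text file named .iso, and a self-referential link like the one in the thread) are constructed here and are not the dftt.org image. One caveat for the original question: mmls reads partition tables (DOS/MBR, GPT, BSD, Sun, Mac), and a plain ISO 9660 image has none, so even an intact iso-dirtree.iso answers "Cannot determine partition type"; the file-system layer tools, for example fls -f iso9660 or fsstat, are what read that image.

```shell
#!/bin/sh
# Added example, not code from the thread or from The Sleuth Kit.
# Classify an "image" file the way file(1) does: follow the symlink, check
# it is a regular file, then read magic bytes at fixed offsets rather than
# trusting the ".iso" suffix. Needs dd, od, wc and readlink -f (GNU or BSD).

# Print $3 raw bytes of file $1 starting at byte offset $2.
read_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Echo one of: broken-symlink, not-a-regular-file, iso9660,
# mbr-partition-table, unknown.
classify_image() {
    f="$1"
    if [ -L "$f" ]; then
        # readlink -f fails (prints nothing) on a self-referential link;
        # a dangling link resolves to a path that does not exist.
        target=$(readlink -f "$f" 2>/dev/null || true)
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo broken-symlink
            return 0
        fi
        f="$target"
    fi
    if [ ! -f "$f" ]; then
        echo not-a-regular-file
        return 0
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    # ISO 9660: the Primary Volume Descriptor sits at sector 16 (offset 32768);
    # bytes 1-5 of it are the standard identifier "CD001".
    if [ "$size" -ge 32774 ] && [ "$(read_at "$f" 32769 5)" = "CD001" ]; then
        echo iso9660
        return 0
    fi
    # DOS/MBR partition table: boot signature 0x55 0xAA at offset 510.
    if [ "$size" -ge 512 ] && \
       [ "$(read_at "$f" 510 2 | od -An -tx1 | tr -d ' \n')" = "55aa" ]; then
        echo mbr-partition-table
        return 0
    fi
    echo unknown
}

# Build constructed sample files (not the dftt.org image) in directory $1.
make_samples() {
    d="$1"
    # 32768 zero bytes, then a type-1 descriptor header: 0x01 "CD001" 0x01
    { dd if=/dev/zero bs=1024 count=32 2>/dev/null; printf '\001CD001\001'; } > "$d/real.iso"
    # 510 zero bytes followed by the MBR boot signature
    { dd if=/dev/zero bs=1 count=510 2>/dev/null; printf '\125\252'; } > "$d/disk.dd"
    # plain text wearing an .iso suffix
    printf 'just text\n' > "$d/text.iso"
    # the failure mode from the thread: a link that points to itself
    ln -s "$d/self.iso" "$d/self.iso"
}

# Stand-alone demo: build the samples, classify each, clean up.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for name in real.iso disk.dd text.iso self.iso; do
        printf '%-10s %s\n' "$name" "$(classify_image "$d/$name")"
    done
    rm -rf "$d"
}
demo
```

Run it as a plain script; for a real case, call classify_image on the downloaded path and only hand the file to mmls when it reports mbr-partition-table (or to fls -f iso9660 when it reports iso9660). The "CD001" and 0x55AA checks are the same kind of fixed-offset magic that file(1) consults through its magic database, which is why the output "broken symbolic link" already told the original poster everything needed.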
pan64 explained above. Use the file command. The details of how this works behind the scenes might be explained by someone, but not by myself, as I have no idea. In a terminal do: touch junk.iso. This creates a file by that name, and if you run: find junk.iso you will get:

file junk.iso and get the following output:

http://www.linfo.org/file_command.html