Cannot determnine patition type
 

Hi there,

I have been trying to learn sleuthkit forensic tools from https://sysforensics.org/2012/02/. I downloaded some iso images to practice on from here: http://www.dftt.org/test14/. It's called iso-dirtree.iso.

However when I try:

it responds:

What does it mean that it cannot determine the partition type? Also, how can I fix this?

I am VERY new to this, and it would really help if someone explained this to me.
Thanks in advance

Just because it has a ".iso" extension doesn't mean it is IS an iso image. What happens if you run "file /home/sansforensics/Desktop/Images/iso-dirtree.iso" as compare to when you run the "file" command against other .iso files you downloaded?

Ok, I tried your suggestion. This is what I got:

Then I tried it on another .iso file and I got the following:

Also, what do you mean when you say "just because it has an .iso extension doesn't mean it is an iso image"? What else could it be?

Renaming a file
 

One can incorrectly add a meaningless file extension by renaming a file.

The only way the description (ie: file extension)is valid is if the file acts like, and is composed of the correct elements, in a useful order.

If the file does not act like an .iso, it can't function as one.

In the MS Windows world the extension has meaning because it is used to specify the type of the file. In the unix/linux world that extension is not used to determine anything therefore you are allowed to modify it as you like. So the extension .iso may mean that is is a disk image, but may not mean that. (You can even rename an executable or an excel sheet to anything.iso) - you are allowed to follow any kind of convention to name your files. To identify a file type in linux you need to use the command file. see man file about the usage.

OK your first file isn't actually an iso - it says it is a broken link but it shows it is linked to itself which is odd.


The broken link should be removed with "rm /home/sansforensics/Desktop/Images/iso-dirtree1.iso". You can then redownload the iso and try again.


As others have already noted my comment about its name not necessarily proving its purpose is because UNIX/Linux names can be pretty much anything you want. Ideally the extensions people put on names are indicative of what type of file they are but it isn't always the case. In fact you could name a file with multiple dots and/or extensions longer than 3 characters because they aren't truly extensions in the DOS/Windows sense but rather just characters in a file name. In fact you can even use spaces in file names but don't really want to because then you have to remember to put quotes in the reference. So you could create a file with the touch command:
touch "this here file name has spaces and it has.dots.to.confuse.people_and_I_end_it_in_.sh_to_annoy_others.sh"
If you then ran:
ls -l this
You'd not see the file because that isn't its name.
ls -l this* would show it.
ls -l "this here file name has spaces and it has.dots.to.confuse.people_and_I_end_it_in_.sh_to_annoy_others.sh" would of course also show it.

@MensaWater

Thanks for responding.

So if I understand you correctly, Linux is unable to identify what type of file it is (just based on its extension)?

The difficulty I am having understanding this is that how does Linux ever identify what type of file it is? Is there something more internal to the file itself than just the extension?

Linux DID identify the file type. It was a symbolic link. It further told you it was a "broken" link. The output you gave suggests it is broken because it is linked to itself. Possibly removing the file would remove the link on top of the "real" file and you'd see the real file but that isn't guaranteed. Since broken link isn't helping doing the remove would be a good start.

The "file" command looks for "magic number" and/or other details (e.g. permissions on a file) to determine what kind of file it is. (That is to say an ascii file with only read/write permissions has no "magic number" so it will tell you it is "ascii" or "txt" but the same file with execute permissions it might suggest to you is a shell executable (on the theory that you'd not put execute on simple text files).

What "file" does NOT do is assume your file is an iso (or a tar or a shell script) just because it is named with .iso (or .tar or .sh). Putting those suffixes on files is done by "convention" not by "requirement". It is perfectly valid to call all your iso files with NO extension or with a .billybob extension or any other suffix you'd like to put on them.

If you type "man file" it will give you details on how the "file" command works.

Note that "file" will NOT always tell you exactly what you have but it is a good starting point in trying to verify that you have what you think you do.

Another clue comes from the "ls" command. Doing "ls -l" on the file you have with .iso will show you more details about it including permissions, owner, group AND what it is linked to. For symbolic links running "ls -lL" will show you those details for the file it is linked to instead of the link file.

For example on RHEL systems the /etc/init.d directory where init (startup/shutdown) scripts live is actually a symbolic link:
ls -l /etc/init.d
lrwxrwxrwx. 1 root root 11 Mar 9 2011 /etc/init.d -> rc.d/init.d
The "l" shows the type is a symbolic clink, the rwxrwxrwx shows it is read/write/execute for owner, group and everyone. The the "root root" shows it is owned by root and grouped to root. The "->" shows that it is linked to rd.d/init.d (and since that doesn't start with "/" you know it is relative to /etc so it is linked to /etc/rc.d/init.d).

If you then do ls -lL /etc/init.d you get different output which is a list of files in rc.d/init.d (because it turns out that is a directory rather than just a file). You can add the "-d" flag to ls to make it show the permissions on a directory instead of showing you its contents:
ls -lLd /etc/init.d shows:
drwxr-xr-x. 2 root root 4096 Apr 22 07:55 /etc/init.d
Which is the same as you'd get doing the ls on the linked directory:
ls -lLd /etc/rc.d/init.d
drwxr-xr-x. 2 root root 4096 Apr 22 07:55 /etc/rc.d/init.d
The d at start of both of those show it is a direcotyr. The rwxr-x-r-x shows read/write/execute for owner, but only read/execute for group and everyone else. (For directories the "x" doesn't make them executable but instead allows access to items in the directory.)

pan64 explained above. Use the file command. The details of how this works behind the scenes might be explained by someone but not myself as I have no idea. In a terminal do: touch junk.iso. this creates a file by that name and if you run: find junk.iso you will get:

The reason it shows "empty" is because it is. I then open it in a text editor and type a short line and save it and re-run the command:

file junk.iso and get the following output:

On a file named file HD2.pdf, if I run file HD2.pdf I get:

That would be how you determine the file type. Behind the scenes what it doesn is briefly explained at the site below and if you do an online search I am sure you will find more detailed informaiton:

http://www.linfo.org/file_command.html

Yes, the file command itself tries to analyze the file you want to identify. It has a built in algorithm and a database to recognize different kind of file types - based on the content and not on its extension. It will not be able to detect everything just the ones which are known by that internal database.