Most DOS partition tools will not allow the user to create a third entry in an extended partition table. A test image was created by modifying the partition table by hand with a hex editor, and the system was booted. Both Windows and Linux read the third entry in the extended partition table and allowed the user to mount the partition. The purpose of this test is to verify that forensic tools also allow the investigator to view the partition in the third entry.
This test image is a 'raw' disk image (i.e. 'dd'). The disk is 150MB and is compressed to 160KB. This image is released under the GPL, so anyone can use it.
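Primary Table #1

| Entry | Start sector | End sector | Length (sectors) | Type |
|---|---|---|---|---|
| 00 | 0000000063 | 0000052415 | 0000052353 | DOS FAT16 (0x04) |
| 01 | 0000052416 | 0000104831 | 0000052416 | DOS FAT16 (0x04) |
| 02 | 0000104832 | 0000157247 | 0000052416 | DOS FAT16 (0x04) |
| 03 | 0000157248 | 0000312479 | 0000155232 | DOS Extended (0x05) |

Extended Table #1

| Entry | Start sector | End sector | Length (sectors) | Type |
|---|---|---|---|---|
| 00 | 0000157311 | 0000209663 | 0000052353 | DOS FAT16 (0x04) |
| 01 | 0000209727 | 0000262079 | 0000052353 | DOS FAT16 (0x04) |
| 02 | 0000262080 | 0000312479 | 0000050400 | DOS Extended (0x05) |

Extended Table #2

| Entry | Start sector | End sector | Length (sectors) | Type |
|---|---|---|---|---|
| 00 | 0000262143 | 0000312479 | 0000050337 | DOS FAT16 (0x06) |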
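
An added example (not part of the original page or of any tool it tests): a minimal Python walker that follows DOS extended tables and reads all four slots of each table, run against a constructed, sparse stand-in for the layout listed above. The relative offsets in `constructed_image` are derived from the page's absolute sector addresses under the standard DOS convention, and all function names are hypothetical.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}   # DOS, Windows LBA and Linux extended types

def make_table(entries):
    """Constructed sample data: one table sector from (type, rel_start, length)."""
    sec = bytearray(SECTOR)
    for slot, (ptype, rel, length) in enumerate(entries):
        # 16-byte entry: flag, CHS start, type, CHS end, LBA start, sector count
        struct.pack_into("<B3xB3xII", sec, 446 + 16 * slot, 0, ptype, rel, length)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def constructed_image():
    """Sparse stand-in for the image: only the three table sectors are non-zero."""
    sectors = {
        0: make_table([(0x04, 63, 52353), (0x04, 52416, 52416),
                       (0x04, 104832, 52416), (0x05, 157248, 155232)]),
        157248: make_table([(0x04, 63, 52353), (0x04, 52479, 52353),
                            (0x05, 104832, 50400)]),
        262080: make_table([(0x06, 63, 50337)]),
    }
    return lambda lba: sectors.get(lba, bytes(SECTOR))

def walk(read_sector):
    """Return (table_lba, slot, type, first, last) for every used entry."""
    found, seen, queue = [], set(), [(0, 0)]   # queue of (table LBA, extended base)
    while queue:
        lba, ext_base = queue.pop(0)
        if lba in seen:                        # guard against looping tables
            continue
        seen.add(lba)
        sec = read_sector(lba)
        if sec[510:512] != b"\x55\xaa":        # no valid table signature
            continue
        for slot in range(4):                  # all four slots, not just two
            ptype, rel, length = struct.unpack_from("<4xB3xII", sec, 446 + 16 * slot)
            if ptype == 0 or length == 0:
                continue
            is_ext = ptype in EXTENDED
            # Links are relative to the primary extended partition,
            # file system entries to the table sector that lists them.
            first = (ext_base if is_ext else lba) + rel
            found.append((lba, slot, ptype, first, first + length - 1))
            if is_ext:
                queue.append((first, ext_base or first))
    return found
```

A walker that reads only the first two slots of an extended table stops at sector 0000262079 on this layout and never reports the FAT16 (0x06) partition at 0000262143.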
Neither Purdue University nor CERIAS sponsors this work.
These tests are not a complete test suite. These were the first ones that I thought of and no formal theory was put into their design.
Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).
Brian Carrier [carrier <at> digital-evidence <dot> org]
Last Updated: Aug 25, 2003