Any tool under linux to parsing BPB/Bs/FAT table?

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

Dear all:
I recently trace FS/fat and I want to know is there any utility under
linux that can help us to easily parse BPB/BS or FAT tables?

appreciate your help,
miloody

Any tool under linux to parsing BPB/Bs/FAT table?

[Beraldo Leal]

On Mon, Dec 20, 2010 at 09:45:47PM +0800, loody wrote:
> Dear all:
> I recently trace FS/fat and I want to know is there any utility under
> linux that can help us to easily parse BPB/BS or FAT tables?

http://gitorious.org/unix-stuff/fat-util ?

-- 
Beraldo Costa Leal
FLOSS Competence Center - CCSL
University of S?o Paulo - USP
http://ccsl.ime.usp.br/
0xE98690EB - http://pgp.mit.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20101220/73799603/attachment-0001.bin 

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

Dear all:
I recently trace FS/fat and I want to know is there any utility under
linux that can help us to easily parse BPB/BS or FAT tables?

appreciate your help,
miloody

Any tool under linux to parsing BPB/Bs/FAT table?

[Greg Freemyer]

On Mon, Dec 20, 2010 at 2:45 AM, loody <miloody@gmail.com> wrote:
> Dear all:
> I recently trace FS/fat and I want to know is there any utility under
> linux that can help us to easily parse BPB/BS or FAT tables?
>
> appreciate your help,
> miloody

TSK3 apparently does some FAT analysis/parsing.

See this extracted from
http://www.sleuthkit.org/sleuthkit/docs/api-docs/files.html

===
tsk3/fs/fatfs.c	Contains the internal TSK FAT file system code to
handle basic file system processing for opening file system,
processing sectors, and directory entries
tsk3/fs/fatfs_dent.c	Contains the internal TSK FAT file name processing code
tsk3/fs/fatfs_meta.c	Contains the internal TSK FAT file system code to
handle metadata structures
===

TSK3 is command line I believe.  (I've not used it.)

TSK3 is included in Sleuthkit, which is a pretty basic gui I believe
plus some wrappers.

Both TSK3 and Sleuthkit are in the more modern GUI: PTK.
http://ptk.dflabs.com/

All of the above is opensource I believe.  (I normally use commercial
software for filesystem analysis, so I have not used any of the above.
 The only commercial linux filesystem anal. tool that I know of is
"smart".  http://www.asrdata.com/forensic-software/smart-for-linux/  I
haven't tried it in years, so I can't say how good/bad it is
currently.)

Greg

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

hi beraldo:

2010/12/20 Beraldo Leal <beraldo@beraldoleal.com>:
> On Mon, Dec 20, 2010 at 09:45:47PM +0800, loody wrote:
>> Dear all:
>> I recently trace FS/fat and I want to know is there any utility under
>> linux that can help us to easily parse BPB/BS or FAT tables?
>
> http://gitorious.org/unix-stuff/fat-util ?
>
I download the tool you mentioned but I have some questions about the usage.
I try to list out the dir content on my usb flash disk, which is fat
file system.
But I got the below messages:

# mount
/dev/sdc1 on /media/disk type vfat (rw)
# ls /media/disk
ifrename  iwconfig  iwevent  iwgetid  iwlist  iwpriv  iwspy  strace
strace.output  strace.output.tar.bz2
# ./fat-util list strace.output /dev/sdc1
strace.output not found.
#

did I use the wrong cmds or the file system type the utility not support?
appreciate your help,
miloody

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

hi :

2011/3/3 Beraldo Leal <beraldo@beraldoleal.com>:
> On Thu, Mar 03, 2011 at 04:36:50PM +0800, loody wrote:
>> hi beraldo:
>>
>> 2010/12/20 Beraldo Leal <beraldo@beraldoleal.com>:
>> > On Mon, Dec 20, 2010 at 09:45:47PM +0800, loody wrote:
>> >> Dear all:
>> >> I recently trace FS/fat and I want to know is there any utility under
>> >> linux that can help us to easily parse BPB/BS or FAT tables?
>> >
>> > http://gitorious.org/unix-stuff/fat-util ?
>> >
>> I download the tool you mentioned but I have some questions about the usage.
>> I try to list out the dir content on my usb flash disk, which is fat
>> file system.
>> But I got the below messages:
>>
>> # mount
>> /dev/sdc1 on /media/disk type vfat (rw)
>> # ls /media/disk
>> ifrename ?iwconfig ?iwevent ?iwgetid ?iwlist ?iwpriv ?iwspy ?strace
>> strace.output ?strace.output.tar.bz2
>> # ./fat-util list strace.output /dev/sdc1
>> strace.output not found.
> Try: ./fat-util list / /dev/sdc1
>
> May be it show with upper case.
>
I tried the cmds you suggested as below:
# ./fat-util list / /dev/sdc1
0 file(s), 0 dir(s)
#

But the disk did have dirs and files
# mount
/dev/sdc1 on /media/disk type vfat (rw)
# ls /media/disk
ifrename  iwconfig  iwevent  iwgetid  iwlist  iwpriv  iwspy  strace
strace.output  strace.output.tar.bz2
#

thanks for your help,
miloody

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

hi:
2011/3/4 Beraldo Leal <beraldo@beraldoleal.com>:
> On Fri, Mar 04, 2011 at 10:28:58AM +0800, loody wrote:
>> hi :
>>
>> But the disk did have dirs and files
>> # mount
>> /dev/sdc1 on /media/disk type vfat (rw)
>> # ls /media/disk
>> ifrename ?iwconfig ?iwevent ?iwgetid ?iwlist ?iwpriv ?iwspy ?strace
>> strace.output ?strace.output.tar.bz2
>> #
> Please, print the ./fat-util info /dev/sdc1 output
here it is :

# ./fat-util info /dev/sdc1
JMP opcodes: EB 58 90
OEM Name:  mkdosfs
Bytes per sector: 512
Sectors per cluster: 8
# reserved sectors: 32
# FATs on volume: 2
# root directory entries: 0
Sectors in volume: 0
Media descriptor type: 248
Sectors per FAT: 0
Sectors per Track: 62
# heads: 63
# hidden sectors: 0
Huge sectors in volume: 3941092
FAT Type: 32
Drive number: 0
Signature: 29
Volume ID: -1598503492
Volume Label:
FAT Type: FAT32
Root Cluster: 2
#

appreciate your help,
miloody

Any tool under linux to parsing BPB/Bs/FAT table?

[loody]

hi Beraldo:
> On Fri, Mar 04, 2011 at 08:09:17PM +0800, loody wrote:
>> hi:
>> # ./fat-util info /dev/sdc1
>> JMP opcodes: EB 58 90
>> OEM Name: ?mkdosfs
>> Bytes per sector: 512
>> Sectors per cluster: 8
>> # reserved sectors: 32
>> # FATs on volume: 2
>> # root directory entries: 0
>> Sectors in volume: 0
>> Media descriptor type: 248
>> Sectors per FAT: 0
>> Sectors per Track: 62
>> # heads: 63
>> # hidden sectors: 0
>> Huge sectors in volume: 3941092
>> FAT Type: 32
>> Drive number: 0
>> Signature: 29
>> Volume ID: -1598503492
>> Volume Label:
>> FAT Type: FAT32
>> Root Cluster: 2
>> #
>
> Hi loody, I think this is a bug.
>
> I never try this tool with a real partition, just with img files:
>
> ?$ dd if=/dev/zero of=/tmp/img2 bs=521 count=100000
> ?$ mkdosfs /tmp/img2
> ?$ mount -o loop /tmp/img2 /media/fat
> ?$ mkdir /media/fat/teste2
> ?$ > /media/fat/teste
> ?$ cp /etc/passwd /media/fat/
> ?$ umount /media/fat
> ?$ ./fat-util list / /tmp/img2
> ? ?2 file(s), 1 dir(s)
> ? ?-----a ? ? ? ?0 2011 Mar 04 TESTE
> ? ?----d- ? ? ? ?0 2011 Mar 04 TESTE2
> ? ?-----a ? ? 2869 2011 Mar 04 PASSWD
>
> Maybe the tool is not ready for real partitions! Sorry...
Actually I think you did a great job, at least you provide a tool for
newbies like me to have a chance to learn file system.


What is the difference between real partition and image?
for kernel, they are nothing but a place to write file systems, right?
Appreciate your help,
miloody
it is fine.

what is the diff