Difference between revisions of "Mmls"

From SleuthKitWiki
Jump to: navigation, search
m
m
Line 1: Line 1:
 +
Back to [[Help Documents]]
 
==mmls==
 
==mmls==
 
Version 2.09
 
Version 2.09

Revision as of 16:15, 17 November 2007

Back to Help Documents

mmls

Version 2.09

Purpose

Display the layout of media management systems (partition tables) mmls displays the layout of the media management systems, which include partition tables and disk labels.
Namely, it will show which sectors are not being used so that those can be searched for hidden data. It also gives the length value so that it can be plugged into ’dd’ more easily for extracting the partitions. It also will show BSD disk labels for Free, Open, and NetBSD and will dis-play the output in sectors and not cylinders. Lastly, it works on non-Linux systems.

Usage

mmls [-t mmtype ] [-o offset ] [ -i imgtype ] [-brvV] image [images]

Options

Switch Purpose
-t mmtype Specify the media management type. Use the -? option for supported types.
-o offset Specify the offset into the image where the volume containing the partition system starts. The relative offset of the partition system will be added to this value.
-i imgtype Identify the type of image file, such as raw or split. Raw is the default.
-b Include a column with the partition sizes in bytes
-r Recurse into DOS partitions and look for other partition tables. This setup frequently occurs when Unix is installed on x86 systems.
-v Verbose output of debugging statements to stderr
-V Display version
image [images] One (or more if split) disk images whose format is given with ’-i’.

Example

To list the partition table of a Windows system using autodetect:

# mmls disk_image.dd

To list the contents of a BSD system that starts in sector 12345 of a split image:

# mmls -t bsd -o 12345 -i split disk-1.dd disk-2.dd

History

mmls first appeared in The Sleuth Kit v1.63.

Author

Brian Carrier <carrier@sleuthkit.org>