Mmls

From SleuthKitWiki
Revision as of 19:45, 11 September 2008 by Carrier (Talk | contribs)

Jump to: navigation, search

Back to Help Documents


mmls displays the contents of a volume system (media management). In general, this is used to list the partition table contents so that you can determine where each partition starts. The output identifies the type of partition and its length, which makes it easy to use 'dd' to extract the partitions. The output is sorted based on the starting sector so it is easy to identify gaps in the layout.

Output Example

DOS Partition

Output of running 'mmls' on a DOS partition

% mmls -t dos disk.dd
DOS Partition Table
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0002056319   0002056257   Win95 FAT32 (0x0B)
03:  00:01   0002056320   0008209214   0006152895   OpenBSD (0xA6)
04:  00:02   0008209215   0019999727   0011790513   FreeBSD (0xA5)

BSD Disk Label

Output of running 'mmls' on an OpenBSD disk label, which is inside of a DOS partition (as shown in the DOS partition example).

% mmls -t bsd -o 2056321 disk.dd
BSD Disk Label
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  02      0000000000   0019999727   0019999728   Unused (0x00)
01:  08      0000000063   0002056319   0002056257   MSDOS (0x08)
02:  00      0002056320   0002260943   0000204624   4.2BSD (0x07)
03:  01      0002260944   0002875823   0000614880   Swap (0x01)
04:  03      0002875824   0003080447   0000204624   4.2BSD (0x07)
05:  04      0003080448   0003233663   0000153216   4.2BSD (0x07)
06:  07      0003233664   0004257791   0001024128   4.2BSD (0x07)
07:  06      0004257792   0008209214   0003951423   4.2BSD (0x07)
08:  09      0008209215   0019984859   0011775645   Unknown (0x0A)

Mac Partitions

Output from running 'mmls' on a Mac system:

# mmls -t mac mac-disk.dd
MAC Partition Map
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Unallocated
01:  00      0000000001   0000000063   0000000063   Apple_partition_map
02:  -----   0000000001   0000000010   0000000010   Table
03:  -----   0000000011   0000000063   0000000053   Unallocated
04:  01      0000000064   0000000117   0000000054   Apple_Driver43
05:  02      0000000118   0000000191   0000000074   Apple_Driver43
06:  03      0000000192   0000000245   0000000054   Apple_Driver_ATA
07:  04      0000000246   0000000319   0000000074   Apple_Driver_ATA
08:  05      0000000320   0000000519   0000000200   Apple_FWDriver
09:  06      0000000520   0000001031   0000000512   Apple_Driver_IOKit
10:  07      0000001032   0000001543   0000000512   Apple_Patches
11:  08      0000001544   0039070059   0039068516   Apple_HFS
12:  09      0039070060   0039070079   0000000020   Apple_Free

Sun VTOC

Output of running 'mmls' on a Sun sparc disk:

# mmls -t sun solaris.disk.dd 
Sun VTOC
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  01      0000000000   0001048949   0001048950   swap (0x03)
01:  02      0000000000   0010257029   0010257030   backup (0x05)
02:  07      0001050840   0001460024   0000409185   /home/ (0x08)
03:  05      0001460025   0001971269   0000511245   /var/ (0x07)
04:  00      0001971270   0004113584   0002142315   / (0x02)
05:  06      0004113585   0010257029   0006143445   /usr/ (0x04)