How to use the command mmls (with examples)

The mmls command is a tool provided by The Sleuth Kit (TSK) that allows users to display the partition layout of a volume system. This can be especially helpful when analyzing disk images or examining the layout of different partitions within a storage device.

Use case 1: Display the partition table stored in an image file

Code:

mmls path/to/image_file

Motivation: By running the mmls command on a specified image file, users can obtain information about the partition table stored within that image. This can be useful for forensic investigations or when working with disk images in general.

Explanation:

  • mmls: The main command that is used to invoke the mmls tool.
  • path/to/image_file: The path to the image file for which you want to display the partition table.

Example output:

GUID Partition Table (EFI)
Offset         Size           Description
-------------- -------------- -----------
0               2ef000         Primary GPT Header
2ef000         2             Backup GPT Header
2ef040         2097152        Table of primary partitions
210f040        28672          EFI System Partition
------------------------------------------------------------------------
...

Use case 2: Display the partition table with an additional column for the partition size

Code:

mmls -B path/to/image_file

Motivation: The -B option in the mmls command is used to display an additional column representing the size of each partition in bytes. This can be helpful for understanding the relative sizes of different partitions within a volume system.

Explanation:

  • -B: A command line option that enables an additional column for displaying the partition size in bytes.
  • path/to/image_file: The path to the image file for which you want to display the partition table. The image is a positional argument; -i takes an image type (such as raw or ewf), not a path.

Example output:

GUID Partition Table (EFI)
Offset         Size           Description
-------------- -------------- ----------- -----------
0               2ef000         2ef000      Primary GPT Header
2ef000         2             2            Backup GPT Header
2ef040         2097152        2097152     Table of primary partitions
210f040        28672          28672       EFI System Partition
------------------------------------------------------------------------
...

Use case 3: Display the partition table in a split EWF image

Code:

mmls -i ewf image.e01 image.e02

Motivation: The -i option in the mmls command tells it the image type. With the ewf type, users can read a split EWF image, which is a disk image that has been split into multiple files. This can be useful when working with large disk images that need to be split for practical reasons.

Explanation:

  • -i ewf: A command line option that is used to specify an image type. In this case, it is specified as ewf, indicating an EWF image.
  • image.e01 image.e02: The paths to the segment files of the split EWF image.

Example output:

GUID Partition Table (EFI)
Offset         Size           Description
-------------- -------------- -----------
0               2ef000         Primary GPT Header
2ef000         2             Backup GPT Header
2ef040         2097152        Table of primary partitions
210f040        28672          EFI System Partition
------------------------------------------------------------------------
...

Use case 4: Display nested partition tables

Code:

mmls -t nested_table_type -o offset path/to/image_file

Motivation: In certain scenarios, a disk image may contain nested partition tables, for example a BSD disklabel inside a DOS partition. The mmls command allows users to specify the nested table type and offset to display the partition table within that nested structure.

Explanation:

  • -t nested_table_type: A command line option used to specify the type of the nested partition table (dos, mac, bsd, sun or gpt; mmls -t list prints the supported types).
  • -o offset: A command line option used to specify the offset, in sectors, at which the volume holding the nested partition table starts.
  • path/to/image_file: The path to the image file for which you want to display the nested partition table.

Example output:

MBR Partition Table
Offset         Size           Description
-------------- -------------- -----------
0              440            MBR Code
------------------------------------------------------------------------
1              63             Extended Table
------------------------------------------------------------------------
5              16980212       HPFS - NTFS                 (C: drive)
------------------------------------------------------------------------
...
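
Added example (not from the original page or The Sleuth Kit): a Python script that reads the DOS/MBR partition table from a constructed 512-byte sector and builds the mmls -t/-o command for each BSD slice that holds its own disklabel. The NESTED mapping, the function names and the sample sector are assumptions made for illustration.

```python
import struct

SECTOR = 512
# Assumed mapping: MBR partition type -> mmls -t value for the table nested inside it
NESTED = {0xA5: "bsd", 0xA6: "bsd", 0xA9: "bsd"}  # FreeBSD, OpenBSD, NetBSD

def parse_mbr(sector0: bytes):
    """Return the non-empty primary entries of a DOS/MBR partition table."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    entries = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot : 462 + 16 * slot]
        # Layout: boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        _flag, ptype, start, length = struct.unpack("<B3xB3xII", raw)
        if ptype == 0 or length == 0:
            continue  # unused slot
        entries.append({"slot": slot, "type": ptype, "start": start, "length": length})
    return entries

def nested_commands(entries, image="path/to/image_file"):
    """Build the mmls invocation for each partition that carries a nested table."""
    return [f"mmls -t {NESTED[e['type']]} -o {e['start']} {image}"
            for e in entries if e["type"] in NESTED]

def build_sample_mbr():
    """Constructed test sector: one NTFS partition and one FreeBSD slice."""
    table = b"".join([
        struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800),    # NTFS, bootable
        struct.pack("<B3xB3xII", 0x00, 0xA5, 206848, 409600),  # FreeBSD slice
        bytes(32),                                             # two empty slots
    ])
    return bytes(446) + table + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(f"slot {p['slot']} type 0x{p['type']:02x} start {p['start']} "
              f"length {p['length']} byte offset {p['start'] * SECTOR}")
    print(*nested_commands(parts), sep="\n")
```

The start sector of the slice is the value passed to -o; multiplying it by the sector size gives the byte offset that tools expecting bytes require.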

Conclusion:

The mmls command is a versatile tool provided by The Sleuth Kit that allows users to display the partition layout of a volume system. Whether it’s analyzing disk images or examining nested partition tables, mmls provides valuable insights into the structure and contents of a storage device.
