±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36317
New Yesterday: 0 Visitors: 137

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Weird CD ...

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

athulin
Senior Member
 

Weird CD ...

Post Posted: Jul 23, 15 21:30

Find a copy of the Kali 1.1.0 amd CD (Looks like 1.0.9 also works.)

Look at it with your favourite forensic file system viewer.

What do you see?

The weirdness is that the ISO image has an MBR, containing a partition table with two entries, but also the standard ISO 9660 volume descriptors.

Some tools show one but not the other, some show both.

Could be confusing ...  
 
  

thefuf
Senior Member
 

Re: Weird CD ...

Post Posted: Jul 23, 15 22:08

That's a hybrid ISO 9660 image (http://www.syslinux.org/wiki/index.php/Isohybrid).  
 
  

jaclaz
Senior Member
 

Re: Weird CD ...

Post Posted: Jul 24, 15 00:23

@athulin

Yep Smile , nothing particularly "weird", as a matter of fact these isohybrid images are pretty much common in Linux "live" distributions as the same image can be burned/imaged indifferently on CD/DVD or USB stick, being bootable on both.
The recent addition of UEFI firmware have added a layer of complexity to them, as a FAT partition is needed for UEFI booting, but the generic idea of having a same image that can be deployed to both media is the same.

@thefuf
JFYI, besides the "canonical" you linked to, there are other "mixed mode" CD/DVD's, some of which may actually appear "weird", a good example are some Acronis .iso's (though nto strictly speaking isohybrid, as they have no MBR), recently our fellow member Cybergonzo (Author of Isobuster) introduced a few change to the Isobuster tool to allow inspecting parts of them:
www.msfn.org/board/top...to-images/

Still FYI, there is also an approach that can be considered the "reverse" of isohybrid, that is to create in the MBR an entry for the .iso as if it was a partition "Iso fake partition":
reboot.pro/topic/9916-...ohybrided/
Skip to here:
reboot.pro/topic/9916-...d/?p=88531
(the thread includes the "weird" "isohybrided grub4dos" and the "isoless boot CD")

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 1 of 1