
Getting Started

Learn the basic principles of exhuming partitions from a disk image.

The exhume_partitions tool identifies and lists the partitions within a disk image. This is a crucial first step in digital forensics: you need to know where each partition starts and how large it is before diving into filesystem analysis. The tool supports both the MBR partition scheme (including extended partitions and their chain of Extended Boot Records) and GPT.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is written in Rust, so a Rust toolchain (rustup and cargo) is required to build or install it. The official rustup installer is a script piped into a shell; download and inspect it first if your environment requires that.

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Installing

The following installs exhume_partitions version 0.2.2 into your Cargo bin directory (~/.cargo/bin by default), making it available globally:

cargo install exhume_partitions@0.2.2

Contributing

Clone the exhume_partitions repository and build it from source.

git clone https://github.com/forensicxlab/exhume_partitions
cd exhume_partitions
cargo build --release

You can then start enhancing the tool.

🚀 Basic Usage

Required flags:

  • -b, --body <FILE>: Path to the disk image (the "body" to examine).

Optional flags:

  • -l, --log-level <LEVEL>: Logging level (error, warn, info, debug, trace). Default is info.
  • -f, --format <FORMAT>: Format of the image (raw or ewf). When omitted, the format is detected from the image itself, as the example below shows.
  • -j, --json: Display the partitions in JSON format instead of the text tables.
  • -o, --output <OUTPUT_PATH>: Write the partition information to this file.

exhume_partitions -b <path_to_image> [-f <format>] [-l <level>] [-j] [-o <output_file>]

📘 Example

exhume_partitions -b disk.E01

This will:

  • Open disk.E01, detecting the EWF (Expert Witness Format) container automatically since no -f was given.
  • Parse the MBR, follow any extended partition to its EBR entries, and print the partition tables.

Sample output. Note that the Bootloader column is a linear disassembly of the boot code area that precedes the partition table, so data bytes embedded in the code and the zero padding after it show up as meaningless instructions (a pair of 0x00 bytes decodes as add byte ptr [bx + si], al); only the instruction stream up to the final jump is real code:

[2025-04-14T09:37:25Z INFO  exhume_body] Detected an EWF disk image.
[2025-04-14T09:37:25Z INFO  exhume_partitions] Detected an MBR partition scheme.
[2025-04-14T09:37:25Z INFO  exhume_partitions] Extended partition discovered.
[2025-04-14T09:37:25Z WARN  exhume_partitions] No GPT signature found
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Bootloader | 0x1000: jmp 0x1065 |
| | 0x1002: nop |
| | 0x1003: adc byte ptr [bp - 0x4330], cl |
| | 0x1007: add byte ptr [bx + si + 0xb8], dh |
| | 0x100b: add byte ptr [bp - 0x7128], cl |
| | 0x100f: sar bl, 0xbe |
| | 0x1012: add byte ptr [si - 0x41], bh |
| | 0x1015: add byte ptr [0xb9], al |
| | 0x1019: add dh, bl |
| | 0x101b: movsb byte ptr es:[di], byte ptr [si] |
| | 0x101c: ljmp 0:0x621 |
| | 0x1021: mov si, 0x7be |
| | 0x1024: cmp byte ptr [si], al |
| | 0x1026: jne 0x1033 |
| | 0x1028: add si, 0x10 |
| | 0x102b: cmp si, 0x7fe |
| | 0x102f: jne 0x1024 |
| | 0x1031: jmp 0x1049 |
| | 0x1033: mov ah, 2 |
| | 0x1035: mov al, 1 |
| | 0x1037: mov bx, 0x7c00 |
| | 0x103a: mov dl, 0x80 |
| | 0x103c: mov dh, byte ptr [si + 1] |
| | 0x103f: mov cx, word ptr [si + 2] |
| | 0x1042: int 0x13 |
| | 0x1044: ljmp 0:0x7c00 |
| | 0x1049: jmp 0x1049 |
| | 0x104b: add byte ptr [bx + si], al |
| | 0x104d: add byte ptr [bx + si], al |
| | 0x104f: add byte ptr [bx + si], al |
| | 0x1051: add byte ptr [bx + si], al |
| | 0x1053: add byte ptr [bx + si], al |
| | 0x1055: add byte ptr [bx + si], al |
| | 0x1057: add byte ptr [bx + si], al |
| | 0x1059: add byte ptr [bx + si], al |
| | 0x105b: add byte ptr [bx + di], 0 |
| | 0x105e: add byte ptr [bx + si], al |
| | 0x1060: add byte ptr [bx + si], al |
| | 0x1062: add byte ptr [bx + si], al |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Partition tables entries | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | Bootable | Start address (CHS) | End address (CHS) | Start address (LBA) | Partition type | Type Description | First byte address | Size (in sectors) | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 128 | (0, 32, 33) | (1023, 254, 63) | 0x800 | 0x83 | "Linux/GNU Hurd" | 0x100000 | 0x9c00000 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (1023, 254, 63) | (1023, 254, 63) | 0x9c00ffe | 0x05 | "Extended" | 0x13801ffc00 | 0x3fe802 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (0, 0, 0) | (0, 0, 0) | 0x0 | 0x00 | "Unused" | 0x0 | 0x0 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (0, 0, 0) | (0, 0, 0) | 0x0 | 0x00 | "Unused" | 0x0 | 0x0 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| MBR Signature | 0xaa55 |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+

+------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| Extended Boot Record Entries | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
| | | Bootable | Start (CHS) | End (CHS) | Start (LBA) | Type | Description | First Byte Addr | Size (sectors) | |
| | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
| | | 0x00 | (1023, 254, 63) | (1023, 254, 63) | 0x9C01000 | 0x82 | "Linux Swap" | 0x1380200000 | 0x3FE800 | |
| | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
+------------------------------+-------------------------------------------------------------------------------------------------------------------------+
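To make the columns above concrete, here is a small MBR/EBR parser in Rust that reproduces them: Start address (LBA), First byte address (LBA times 512), and the walk from an extended partition to its EBR entries. It is an added example written for this page, not code from exhume_partitions; the struct and function names, the constructed 32-sector sample image and the loop guard are this example's own choices, and it reads raw images only (for an E01 the EWF container must be decoded first, which the log above shows exhume_body doing for the tool). Two details matter when reading the output above. First, an EBR's slot 0 (the logical partition) is relative to that EBR, while its slot 1 (the link to the next EBR) is relative to the start of the extended partition; that is why the Linux Swap entry begins at 0x9C01000, two sectors after the extended partition at 0x9c00ffe. Second, every LBA in the chain comes from the evidence, so the parser bounds-checks each sector read and refuses a chain that loops back on itself, which a crafted image can produce.

```rust
// Added example for this page, not exhume_partitions code: parse the MBR at LBA 0, follow an
// extended partition's EBR chain, and check LBA 1 for a GPT header. Names and the sample image are this example's own.
use std::collections::HashSet;
use std::convert::{TryFrom, TryInto};
pub const SECTOR: u64 = 512;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Partition {
    pub bootable: bool,
    pub start_chs: (u16, u8, u8), // (cylinder, head, sector), as printed in the table above
    pub end_chs: (u16, u8, u8),
    pub ptype: u8,
    pub start_lba: u64, // absolute; EBR-relative offsets already resolved
    pub sectors: u64,
}

impl Partition {
    pub fn first_byte(&self) -> u64 { self.start_lba * SECTOR } // the "First byte address" column
}

/// Unpack a packed CHS triple: head byte, sector (6 bits) + cylinder high 2 bits, cylinder low byte.
pub fn decode_chs(raw: &[u8]) -> (u16, u8, u8) {
    (((raw[1] as u16 & 0xC0) << 2) | raw[2] as u16, raw[0], raw[1] & 0x3F)
}

/// Parse one 16-byte entry; `base` is what its 32-bit LBA field is relative to.
fn parse_entry(raw: &[u8], base: u64) -> Option<Partition> {
    if raw[4] == 0 { return None; } // type 0x00: unused slot
    let field = |r: &[u8]| u32::from_le_bytes(r.try_into().unwrap()) as u64;
    Some(Partition {
        bootable: raw[0] == 0x80, start_chs: decode_chs(&raw[1..4]), end_chs: decode_chs(&raw[5..8]),
        ptype: raw[4], start_lba: base + field(&raw[8..12]), sectors: field(&raw[12..16]),
    })
}

/// Bounds-checked view of one sector: every LBA comes from the image and is untrusted.
fn sector_at(image: &[u8], lba: u64) -> Result<&[u8], String> {
    let off = lba.checked_mul(SECTOR).and_then(|b| usize::try_from(b).ok());
    off.and_then(|o| image.get(o..o.checked_add(SECTOR as usize)?))
        .ok_or_else(|| format!("LBA {:#x} lies beyond the image", lba))
}

/// True when LBA 1 begins with the "EFI PART" signature of a GPT header.
pub fn has_gpt_signature(image: &[u8]) -> bool {
    sector_at(image, 1).map(|s| &s[..8] == b"EFI PART").unwrap_or(false)
}

/// Four primary entries first, then every EBR reachable from an extended entry.
pub fn parse_mbr(image: &[u8]) -> Result<Vec<Partition>, String> {
    let mbr = sector_at(image, 0)?;
    if mbr[510..] != [0x55, 0xAA] { return Err("no 0xAA55 signature in the MBR".into()); }
    let mut parts: Vec<Partition> = (0..4).filter_map(|i| parse_entry(&mbr[446 + 16 * i..462 + 16 * i], 0)).collect();
    let extended: Vec<u64> = parts.iter().filter(|p| matches!(p.ptype, 0x05 | 0x0F | 0x85)).map(|p| p.start_lba).collect();
    for ext_base in extended {
        let (mut seen, mut ebr_lba) = (HashSet::new(), ext_base); // a crafted image can loop the chain
        loop {
            if !seen.insert(ebr_lba) { return Err(format!("EBR chain loops back to LBA {:#x}", ebr_lba)); }
            let ebr = sector_at(image, ebr_lba)?;
            if ebr[510..] != [0x55, 0xAA] { return Err(format!("EBR at LBA {:#x} lacks 0xAA55", ebr_lba)); }
            // slot 0: the logical partition, relative to this EBR
            parts.extend(parse_entry(&ebr[446..462], ebr_lba));
            // slot 1: the next EBR, relative to the extended partition's own start
            match parse_entry(&ebr[462..478], ext_base) {
                Some(next) => ebr_lba = next.start_lba,
                None => break,
            }
        }
    }
    Ok(parts)
}

/// Constructed 32-sector image (not a real capture): bootable Linux + extended with swap and Linux logicals.
pub fn sample_image() -> Vec<u8> {
    fn entry(sec: &mut [u8], slot: usize, boot: u8, chs: [u8; 3], ptype: u8, lba: u32, n: u32) {
        let e = &mut sec[446 + 16 * slot..462 + 16 * slot];
        e[0] = boot; e[4] = ptype;
        e[1..4].copy_from_slice(&chs);
        e[5..8].copy_from_slice(&[0xFE, 0xFF, 0xFF]); // end CHS (1023, 254, 63)
        e[8..12].copy_from_slice(&lba.to_le_bytes());
        e[12..16].copy_from_slice(&n.to_le_bytes());
        sec[510..].copy_from_slice(&[0x55, 0xAA]);
    }
    let s = SECTOR as usize;
    let mut img = vec![0u8; 32 * s];
    entry(&mut img[..s], 0, 0x80, [0x20, 0x21, 0x00], 0x83, 2, 10); // start CHS (0, 32, 33)
    entry(&mut img[..s], 1, 0x00, [0xFE, 0xFF, 0xFF], 0x05, 16, 16); // extended container
    entry(&mut img[16 * s..17 * s], 0, 0x00, [0xFE, 0xFF, 0xFF], 0x82, 1, 6); // swap at 16 + 1
    entry(&mut img[16 * s..17 * s], 1, 0x00, [0xFE, 0xFF, 0xFF], 0x05, 8, 8); // next EBR at 16 + 8
    entry(&mut img[24 * s..25 * s], 0, 0x00, [0xFE, 0xFF, 0xFF], 0x83, 1, 6); // Linux at 24 + 1
    img
}

fn main() {
    let img = sample_image();
    println!("GPT header at LBA 1: {}", has_gpt_signature(&img));
    for p in parse_mbr(&img).expect("valid MBR") { println!("{:?} first byte {:#x}", p, p.first_byte()); }
}
```

Running it prints the two primary entries followed by the two logical ones, in the same order the tool's tables list them. Type values 0x05, 0x0F and 0x85 are all treated as extended containers; the CHS triples decode to the same (0, 32, 33) and (1023, 254, 63) values seen in the sample output, the latter being the conventional "beyond CHS range" marker rather than a real geometry.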