Getting Started
Learn the basic principles of exhuming partitions from a disk image.
The exhume_partitions tool helps you identify and list the partitions within a disk image. This is a crucial step in digital forensics: you need to understand the structure of the disk before diving into filesystem analysis. The tool supports parsing of both MBR and GPT partition schemes.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and macOS: install rustup with
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
- Windows: visit https://www.rust-lang.org/tools/install to install rustup. You can also use winget to install rustup with the following command in PowerShell:
winget install --id Rustlang.Rustup
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Installing
The following command installs exhume_partitions globally.
cargo install exhume_partitions@0.2.2
Contributing
Clone the exhume_partitions repository and build it.
git clone https://github.com/forensicxlab/exhume_partitions
cd exhume_partitions
Start enhancing the tool.
🚀 Basic Usage
Required Flags:
- -b, --body <FILE>: Path to the disk image or body.
Optional Flags:
- -l, --log-level <LEVEL>: Logging level (error, warn, info, debug, trace). Default is info.
- -f, --format <FORMAT>: Format of the image (raw or ewf).
- -j, --json: Display the partitions in JSON format.
- -o, --output <OUTPUT_PATH>: Specify the output file to save partition info.
exhume_partitions -b <path_to_image> -f <format> [-j] [-o <output_file>]
📘 Example
exhume_partitions -b disk.E01
This will:
- Open disk.E01 as an EWF format file
- Identify the partitions and display them.
Sample output:
[2025-04-14T09:37:25Z INFO exhume_body] Detected an EWF disk image.
[2025-04-14T09:37:25Z INFO exhume_partitions] Detected an MBR partition scheme.
[2025-04-14T09:37:25Z INFO exhume_partitions] Extended partition discovered.
[2025-04-14T09:37:25Z WARN exhume_partitions] No GPT signature found
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Bootloader | 0x1000: jmp 0x1065 |
| | 0x1002: nop |
| | 0x1003: adc byte ptr [bp - 0x4330], cl |
| | 0x1007: add byte ptr [bx + si + 0xb8], dh |
| | 0x100b: add byte ptr [bp - 0x7128], cl |
| | 0x100f: sar bl, 0xbe |
| | 0x1012: add byte ptr [si - 0x41], bh |
| | 0x1015: add byte ptr [0xb9], al |
| | 0x1019: add dh, bl |
| | 0x101b: movsb byte ptr es:[di], byte ptr [si] |
| | 0x101c: ljmp 0:0x621 |
| | 0x1021: mov si, 0x7be |
| | 0x1024: cmp byte ptr [si], al |
| | 0x1026: jne 0x1033 |
| | 0x1028: add si, 0x10 |
| | 0x102b: cmp si, 0x7fe |
| | 0x102f: jne 0x1024 |
| | 0x1031: jmp 0x1049 |
| | 0x1033: mov ah, 2 |
| | 0x1035: mov al, 1 |
| | 0x1037: mov bx, 0x7c00 |
| | 0x103a: mov dl, 0x80 |
| | 0x103c: mov dh, byte ptr [si + 1] |
| | 0x103f: mov cx, word ptr [si + 2] |
| | 0x1042: int 0x13 |
| | 0x1044: ljmp 0:0x7c00 |
| | 0x1049: jmp 0x1049 |
| | 0x104b: add byte ptr [bx + si], al |
| | 0x104d: add byte ptr [bx + si], al |
| | 0x104f: add byte ptr [bx + si], al |
| | 0x1051: add byte ptr [bx + si], al |
| | 0x1053: add byte ptr [bx + si], al |
| | 0x1055: add byte ptr [bx + si], al |
| | 0x1057: add byte ptr [bx + si], al |
| | 0x1059: add byte ptr [bx + si], al |
| | 0x105b: add byte ptr [bx + di], 0 |
| | 0x105e: add byte ptr [bx + si], al |
| | 0x1060: add byte ptr [bx + si], al |
| | 0x1062: add byte ptr [bx + si], al |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Partition tables entries | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | Bootable | Start address (CHS) | End address (CHS) | Start address (LBA) | Partition type | Type Description | First byte address | Size (in sectors) | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 128 | (0, 32, 33) | (1023, 254, 63) | 0x800 | 0x83 | "Linux/GNU Hurd" | 0x100000 | 0x9c00000 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (1023, 254, 63) | (1023, 254, 63) | 0x9c00ffe | 0x05 | "Extended" | 0x13801ffc00 | 0x3fe802 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (0, 0, 0) | (0, 0, 0) | 0x0 | 0x00 | "Unused" | 0x0 | 0x0 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
| | | 0 | (0, 0, 0) | (0, 0, 0) | 0x0 | 0x00 | "Unused" | 0x0 | 0x0 | |
| | +----------+---------------------+-------------------+---------------------+----------------+------------------+--------------------+-------------------+ |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| MBR Signature | 0xaa55 |
+--------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
+------------------------------+-------------------------------------------------------------------------------------------------------------------------+
| Extented Boot Record Entries | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
| | | Bootable | Start (CHS) | End (CHS) | Start (LBA) | Type | Description | First Byte Addr | Size (sectors) | |
| | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
| | | 0x00 | (1023, 254, 63) | (1023, 254, 63) | 0x9C01000 | 0x82 | "Linux Swap" | 0x1380200000 | 0x3FE800 | |
| | +----------+-----------------+-----------------+-------------+------+--------------+-----------------+----------------+ |
+------------------------------+-------------------------------------------------------------------------------------------------------------------------+
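As an added example that is not part of exhume_partitions' own code, the Rust below decodes the four primary MBR entries the way they appear in the "Partition tables entries" table above: CHS tuples, partition type, start LBA, size in sectors, and the first byte address (LBA × 512), and flags the extended container whose EBR chain the tool then walks. The sample sector is constructed from the two populated rows of the sample output; treating 0x0f and 0x85 as extended types alongside 0x05 is an assumption beyond what the page shows.

```rust
const SECTOR: u64 = 512; // exhume_partitions reports byte offsets as LBA * 512

#[derive(Debug, PartialEq)]
pub struct MbrEntry {
    pub bootable: u8,             // 0x80 = active, 0x00 = inactive
    pub start_chs: (u16, u8, u8), // (cylinder, head, sector)
    pub end_chs: (u16, u8, u8),
    pub ptype: u8,                // e.g. 0x83 Linux, 0x05 Extended, 0x00 Unused
    pub start_lba: u32,
    pub size_sectors: u32,
}

impl MbrEntry {
    pub fn first_byte(&self) -> u64 { self.start_lba as u64 * SECTOR }
    // Extended container types (0x0f/0x85 assumed); their EBR chain holds the logical partitions.
    pub fn is_extended(&self) -> bool { matches!(self.ptype, 0x05 | 0x0f | 0x85) }
}

// CHS is packed in 3 bytes: head, sector (low 6 bits) + cylinder top 2 bits, cylinder low 8 bits.
fn decode_chs(b: &[u8]) -> (u16, u8, u8) {
    let cylinder = ((b[1] as u16 & 0xc0) << 2) | b[2] as u16;
    (cylinder, b[0], b[1] & 0x3f)
}

// Parse the four 16-byte entries at offset 0x1be after checking the 0xaa55 signature.
pub fn parse_mbr(sector: &[u8]) -> Result<Vec<MbrEntry>, String> {
    if sector.len() < 512 || sector[510..512] != [0x55, 0xaa] {
        return Err("short sector or missing MBR signature (0xaa55)".into());
    }
    Ok((0..4).map(|i| {
        let e = &sector[0x1be + i * 16..0x1be + (i + 1) * 16];
        MbrEntry {
            bootable: e[0],
            start_chs: decode_chs(&e[1..4]),
            ptype: e[4],
            end_chs: decode_chs(&e[5..8]),
            start_lba: u32::from_le_bytes([e[8], e[9], e[10], e[11]]),
            size_sectors: u32::from_le_bytes([e[12], e[13], e[14], e[15]]),
        }
    }).collect())
}

// Constructed sample sector: the two populated rows of the sample output above, entries 3 and 4 unused.
pub fn sample_mbr() -> Vec<u8> {
    let mut s = vec![0u8; 512];
    s[0x1be..0x1ce].copy_from_slice(&[0x80, 0x20, 0x21, 0x00, 0x83, 0xfe, 0xff, 0xff,
                                       0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x09]);
    s[0x1ce..0x1de].copy_from_slice(&[0x00, 0xfe, 0xff, 0xff, 0x05, 0xfe, 0xff, 0xff,
                                       0xfe, 0x0f, 0xc0, 0x09, 0x02, 0xe8, 0x3f, 0x00]);
    s[510] = 0x55; s[511] = 0xaa;
    s
}
```

Running parse_mbr over sample_mbr() reproduces the first two table rows (0x100000 and 0x13801ffc00 as first byte addresses) and rejects a sector without the 0xaa55 signature, which is the "No MBR" failure path a forensic parser must handle before trying GPT.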