Disk Forensics
Analyze drives. Find hidden partitions. Recover evidence.
CLASSIFIED SCENARIO
A double agent's laptop has been seized at the border. Intelligence suggests hidden partitions contain evidence of espionage activities. Your mission: analyze the disk structure, identify all partitions (visible and hidden), and document findings for the prosecution team.
Why Disk Forensics Matters
Storage devices reveal the truth that users try to hide. Understanding disk structure is fundamental to:
- Evidence recovery - Finding deleted files and hidden partitions
- Capacity planning - Understanding available space for operations
- Attack surface mapping - Identifying mounted filesystems and access points
- Persistence detection - Finding hidden volumes used by malware
What Adversaries Hide
- Hidden partitions - Unallocated space, encrypted volumes
- Alternate data streams - NTFS hidden streams
- Slack space - Data in unused portions of clusters
- Bad sector claims - False bad sectors hiding data
Core Disk Commands
df - Disk Free
Show mounted filesystem usage. Quick overview of what's accessible.
du - Disk Usage
Calculate directory sizes. Find where data accumulates.
mount - Show Mounts
Display all mounted filesystems and their mount points.
lsblk - List Blocks
Show all block devices and their hierarchy. Reveals hidden partitions.
fdisk -l - Partition Table
Read partition table directly. Shows ALL partitions including unmounted.
Command Deep Dive
lsblk - Block Device Tree
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 500G 0 disk
├─sda1 8:1 0 100M 0 part /boot/efi
├─sda2 8:2 0 450G 0 part /
└─sda3 8:3 0 50G 0 part [UNMOUNTED - HIDDEN?]
sdb 8:16 0 1T 0 disk
└─sdb1 8:17 0 1T 0 part /data
[INTEL] sda3 is not mounted - potential hidden partition!
fdisk -l - Partition Details
$ sudo fdisk -l /dev/sda
Disk /dev/sda: 500 GiB, 536870912000 bytes
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 206847 204800 100M EF EFI System
/dev/sda2 206848 944482303 944275456 450G 83 Linux
/dev/sda3 944482304 1048575999 104093696 50G 83 Linux
[DISCOVERY] Partition sda3 (50GB) exists but is not in the mount list!
[ACTION] Mount and examine: sudo mount /dev/sda3 /mnt/evidence
[NOTE] Mount seized media read-only (add -o ro) so examination does not alter the evidence.
df vs du - Usage Analysis
$ df -h /data
Filesystem Size Used Avail Use% Mounted on
/dev/sdb1 1.0T 750G 250G 75% /data
$ du -sh /data/*
450G /data/projects
200G /data/backups
50G /data/documents
[DISCREPANCY] df reports 750G used, but the visible directories add up to only 700G!
$ du -sh /data/.[!.]*
50G /data/.hidden [HIDDEN DIRECTORY!]
[INTEL] The missing 50GB is in the hidden .hidden directory (a plain * glob skips dot-names, so list them explicitly)
Quick Reference
| Command | Purpose | Key Flags |
|---|---|---|
| df -h | Filesystem space usage | -h (human), -T (type) |
| du -sh | Directory size | -s (summary), -h (human) |
| mount | Show mounted filesystems | No flags needed |
| lsblk | List block devices | -f (filesystem info) |
| fdisk -l | Partition table | Requires sudo |
| blkid | Block device attributes | Shows UUID, type |
Forensic Workflow
# === DISK FORENSICS CHECKLIST ===
$ lsblk # 1. Map all block devices
$ sudo fdisk -l # 2. Read partition tables
$ mount | grep -v tmpfs # 3. Check what's mounted
$ df -hT # 4. Filesystem usage + types
$ sudo blkid # 5. Get UUIDs and fs types
# Look for: unmounted partitions, size discrepancies, hidden directories
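As an added example (not part of this page's material), the two checks the checklist asks for, unmounted partitions and a df/du gap, written as small shell helpers that work on captured command output. The lsblk and du samples are constructed to match the walkthrough above; the live commands are given in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: apply the checklist's two checks
# to captured output so they can be run offline on constructed samples.

# Constructed sample of `lsblk -rno NAME,TYPE,MOUNTPOINT` (raw, one device per
# line; an unmounted partition leaves the third column empty).
SAMPLE_LSBLK='sda disk
sda1 part /boot/efi
sda2 part /
sda3 part
sdb disk
sdb1 part /data'

# Constructed sample of `du -sk /data/*` (KiB, then path): the three visible
# directories from the walkthrough (450G + 200G + 50G = 700G).
SAMPLE_DU='471859200 /data/projects
209715200 /data/backups
52428800 /data/documents'

# Print each partition that has no mount point.
# stdin: lsblk -rno NAME,TYPE,MOUNTPOINT output.
# Live use: lsblk -rno NAME,TYPE,MOUNTPOINT | unmounted_parts
unmounted_parts() {
    awk '$2 == "part" && $3 == "" { print $1 }'
}

# Print the KiB that df reports as used but du did not account for.
# $1 = df "Used" value in KiB; stdin = du -sk lines. A non-zero result means
# data lives somewhere du was not pointed at: dot-directories, deleted but
# still-open files, or a filesystem mounted underneath.
# Live use: du -sk /data/* | unaccounted_kib "$(df -k --output=used /data | tail -n 1)"
unaccounted_kib() {
    awk -v used="$1" '{ sum += $1 } END { printf "%d\n", used - sum }'
}

# Stand-alone run on the constructed samples.
printf 'Unmounted partitions:\n'
printf '%s\n' "$SAMPLE_LSBLK" | unmounted_parts
printf 'KiB used per df but missing from du: '
printf '%s\n' "$SAMPLE_DU" | unaccounted_kib 786432000    # df: 750G used
```

On the sample data the first helper prints sda3 and the second prints 52428800 (50G), the same gap the walkthrough traced to /data/.hidden.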
Ready to Analyze Seized Media?
Test your forensics skills, then examine the double agent's laptop.