[ale] linux old timers question (late 1990s)
Greg Freemyer
greg.freemyer at gmail.com
Wed Nov 1 18:09:58 EST 2006
All,
I have an old 80 MB disk I need to figure out/review. Appears to be
from the late 1990s.
I've used dd to make a copy of it.
It does not seem to have a traditional partition table and running
file against it tells me:
dd-image: Linux/x86 Kernel, Setup Version 0x201, zImage, RO-rootFS,
root_dev 0xFF, Normal VGA
Which is very close to what I get if I run file against a current
kernel in /boot.
So it looks like the first portion of this 80 MB disk is a linux
kernel. Running strings against it I see:
>>
4rz6
C9m{
8;R~
gP~IA~q
olh~
t0DO
~c-f9
4*{&j
ca)m
]ZF*
sY>L
E]xb
RQSP
Loading
$HdrS
ZZuC
PQ0
No setup signature found ...
Wrong loader, giving up...
2.0.29 (source at alyshia) #51 Mon Apr 7 02:49:06 PDT 1997
INT15 refuses to access high mem, giving up...
<<
Which makes me think that this is a 2.0.29 kernel from 1997. (I don't
know if those dates are consistent or not.)
Can anyone tell me how I can find a filesystem on this image? i.e.
What is the offset to the start of any and all filesystems.
I assume if I knew the offset I could do a mount -o loop to mount it
and take a look around at the filesystem.
Thanks
Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
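
An added example, not part of the original post: one way to find candidate filesystem offsets in an image like this is to step through it one sector at a time and look for an ext2 or Minix v1 superblock 1024 bytes past each candidate start. The choice of those two filesystem types, the function names and the sample image are assumptions made here; the header fields are sanity-checked so that a stray magic value alone is not reported.

```python
import struct

SB_OFF = 1024  # ext2 and Minix both keep the superblock 1 KiB into the filesystem

def _ext2(sb, room):
    inodes, blocks = struct.unpack_from("<II", sb, 0)
    first_data, log_bs = struct.unpack_from("<II", sb, 20)
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != 0xEF53 or not inodes or not blocks or log_bs > 6:
        return None
    size = blocks * (1024 << log_bs)
    # With 1 KiB blocks the first data block is 1, otherwise 0.
    ok = first_data == (1 if log_bs == 0 else 0) and size <= room
    return ("ext2", size) if ok else None

def _minix(sb, room):
    ninodes, nzones, imap, zmap, first_zone, log_zs = struct.unpack_from("<6H", sb, 0)
    (magic,) = struct.unpack_from("<H", sb, 16)
    if magic not in (0x137F, 0x138F) or log_zs != 0:
        return None
    ok = ninodes and imap and zmap and 0 < first_zone < nzones and nzones * 1024 <= room
    return ("minix", nzones * 1024) if ok else None

def find_filesystems(image, step=512):
    """Return (byte_offset, type, size_in_bytes) for each plausible superblock."""
    hits = []
    last = len(image) - SB_OFF - 64
    for start in range(0, last + 1, step):
        sb = image[start + SB_OFF : start + SB_OFF + 64]
        for probe in (_ext2, _minix):
            found = probe(sb, len(image) - start)  # filesystem must fit in what is left
            if found:
                hits.append((start, *found))
    return hits

def build_sample():
    """Constructed test image: 4 KiB of filler, then an 8 KiB fake ext2 area."""
    img = bytearray(4096 + 8192)
    struct.pack_into("<H", img, 512 + SB_OFF + 56, 0xEF53)  # decoy: magic only
    sb = 4096 + SB_OFF
    struct.pack_into("<II", img, sb, 16, 8)        # inode count, block count
    struct.pack_into("<II", img, sb + 20, 1, 0)    # first data block, log block size
    struct.pack_into("<H", img, sb + 56, 0xEF53)
    return bytes(img)

if __name__ == "__main__":
    for off, kind, size in find_filesystems(build_sample()):
        print(f"{kind} at byte offset {off}, {size} bytes")
```

To scan a real image, pass its contents (for example `open("dd-image", "rb").read()`) to `find_filesystems`; a reported offset can then be tried read-only with `mount -o ro,loop,offset=N`.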