I hope I post in the right place for my first question.
I’m a forensic IT and I’m currently working on a car multimedia embedded system. Unfortunatly for me, the QNX file systems aren’t recognized by my usual forensic software. So, here is the method I use for extract the data :
First, I recovered a QNX Neutrino virtual machine from QNX’s web site;
I extract every partition in raw foramt and convert us in vmdk;
In my QNX VM, I mount individually in read-only all the vmdk;
After mounting the local network, I copying the datas of all partition.
It seemed that all data are extracted, but after some deep research, I understood that some datas are missing in my extracted partitions.
I found, particularly for two partitions, that there is three sub partitions in one, and two in the other.
My problem is that fdisk refused to mount all this sub partitions. I tried to separate the sub partitions in new files but something is missing.
So, I’m turning to the community for help.
If someone can indicate me where I can find the method to understand how I can interpret the QNX file system or mount the sub partitions, i will be very glad and thankful.
To my knowledge there is no such a thing as a sub partition in a QNX partition.
It is possible that you are looking at a disk image that is mounted in loopback mode.
I see what you say. Unfortunately, I tried to mount my partition specifying option loop in mount command (even in ubuntu), but it didn’t work.
To be precise in my purpose, I did a forensic image of a 4 GB SD memory card in e01 format, and when I mounted my image on my forensic analyzing software, I have seven partitions, by the way
recognized as such by my software. My concerned “partition” is the first of them.
I don’t know very well the functioning of QNX6 file system, but is that it could be different version of the partition ?
I have also tried to split my raw partition in three raw partitions and tried to mount them, but again, nothing worked.
It’s still not clear exactly what you are seeing and what you are trying to accomplish.
It sounds like you took an image of the 4 Gig SD card, looked at it with your forensic S/W and you see 7 partitions. You then extracted each partition into a vmdk file. So does this mean you have 7 vmdk files or less?
How many vmdk files are successfully mounted in your VMWare QNX machine?
Most importantly what exactly are you trying to accomplish?
It’s VERY possible (likely even) that some partitions are non-QNX file system (what does FDISK report for the partition types) as a custom 3rd party protected filesystem driver could have been developed to read/write a raw partition where important information is hidden/stored that only the car company can retain.
So, you are right, I maked a forensic image of a SD Card in which I have seven partitions. This seven partitions has been converted separately in vmdk files.
VMWare accept maximum four vmdk at once. So, knowing that the QNW VM represent one vmdk, I had to make three different launch of my VM for extract the content of the seven partitions.
So, the problem concern one of the vmdk, the first. After an in-depth analysis, I have found that there had more files on this first partition than those I have seen after mounting it in the VM.
I have gived a minutious look into the raw partition, and I saw two more boot sector in this, but nothing visible under my VM and Fdisk.
I don’t know if I was more specific, on the other hand, don’t hesitate to tell to me.
For there to be 2 more boot sectors / hidden files in the first vmdk it would mean that the size of the vmdk != size of partition reported by fdisk. Is that true?
Assuming that is true, it’s possible that the boot sector area is modified at run time by a program (ie Grub) to activate/hide the 2 hidden partitions. That seems like a lot of work to me to just hide some files (vs simply encrypting them) unless there is an actual O/S of some other kind besides QNX in there. If that’s what’s really happening you are pretty much out of luck ever deciphering it unless a program like Grub recognizes it.
You still haven’t said why you want /need the individual files vs just doing an image backup of the CF card in case something goes wrong with the original. Are you trying to modify /change something? Maybe what you are looking for is just in the QNX files you can already access.
At this time, I’m no longer in my office, but as soon as I return, I will look at this element, I don’t thought about it before.
Because it’s installed in a embedded car system, I even think it’s so complicated. I rather thought that this two partitions are older versions of the working partition.
According to the standards of my work, I never have to work on the original SD Card. Furthermore, I work on Windows because the most forensic softwares works only on it, and Windows don’t understand natively the QNX’s filesystems.
The objective of my work is to examine and find elements about the system’s functioning, specially log files that can give specific evidences to the investigators, so this is why I try to find every files of this kind, and the first partition seem to be full of it. Without remounting all the datas of every partition, it’s difficult to put a specific data in the correct context.
Let me know what you find in regards to checking the size of the vmdk vs the size reported by fdisk.
If they are not the same size you may want to consider mounting the original CF in a Linux machine. QNX’s Fdisk program doesn’t handle logical partitions but Linux’s does and may be able to show you the extra partition to validate your theory that it exists.