1)
dapatkan offset:
mmls ../image/image.raw
Output:
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0001023999 0001021952 Basic data partition
005: 001 0001024000 0001226751 0000202752 EFI system partition
006: 004 0001226752 0001227263 0000000512 Microsoft shadow copy partition
007: 002 0001227264 0001259519 0000032256 Microsoft reserved partition
008: 003 0001259520 0209713151 0208453632 Basic data partition
009: ------- 0209713152 0209715199 0000002048 Unallocated
2) extract mft to file mft.raw:
icat -o 0001259520 image.raw 0 > mft.raw
dapatkan offset:
mmls ../image/image.raw
Output:
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000002048 0001023999 0001021952 Basic data partition
005: 001 0001024000 0001226751 0000202752 EFI system partition
006: 004 0001226752 0001227263 0000000512 Microsoft shadow copy partition
007: 002 0001227264 0001259519 0000032256 Microsoft reserved partition
008: 003 0001259520 0209713151 0208453632 Basic data partition
009: ------- 0209713152 0209715199 0000002048 Unallocated
2) extract mft to file mft.raw:
icat -o 0001259520 image.raw 0 > mft.raw
No comments:
Post a Comment
Terima kasih