| DiskAnalyzer.Fat32Analyzer (version 0.0.1) |
index fat32analyzer.py |
This package implements multiples libraries and tools to parse, analyze
and extract informations from disk on the live system.
~# dd if=/dev/zero of=disk.img bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 0.11415 s, 1.8 GB/s
~# fdisk disk.img
Welcome to fdisk (util-linux 2.41.3).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Device does not contain a recognized partition table.
Created a new DOS (MBR) disklabel with disk identifier 0x88d08f9b.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-409599, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-409599, default 409599):
Created a new partition 1 of type 'Linux' and of size 199 MiB.
Command (m for help): t
Selected partition 1
Hex code or alias (type L to list all): b
Changed type of partition 'Linux' to 'W95 FAT32'.
Command (m for help): p
Disk fat32.img: 200 MiB, 209715200 bytes, 409600 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x88d08f9b
Device Boot Start End Sectors Size Id Type
fat32.img1 2048 409599 407552 199M b W95 FAT32
Command (m for help): w
The partition table has been altered.
~# sudo losetup -Pf disk.img
~# losetup -a
/dev/loop0: []: (/home/kali/fat32.img)
~# sudo mkfs.fat -F 32 /dev/loop0p1
mkfs.fat 4.2 (2021-01-31)
~# sudo mkdir -p /mnt/fat32
~# sudo mount /dev/loop0p1 /mnt/fat32
~# echo "Hello FAT32" > /mnt/fat32/test.txt
~# mkdir /mnt/fat32/dir1
~# echo "Nested file" > /mnt/fat32/dir1/nested.txt
~# touch "/mnt/fat32/ThisIsALongFileNameToTestLFN.txt"
~# python3 -c 'open("/mnt/fat32/big.txt", "w").write("a"*8000)'
~# dd if=/dev/urandom of=/mnt/fat32/big.bin bs=1M count=20
~# sudo umount /mnt/fat32
~# sudo losetup -d /dev/loop0
https://github.com/procount/fat32images/raw/refs/heads/master/noobs1gb.img.zip
C:\> certutil -urlcache https://github.com/RCH2514/Medium-attachments/raw/refs/heads/main/stick.img
C:\> python -m DiskAnalyzer.MbrRepair stick.img
DiskAnalyzer Copyright (C) 2025, 2026 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
Warning: No main partition found, partitions found: EMPTY EMPTY EMPTY EMPTY
[?] <enter> to search partitions, Ctrl+C to stop...
[!] Found a new FAT32 partition at 6 with 49152 sectors (end: 25168896 B)
End Of File
Last sector 49158
[?] <enter> to write a new unbootable MBR, Ctrl+C to stop...
C:\> python -m DiskAnalyzer.MbrRepair stick.img
DiskAnalyzer Copyright (C) 2025, 2026 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
Warning: No main partition found, partitions found: FAT32 EMPTY EMPTY EMPTY
[?] <enter> to search partitions, Ctrl+C to stop...
C:\> python -m DiskAnalyzer.Fat32Analyzer -v stick.img
[+] MBR Detected
Bootloader
ebfeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffff
Partition 1:
Status : 0x00 (INACTIVE)
Type : 0x0B (FAT32)
Start LBA : 6
Total Sectors: 49152 (24.00 MB)
Boot Signature
55aa
[+] FAT32 Boot Sector Detected
Jump Boot: eb5890
OEM Name: mkfs.fat
Bytes Per Sector: 512
Sectors Per Cluster: 1
Reserved Sector Count: 32
Number of FATs: 2
Root Entry Count: 0
Total Sectors 16: 49152
Media: 248
FAT Size 16: 0
Sector per track: 32
Number of heads: 4
Hidden Sectors: 0
Total Sectors 32: 0
FAT Size 32: 378
Extended Flags: 0
File System version: 0
Root Cluster: 2
FSInfo Sector: 1
Backup Boot Sector: 6
Reserved: 000000000000000000000000
Drive Number: 0x80
Reserved: 0
Boot Signature: 0x29
Volume ID: 0x8caae860
Volume Label: NO NAME
File System Type: FAT32
Boot code:
0e1fbe777cac22c0740b56b40ebb0700cd105eebf032e4cd16cd19ebfe54686973206973206e6f74
206120626f6f7461626c65206469736b2e2020506c6561736520696e73657274206120626f6f7461
626c6520666c6f70707920616e640d0a707265737320616e79206b657920746f2074727920616761
696e202e2e2e200d0a00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000
BootSectorSignature: aa55
[+] FSInfo Sector
Lead Signature: 0x41615252
Reserved:
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
Struct Signature: 0x61417272
Free Count: 48363
Next Free Cluster: 2
Reserved: 000000000000000000000000
Trail Signature: 0xaa550000
[>] Partition size in sector: 49152
[+] Directory Entry Found
Long name: notes.txt
Name: NOTES.TXT
Attributes: ARCHIVE
NT Reserved: 0
Creation Time: 22:27:22.082
Creation Date: 2025-07-17
Last Access Date: 2025-07-17
Write Time: 22:27:22
Write Date: 2025-07-17
First Cluster: 3
File Size: 76 bytes
File content:
4e6f7465733a0a2d207072616374696365206d79207a6172726f772073687566666c650a2d206c65
61726e20736f6d652066616c736520637574730a2d20706c617920736f6d65207374730a
[+] Directory Entry Found
Long name: random_thoughts.txt
Name: RANDOM~1.TXT
Attributes: ARCHIVE
NT Reserved: 0
Creation Time: 22:27:22.082
Creation Date: 2025-07-17
Last Access Date: 2025-07-17
Write Time: 22:27:22
Write Date: 2025-07-17
First Cluster: 4
File Size: 56 bytes
File content:
6920776f6e6465722077686572652069207075742074686520666c61672e2064696420692070616c
6d20697420736f6d6577686572653f0a
[+] Directory Entry Found
Long name: secret_magic_collection.gz
Deleted file
Partial name: ECRET~1.GZ
Attributes: ARCHIVE
NT Reserved: 0
Creation Time: 22:27:22.083
Creation Date: 2025-07-17
Last Access Date: 2025-07-17
Write Time: 22:27:22
Write Date: 2025-07-17
First Cluster: 5
File Size: 60 bytes
File content:
1f8b0808ca7879680003666c61672e747874002b4e2eca2c28710e71ab368ccf3128338ecf353133
4c8e372f324cce36ade502000ba1b6db1f000000
C:\>
>>> print(bytes.fromhex("4e6f7465733a0a2d207072616374696365206d79207a6172726f772073687566666c650a2d206c6561726e20736f6d652066616c736520637574730a2d20706c617920736f6d65207374730a").decode())
Notes:
- practice my zarrow shuffle
- learn some false cuts
- play some sts
>>> print(bytes.fromhex("6920776f6e6465722077686572652069207075742074686520666c61672e2064696420692070616c6d20697420736f6d6577686572653f0a").decode())
i wonder where i put the flag. did i palm it somewhere?
>>> from gzip import decompress
>>> print(decompress(bytes.fromhex("1f8b0808ca7879680003666c61672e747874002b4e2eca2c28710e71ab368ccf3128338ecf3531334c8e372f324cce36ade502000ba1b6db1f000000")).decode())
scriptCTF{1_l0v3_m461c_7r1ck5}
>>>
| Functions | ||
| ||
| Data | ||
| __all__ = ['get_partition', 'fat32_parse', 'print_fat32_bootsector', 'fat32_enumeration', 'print_directory_entry', 'save_directory_entry_to_csv'] __author_email__ = 'mauricelambert434@gmail.com' __copyright__ = '\nDiskAnalyzer Copyright (C) 2026 Maurice Lambe...ome to redistribute it\nunder certain conditions.\n' __description__ = '\nThis package implements multiples libraries and...tract informations from disk on the live system.\n' __license__ = 'GPL-3.0 License' __maintainer__ = 'Maurice Lambert' __maintainer_email__ = 'mauricelambert434@gmail.com' __url__ = 'https://github.com/mauricelambert/DiskAnalyzer' | ||
| Author | ||
| Maurice Lambert | ||