mmls

Display the partition table stored in an image file

$ mmls [path/to/image_file]

$ mmls -B -i [path/to/image_file]

$ mmls -i ewf [image.e01] [image.e02]

$ mmls -t [nested_table_type] -o [offset] [path/to/image_file]

mmls [-i imgtype] [-o offset] [-t type] [-V] image [images...]

-i imgtype
    Specify the image type. Examples include 'raw' (for raw disk images), 'ewf' (for EnCase EWF images), or 'aff' (for Advanced Forensic Format images).

-o offset
    Specify the byte offset from the start of the image where the volume system (partition table) begins. This is useful for images with leading data or embedded partition tables within larger files.

-t type
    Specify the partition table type to parse. Supported types include 'dos' (for MBR), 'gpt' (for GUID Partition Table), 'mac' (for Apple Partition Map), 'bsd' (for BSD disk labels), and 'sun' (for Sun VTOC). If not specified, mmls attempts to auto-detect the type.

-V
    Display the version of The Sleuth Kit that mmls is part of and exit.

mmls is a command-line utility from The Sleuth Kit (TSK), a powerful suite of digital forensic tools. Its primary function is to display the partition layout of a disk image or a physical storage device. It parses various partition table formats, including DOS/MBR, GUID Partition Table (GPT), Apple Partition Map, BSD disk labels, and Sun VTOC. By providing a clear listing of partitions, their start and end sectors, and their reported size, mmls helps forensic investigators and system administrators understand the structural organization of a storage medium before deeper file system analysis. It's a foundational tool for initial disk image examination, capable of revealing visible, hidden, or deleted partitions that might contain crucial evidence.

mmls typically requires root privileges when analyzing raw physical devices (e.g., /dev/sda). It is a read-only tool, meaning it will not modify the disk image or device being analyzed. While it supports many common partition table formats, it may not perfectly interpret highly corrupted or custom partition structures. For best results, analyze the entire disk image, not just a partition image, to ensure the primary partition table is included.

The output of mmls typically presents partition details in columns such as 'Offset' (the starting sector of the partition relative to the image or device beginning), 'Length' (the total number of sectors occupied by the partition), and 'Description' (a human-readable label identifying the partition's intended use or file system type, e.g., 'Linux Swap', 'NTFS', 'Unallocated'). These details are critical for understanding the layout and for subsequent forensic analysis to identify and mount specific file systems.

mmls is a core component of The Sleuth Kit (TSK), a collection of open-source digital forensics tools. TSK was originally developed by Brian Carrier in the late 1990s as a replacement for older forensic tools, aiming to provide a robust and extensible framework for analyzing various file systems and disk image formats. mmls specifically addresses the need for reliable partition table analysis, which is a fundamental first step in any digital forensic examination. Its continuous development ensures compatibility with new partition schemes and image formats, making it a staple in the cybersecurity and law enforcement communities.

fdisk(8), parted(8), tskls(1), img_cat(1), fsstat(1)