Mounting partitions from a full-drive image.
Matthew Carpenter
mcarpenter at intelguardians.com
Fri Dec 21 11:23:39 PST 2007
Want to mount a partition from a full-drive forensic image? Certain types of
analysis benefit greatly from this.
Assume we want the first partition, which is NTFS...
First we see where the partition lives on the drive....
$ sudo sfdisk -d drive.img
# partition table of drive.img
unit: sectors
drive.img1 : start= 63, size=1757784042, Id=42
drive.img2 : start= 0, size= 0, Id= 0
drive.img3 : start= 0, size= 0, Id= 0
drive.img4 : start= 0, size= 0, Id= 0
Next, we determine how many bytes in the "start" is...
63 sectors * 512 bytes/sector = 32256
Now, we mount the drive using the loopback device *and an offset*!!
$ sudo mount -o ro,noatime,loop,offset=32256 -t ntfs drive.img mntpoint/
Voila! Now feel free to scan the drive using antivirus, move through the
filesystem, etc...
For more information (including a kernel-patch for enhanced access to
loop-mounted images and using losetup):
http://edseek.com/~jasonb/articles/linux_loopback.html
--
Matthew Carpenter
mcarpenter at intelguardians.com
http://www.intelguardians.com
PGP Fingerprint:
87EB 54A8 FB42 0A0E B8AE CDA7 FF99 2A64 E70F 4466
hkp://wwwkeys.pgp.net
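As an added example (not part of Matthew's post), a small POSIX shell script that does the offset arithmetic above from an `sfdisk -d` dump and assembles the read-only loop mount command for any partition number. The dump embedded below is constructed to mirror the post (with a second partition added for illustration), and the 512-byte sector size is assumed as in the post.

```shell
#!/bin/sh
# Added example: compute a partition's byte offset from `sfdisk -d` output
# and build the read-only, loop-backed mount command for it.
# Sector size is assumed to be 512 bytes, as in the post.
SECTOR_SIZE=512

# Constructed sample dump; on a real image use: dump=$(sudo sfdisk -d drive.img)
SAMPLE_DUMP='# partition table of drive.img
unit: sectors

drive.img1 : start=       63, size=1757784042, Id=42
drive.img2 : start=1757784105, size=   204800, Id=83
drive.img3 : start=        0, size=        0, Id= 0
drive.img4 : start=        0, size=        0, Id= 0'

# partition_offset <sfdisk-dump> <partition-number>
# Prints start-sector * SECTOR_SIZE; returns 1 if the partition is not listed.
partition_offset() {
    printf '%s\n' "$1" | awk -v n="$2" -v ss="$SECTOR_SIZE" '
        # Match the row whose device name ends in the requested number,
        # e.g. "drive.img1 : start= 63, ..." (sfdisk pads the number).
        $1 ~ ("[^0-9]" n "$") && $2 == ":" {
            line = $0
            sub(/.*start= */, "", line)   # drop everything up to the sector count
            sub(/,.*/, "", line)          # drop the rest of the row
            printf "%.0f\n", line * ss    # %.0f avoids integer-width limits
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# mount_command <sfdisk-dump> <image> <partition-number> <fstype> <mountpoint>
# Prints (does not run) the read-only mount command; ro + noatime keep the
# image unmodified, which is what a forensic workflow requires.
mount_command() {
    off=$(partition_offset "$1" "$3") || return 1
    printf 'mount -o ro,noatime,loop,offset=%s -t %s %s %s\n' \
        "$off" "$4" "$2" "$5"
}

# Reproduce the post's command for the first (NTFS) partition.
mount_command "$SAMPLE_DUMP" drive.img 1 ntfs mntpoint/
```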