
Difference between revisions of "Mounting Disk Images"

From ForensicsWiki
m
 
(Free Tools)
(16 intermediate revisions by 6 users not shown)
Line 1: Line 1:
=FreeBSD=
+
= FreeBSD =
To mount a disk image on FreeBSD:
+
  
First attach to image to unit #1:
+
To mount a disk image on [[FreeBSD]]:
 +
 
 +
First attach the image to unit #1:
 
   # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
 
   # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
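Review bot: The first command in the FreeBSD section, `mdconfig -a -t vnode -f ... -u 1`, still attaches the image read-write, and the `-o readonly` form only appears later on the page. For a forensics how-to, lead with the read-only attach and present the writable form as the exception, so that copying the first example cannot modify the evidence file.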
  
Line 20: Line 21:
 
   # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 
   # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 
   # mount -o ro -t msdos /dev/md1s1 /mnt
 
   # mount -o ro -t msdos /dev/md1s1 /mnt
 +
 +
= Linux =
 +
 +
==To mount a disk image on [[Linux]]==
 +
 +
# mount -t vfat -o loop,ro,noexec img.dd /mnt
 +
 +
The '''''ro''''' is for read-only.
 +
 +
This will mount NSRL ISOs:
 +
 +
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
 +
 +
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
 +
 +
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 +
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
 +
 +
===kpartx===
 +
 +
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
 +
 +
        Device        Boot      Start      End      Blocks Id  System
 +
    rawimage.dd1              1          1        8001  83  Linux
 +
    rawimage.dd2              2          2        8032+  5  Extended
 +
    rawimage.dd5              2          2        8001  83  Linux
 +
 +
The command
 +
 +
#  kpartx -v -a rawimage.dd
 +
 +
creates these mappings
 +
 +
    /dev/mapper/loop0p1
 +
    /dev/mapper/loop0p2
 +
    /dev/mapper/loop0p5
 +
 +
The partitions can be mounted with these commands:
 +
 +
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 +
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
 +
 +
Don't forget the switch '''''-o ro''''' !
 +
 +
==To unmount==
 +
 +
# umount /mnt
 +
 +
== Mounting Images Using Alternate Superblocks ==
 +
 +
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
 +
 +
= Windows =
 +
 +
MS Windows does not include a native means for mounting acquired images.  However, there are tools available for mounting acquired images on Windows systems.
 +
 +
== Free Tools ==
 +
 +
* [http://accessdata.com/support/adownloads#FTKImager FTK Imager v.3.0]
 +
* [http://www.ltr-data.se/opencode.html#ImDisk ImDisk] - also on [http://en.wikipedia.org/wiki/ImDisk WikiPedia]
 +
* Paraben's [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=268 P2 Explorer]
 +
* [http://www.vmxbuilder.com/vdk-gui/ VDKWin], requires [http://chitchat.at.infoseek.co.jp/vmware/vdk.html VDK]
 +
* [http://archive.msdn.microsoft.com/vhdtool vhdtool] - an unsupported MS tool that you can use to convert a raw/dd image to a VHD file and mount as a read-only volume via Disk Manager
 +
 +
== Commercial Tools ==
 +
 +
* [http://www.asrdata.com/SmartMount/ SmartMount]
 +
* [http://www.mountimage.com/ Mount Image Pro] - has a 14-day trial version
 +
 +
[[Category:Howtos]]
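Review bot: In the kpartx subsection the two `mount /dev/mapper/loop0p... -o ro` lines rely on `-o ro` alone while the partitions shown are type 83 (Linux); on ext3/ext4 a read-only mount can still replay the journal and write to the image, so suggest `-o ro,noload` there and creating the mappings read-only with `kpartx -r`. The "To unmount" section also shows only `umount /mnt`, although the examples mount on /mnt/tmp_1 and /media/suspectHD_01/; it should unmount those paths and remove the mappings with `kpartx -d rawimage.dd`.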

Revision as of 20:35, 23 August 2011

FreeBSD

To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt
 BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt

Linux

To mount a disk image on Linux

 # mount -t vfat -o loop,ro,noexec img.dd /mnt

The ro is for read-only.

This will mount NSRL ISOs:

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec 

Some raw images contain multiple partitions (e.g. a full hard disk image). In this case, it's necessary to specify a starting offset for each partition.

 # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
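
The offset is in bytes: the partition's starting sector multiplied by the sector size (32256 = 63 × 512). As an added example, not part of the original wiki page, this script reads the four primary MBR entries of a raw image and prints the matching read-only mount commands. It assumes 512-byte sectors and a classic MBR without logical partitions; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the wiki page): compute loop-mount offsets from an MBR.
# Assumptions: 512-byte sectors, classic MBR, primary partitions only.
SECTOR_SIZE=512

# le32 FILE POS: print the little-endian 32-bit value stored at byte POS.
le32() {
    od -An -v -tu1 -j "$2" -N 4 "$1" |
        awk '{ printf "%.0f\n", $1 + $2*256 + $3*65536 + $4*16777216 }'
}

# mbr_offsets IMAGE: one line per used primary entry:
#   <number> <type, hex> <start offset in bytes> <length in bytes>
mbr_offsets() {
    img=$1
    # A valid MBR ends with the signature bytes 55 AA at offset 510.
    sig=$(od -An -v -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "$img: no MBR signature" >&2
        return 1
    fi
    n=1
    while [ "$n" -le 4 ]; do
        entry=$((446 + (n - 1) * 16))          # 16-byte entries start at 446
        ptype=$(od -An -v -tx1 -j $((entry + 4)) -N 1 "$img" | tr -d ' \n')
        if [ "$ptype" != "00" ]; then          # type 00 marks an unused slot
            start=$(le32 "$img" $((entry + 8)))    # first sector (LBA)
            count=$(le32 "$img" $((entry + 12)))   # length in sectors
            echo "$n $ptype $((start * SECTOR_SIZE)) $((count * SECTOR_SIZE))"
        fi
        n=$((n + 1))
    done
}

# mount_cmds IMAGE: print, without running them, read-only mount commands.
# sizelimit keeps each loop device from reading past its own partition.
mount_cmds() {
    mbr_offsets "$1" | while read -r num ptype off size; do
        echo "mount -o loop,ro,noexec,offset=$off,sizelimit=$size $1 /mnt/tmp_$num"
    done
}

# Usage: sh mbr_offsets.sh img.dd
if [ "$#" -ge 1 ]; then
    mount_cmds "$1"
fi
```

The filesystem type is left to auto-detection; add `-t vfat` or similar once the type column has been checked.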

kpartx

Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx creates a device mapping for each partition. If the raw image looks like this:

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command

 # kpartx -v -a rawimage.dd

creates these mappings

   /dev/mapper/loop0p1
   /dev/mapper/loop0p2
   /dev/mapper/loop0p5

The partitions can be mounted with these commands:

 # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch -o ro!

To unmount

 # umount /mnt

Mounting Images Using Alternate Superblocks

Windows

MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.

Free Tools

Commercial Tools