Difference between pages "How to analyse partitions" and "Mounting Disk Images"

From ForensicsWiki
(Difference between pages)
(Category.)
 
m (To mount a disk image on Linux)
 
Line 1: Line 1:
A How-to for dealing with partitions.
+
= FreeBSD =
  
[http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12] suggests using the ''mmls'' program to display the contents of partitions.
+
To mount a disk image on [[FreeBSD]]:
  
For example:
+
First attach the image to unit #1:
 +
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
  
   # mmls -t dos disk.dd
+
Then mount:
  Slot Start End Length Description
+
   # mount -t msdos /dev/md1s1 /mnt
  00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
+
  01: ----- 0000000001 0000000062 0000000062 Unallocated
+
  02: 00:00 0000000063 0002056319 0002056257 Win95 FAT32 (0x0B)
+
  03: 00:01 0002056320 0008209214 0006152895 OpenBSD (0xA6)
+
  04: 00:02 0008209215 0019999727 0011790513 FreeBSD (0xA5)
+
  
You can use mmls to examine the OpenBSD and FreeBSD partitions that are inside the DOS partition:
+
  # ls /mnt
 +
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
  
  # mmls -t bsd -o 2056321 disk.dd
+
To unmount:
  Length Description
+
  00: 02 0000000000 0019999727 0019999728 Unused (0x00)
+
  01: 08 0000000063 0002056319 0002056257 MSDOS (0x08)
+
  02: 00 0002056320 0002260943 0000204624 4.2BSD (0x07)
+
  03: 01 0002260944 0002875823 0000614880 Swap (0x01)
+
  04: 03 0002875824 0003080447 0000204624 4.2BSD (0x07)
+
  05: 04 0003080448 0003233663 0000153216 4.2BSD (0x07)
+
  06: 07 0003233664 0004257791 0001024128 4.2BSD (0x07)
+
  07: 06 0004257792 0008209214 0003951423 4.2BSD (0x07)
+
  08: 09 0008209215 0019984859 0011775645 Unknown (0x0A)
+
  
(Examples from [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12])
+
  # umount /mnt
 +
  # mdconfig -d -u 1
  
== External Links ==
+
To mount the image read-only, use:
  
* [http://www.sleuthkit.org/informer/sleuthkit-informer-12.html Sleuth Kit Informer #12: Using mmls from The Sleuth Kit]
+
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 +
  # mount -o ro -t msdos /dev/md1s1 /mnt
  
[[Category:Howtos]]
+
= Linux =
 +
 
 +
==To mount a disk image on [[Linux]]==
 +
 
 +
# mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt
 +
-or-
 +
# mount -t vfat -o loop=/dev/loop/0,ro,noexec img.dd /mnt
 +
 
 +
==To unmount==
 +
 
 +
# umount /mnt
 +
 
 +
To mount the image read-only, use:
 +
 
 +
# mount -t vfat -o ro,loop=/dev/loop0 img.dd /mnt
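Review bot: The added Linux command lines ("# mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt" and the three after it) have no leading space, unlike the FreeBSD commands in the same revision. In wikitext a line that begins with "#" is a numbered-list item, so indent these by one space to have them render as preformatted commands. The final "To mount the image read-only, use:" example also repeats what the first Linux command already does with "ro" while dropping "noexec"; either remove it or keep the option set consistent with the first command.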

Revision as of 12:18, 23 May 2006

FreeBSD

To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt
 BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt

Linux

To mount a disk image on Linux:

 # mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt

-or-

 # mount -t vfat -o loop=/dev/loop/0,ro,noexec img.dd /mnt

To unmount:

 # umount /mnt

To mount the image read-only, use:

 # mount -t vfat -o ro,loop=/dev/loop0 img.dd /mnt
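
The Linux commands above loop-mount img.dd as a single file system; for an image of a whole disk, such as the one mounted through /dev/md1s1 in the FreeBSD section, the loop device has to start at the partition's byte offset. The following is an added example, not part of the original wiki page, that turns the mmls listing quoted in this page's diff into a read-only mount command. The function names and the 512-byte sector size are assumptions.

```shell
#!/bin/sh
# Added example: build a read-only loop-mount command for one partition of a
# whole-disk image from mmls output. Function names are illustrative.
SECTOR_SIZE=512   # assumption: mmls reports offsets in 512-byte sectors

# Constructed sample input: the DOS partition table listing quoted on this page.
sample_mmls() {
cat <<'EOF'
     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0002056319   0002056257   Win95 FAT32 (0x0B)
03:  00:01   0002056320   0008209214   0006152895   OpenBSD (0xA6)
04:  00:02   0008209215   0019999727   0011790513   FreeBSD (0xA5)
EOF
}

# partition_offset ENTRY
# Reads mmls output on stdin and prints the byte offset of entry ENTRY (the
# first column, e.g. 02). Returns non-zero for a missing entry or for one that
# is not a partition (slot "-----": the table itself or unallocated space).
partition_offset() {
    start=$(awk -v entry="$1:" '
        $1 == entry && $2 != "-----" {
            s = $3
            sub(/^0+/, "", s)   # strip zero padding (sh arithmetic would read it as octal)
            print (s == "" ? "0" : s)
            ok = 1
            exit
        }
        END { exit !ok }
    ') || return 1
    echo $((start * SECTOR_SIZE))
}

# ro_mount_cmd IMAGE ENTRY MOUNTPOINT FSTYPE
# Prints the mount command instead of running it, so it can be reviewed and
# recorded in the case notes first. ro and noexec are the options used on this
# page; offset= is the loop option that skips to the partition start.
ro_mount_cmd() {
    off=$(partition_offset "$2") || return 1
    printf 'mount -t %s -o ro,noexec,loop,offset=%s %s %s\n' "$4" "$off" "$1" "$3"
}

# Demo on the constructed sample; with a real image: mmls -t dos disk.dd | ro_mount_cmd ...
sample_mmls | ro_mount_cmd disk.dd 02 /mnt vfat
```

Hashing the image file before mounting and again after unmounting confirms that the read-only mount left the evidence unchanged.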