Difference between pages "Mounting Disk Images" and "Hard Drive Passwords"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(To mount a disk image on Linux using kpartx)
 
m (--- ->—)
 
Line 1: Line 1:
= FreeBSD =
+
Some hard drives support passwords. These passwords can be implemented in computer's operating system, its BIOS, or even in the hard drive's firmware.  Passwords implemented in the OS are the easiest to remove, those in the firmware are the hardest.
  
To mount a disk image on [[FreeBSD]]:
+
Sometimes people use the term "password" but the hard drive is really [[Full Disk Encryption|encrypted]], and the password is used to unlock a decryption key. These passwords cannot be removed — the encryption key must be cracked or discovered through another means.
  
First attach the image to unit #1:
+
=Vendors=
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
+
Disklabs (www.disklabs.com) is able to remove some forms of hard drive passwords.
  
Then mount:
+
Dell will assist law enforcement in removing the passwords from password-protected hard drives. You need to provide Dell with a copy of the search warrant and the computer's service tag #. Reportedly this can be done over the phone, once you have a good relationship with Dell.
  # mount -t msdos /dev/md1s1 /mnt
+
 
+
  # ls /mnt
+
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
+
 
+
To unmount:
+
 
+
  # umount /mnt
+
  # mdconfig -d -u 1
+
 
+
To mount the image read-only, use:
+
 
+
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
+
  # mount -o ro -t msdos /dev/md1s1 /mnt
+
 
+
= Linux =
+
 
+
==To mount a disk image on [[Linux]]==
+
 
+
# mount -t vfat -o loop,ro,noexec img.dd /mnt
+
 
+
The '''''ro''''' is for read-only.
+
 
+
This will mount NSRL ISOs:
+
 
+
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
+
 
+
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
+
 
+
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
+
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
+
 
+
===kpartx===
+
 
+
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' unter Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
+
 
+
        Device        Boot      Start      End      Blocks Id  System
+
    rawimage.dd1              1          1        8001  83  Linux
+
    rawimage.dd2              2          2        8032+  5  Extended
+
    rawimage.dd5              2          2        8001  83  Linux
+
 
+
creates the command
+
 
+
#  kpartx -v -a rawimage.dd
+
 
+
this mappings
+
 
+
    /dev/mapper/loop0p1
+
    /dev/mapper/loop0p2
+
    /dev/mapper/loop0p5
+
 
+
The Partitions can now mount easy with  
+
 
+
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
+
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
+
 
+
Don't forget the switch '''''-o ro''''' !
+
 
+
==To unmount==
+
 
+
# umount /mnt
+
 
+
== Mounting Images Using Alternate Superblocks ==
+
 
+
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
+
 
+
[[Category:Howtos]]
+

Revision as of 11:11, 17 July 2008

Some hard drives support passwords. These passwords can be implemented in computer's operating system, its BIOS, or even in the hard drive's firmware. Passwords implemented in the OS are the easiest to remove, those in the firmware are the hardest.

Sometimes people use the term "password" but the hard drive is really encrypted, and the password is used to unlock a decryption key. These passwords cannot be removed — the encryption key must be cracked or discovered through another means.

Vendors

Disklabs (www.disklabs.com) is able to remove some forms of hard drive passwords.

Dell will assist law enforcement in removing the passwords from password-protected hard drives. You need to provide Dell with a copy of the search warrant and the computer's service tag #. Reportedly this can be done over the phone, once you have a good relationship with Dell.