Difference between pages "Mounting Disk Images" and "Slack"

From ForensicsWiki
m (To mount a disk image on Linux)
 
m
 
Line 1: Line 1:
= FreeBSD =
+
{{Expand}}
  
To mount a disk image on [[FreeBSD]]:
+
== Definition ==
  
First attach the image to unit #1:
+
In Computer Forensics '''slack''' refers to the bytes after the logical end of a file and the end of the cluster wherein the final byte of the valid file resides.
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
+
  
Then mount:
+
== Slack Types ==
  # mount -t msdos /dev/md1s1 /mnt
+
  
  # ls /mnt
+
=== RAM Slack ===
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
+
  
To unmount:
+
=== File Slack ===
  
  # umount /mnt
+
== External Links ==
  # mdconfig -d -u 1
+
 
+
To mount the image read-only, use:
+
 
+
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
+
  # mount -o ro -t msdos /dev/md1s1 /mnt
+
 
+
= Linux =
+
 
+
==To mount a disk image on [[Linux]]==
+
 
+
# mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt
+
-or-
+
# mount -t vfat -o loop=/dev/loop/0,ro,noexec img.dd /mnt
+
 
+
The '''''ro''''' is for read-only.
+
 
+
 
+
Some raw images contains multiple partitions (full HD image). In this case, it's necessary to specify a starting offset for each partition.
+
 
+
# mount -t vfat -o loop=/dev/loop0,offset=32256,ro,noexec img.dd /mnt/tmp_1
+
# mount -t vfat -o loop=/dev/loop1,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
+
 
+
==To unmount==
+
 
+
# umount /mnt
+
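Review bot: The Definition sentence on the Slack side, "the bytes after the logical end of a file and the end of the cluster", names two endpoints but uses "after", so the range is ambiguous; "the bytes between the logical end of a file and the end of the cluster" would say what is meant. The "=== RAM Slack ===" and "=== File Slack ===" headings and "== External Links ==" are added with no text beneath them, so the page does not yet distinguish the two types; a one-line description under each would make the stub usable. On the Mounting Disk Images side, "offset=32256" and "offset=20974464000" appear without saying that they are byte offsets or how to derive them from the partition table, which an examiner needs in order to apply the commands to a different image.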

Revision as of 11:19, 3 March 2008

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Definition

In computer forensics, slack refers to the bytes between the logical end of a file and the end of the cluster in which the final byte of the valid file resides.

Slack Types

RAM Slack

File Slack

External Links