Difference between pages "Mounting Disk Images" and "Slack"

From ForensicsWiki

= FreeBSD =

To mount a disk image on [[FreeBSD]]:

First attach the image to memory-disk unit 1, which creates the device /dev/md1:

  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount the first slice of the memory disk:

  # mount -t msdos /dev/md1s1 /mnt

  # ls /mnt
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS

To unmount, and then detach the memory disk:

  # umount /mnt
  # mdconfig -d -u 1

To mount the image read-only, mark both the memory disk and the mount read-only:

  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
  # mount -o ro -t msdos /dev/md1s1 /mnt

= Linux =

== To mount a disk image on [[Linux]] ==

  # mount -t vfat -o loop,ro,noexec img.dd /mnt

The '''''ro''''' option mounts the image read-only; '''''noexec''''' prevents executables on the image from being run.

This will mount NSRL ISOs:

  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec

Some raw images contain multiple partitions (e.g. a full hard-disk image). In this case it is necessary to specify the starting offset of each partition. The offset is given in bytes, i.e. the partition's start sector multiplied by the sector size: the first example below starts at sector 63 of a disk with 512-byte sectors (63 × 512 = 32256).

  # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
  # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
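The byte offset that ''mount -o loop,offset=...'' expects comes from the image's partition table. As an added example that is not part of the original wiki page, the following Python script parses the four primary entries of an MBR sector (a constructed sample, not a real image), computes each partition's starting byte offset and size assuming 512-byte sectors, and emits read-only, noexec loop-mount commands like the ones above; extended partitions (type 5, as in the kpartx listing below) are reported as containers only, since their logical partitions are what kpartx maps for you. The partition-type to filesystem mapping and the ''/mnt/tmp_N'' mount points are assumptions.

```python
import struct

SECTOR_SIZE = 512  # assumed; matches the page's offset=32256 (= sector 63 * 512)

# Assumed mapping of MBR partition type bytes to the -t argument of mount.
FSTYPE_BY_PARTITION_TYPE = {0x01: "vfat", 0x04: "vfat", 0x06: "vfat", 0x0B: "vfat",
                            0x0C: "vfat", 0x07: "ntfs", 0x83: "ext4"}
EXTENDED_TYPES = {0x05, 0x0F}  # containers for logical partitions; kpartx walks these


def parse_mbr(sector, sector_size=SECTOR_SIZE):
    """Return the used primary entries of an MBR as dicts with byte offset and size."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        # Each 16-byte entry: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, nsectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0 or nsectors == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "type": ptype, "bootable": status == 0x80,
                      "offset": lba_start * sector_size, "size": nsectors * sector_size,
                      "extended": ptype in EXTENDED_TYPES})
    return parts


def mount_commands(image, parts, mount_base="/mnt/tmp"):
    """Build read-only, noexec loop-mount commands, one per mountable primary partition."""
    cmds = []
    for p in parts:
        if p["extended"]:
            continue  # the container holds no filesystem; use kpartx for its logical partitions
        fstype = FSTYPE_BY_PARTITION_TYPE.get(p["type"], "auto")
        cmds.append(f"mount -t {fstype} -o loop,offset={p['offset']},ro,noexec "
                    f"{image} {mount_base}_{p['index']}")
    return cmds


def build_sample_mbr():
    """Constructed sample MBR (not a real image): two FAT32 partitions at sectors 63 and 40965750."""
    sector = bytearray(512)
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x0B, 63, 40960)
    struct.pack_into("<B3xB3xII", sector, 462, 0x00, 0x0C, 40965750, 2048)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for cmd in mount_commands("img.dd", parse_mbr(build_sample_mbr())):
        print(cmd)
```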
=== kpartx ===

Mounting raw images with multiple partitions is easier with ''kpartx''. To install it on Debian, run ''aptitude install kpartx'' as root. ''kpartx'' creates a device-mapper mapping for each partition in the image. If the partition table of the raw image looks like this:

        Device        Boot      Start      End      Blocks Id  System
    rawimage.dd1              1          1        8001  83  Linux
    rawimage.dd2              2          2        8032+  5  Extended
    rawimage.dd5              2          2        8001  83  Linux

then the command

  # kpartx -v -a rawimage.dd

creates these mappings:

    /dev/mapper/loop0p1
    /dev/mapper/loop0p2
    /dev/mapper/loop0p5

The partitions can now be mounted with:

  # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
  # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch '''''-o ro'''''!

== To unmount ==

  # umount /mnt

== Mounting Images Using Alternate Superblocks ==

* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]

[[Category:Howtos]]
Slack

Revision as of 11:19, 3 March 2008

== Definition ==

In Computer Forensics '''slack''' refers to the bytes between the logical end of a file and the end of the cluster in which the final byte of the valid file resides.

== Slack Types ==

=== RAM Slack ===

=== File Slack ===

== External Links ==