Difference between pages "Mounting Disk Images" and "Remnant Data"

Revision as of 19:35, 31 July 2007

Remnant data is data that can be recovered from magnetic media after new information has been written to that media. Although remnant data has been recovered from magnetic tapes and floppy disks, there is no credible report that has been published in the open literature that remnant data can be recovered from modern hard drives.

@@ Line 1: / Line 1: @@
-= FreeBSD =
+Remnant data is data that can be recovered from magnetic media after new information has been written to that media. Although remnant data has been recovered from magnetic tapes and floppy disks, there is no credible report that has been published in the open literature that remnant data can be recovered from modern hard drives.
-To mount a disk image on [[FreeBSD]]:
-First attach the image to unit #1:
-  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
-Then mount:
-  # mount -t msdos /dev/md1s1 /mnt
-  # ls /mnt
-  BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS
-To unmount:
-  # umount /mnt
-  # mdconfig -d -u 1
-To mount the image read-only, use:
-  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
-  # mount -o ro -t msdos /dev/md1s1 /mnt
-= Linux =
-==To mount a disk image on [[Linux]]==
- # mount -t vfat -o loop,ro,noexec img.dd /mnt
-The '''''ro''''' is for read-only.
-This will mount NSRL ISOs:
-  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
-Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
- # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
- # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
-===kpartx===
-Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
-        Device        Boot      Start       End      Blocks Id  System
-     rawimage.dd1               1           1        8001   83  Linux
-     rawimage.dd2               2           2        8032+   5  Extended
-     rawimage.dd5               2           2        8001   83  Linux
-The command
- #   kpartx -v -a rawimage.dd
-creates these mappings
-    /dev/mapper/loop0p1
-    /dev/mapper/loop0p2
-    /dev/mapper/loop0p5
-The partitions can be mounted with these commands:
- # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
- # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
-Don't forget the switch '''''-o ro''''' !
-==To unmount==
- # umount /mnt
-== Mounting Images Using Alternate Superblocks ==
-* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
-= Windows =
-MS Windows does not include a native means for mounting acquired images.  However, there are tools available for mounting acquired images on Windows systems.
-== Free Tools ==
-* [http://accessdata.com/support/adownloads#FTKImager FTK Imager v.3.0]
-* [http://www.ltr-data.se/opencode.html#ImDisk ImDisk] - also on [http://en.wikipedia.org/wiki/ImDisk WikiPedia]
-* Paraben's [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=268 P2 Explorer]
-* [http://www.vmxbuilder.com/vdk-gui/ VDKWin], requires [http://chitchat.at.infoseek.co.jp/vmware/vdk.html VDK]
-== Commercial Tools ==
-* [http://www.asrdata.com/SmartMount/ SmartMount]
-* [http://www.mountimage.com/ Mount Image Pro] - has a 14-day trial version
-[[Category:Howtos]]

Difference between pages "Mounting Disk Images" and "Remnant Data"

Revision as of 19:35, 31 July 2007

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox