Difference between pages "Mounting Disk Images" and "File:1-BB9780-VendorPlateRemoval.jpg"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (kpartx)
 
 
Line 1: Line 1:
= FreeBSD =
 
  
To mount a disk image on [[FreeBSD]]:
 
 
First attach the image to unit #1:
 
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
 
 
Then mount:
 
  # mount -t msdos /dev/md1s1 /mnt
 
 
  # ls /mnt
 
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
 
 
To unmount:
 
 
  # umount /mnt
 
  # mdconfig -d -u 1
 
 
To mount the image read-only, use:
 
 
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 
  # mount -o ro -t msdos /dev/md1s1 /mnt
 
 
= Linux =
 
 
==To mount a disk image on [[Linux]]==
 
 
# mount -t vfat -o loop,ro,noexec img.dd /mnt
 
 
The '''''ro''''' is for read-only.
 
 
This will mount NSRL ISOs:
 
 
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
 
 
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
 
 
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
 
 
===kpartx===
 
 
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
 
 
        Device        Boot      Start      End      Blocks Id  System
 
    rawimage.dd1              1          1        8001  83  Linux
 
    rawimage.dd2              2          2        8032+  5  Extended
 
    rawimage.dd5              2          2        8001  83  Linux
 
 
creates the command
 
 
#  kpartx -v -a rawimage.dd
 
 
this mappings
 
 
    /dev/mapper/loop0p1
 
    /dev/mapper/loop0p2
 
    /dev/mapper/loop0p5
 
 
The Partitions can now mount easy with
 
 
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
 
 
Don't forget the switch '''''-o ro''''' !
 
 
==To unmount==
 
 
# umount /mnt
 
 
== Mounting Images Using Alternate Superblocks ==
 
 
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
 
 
[[Category:Howtos]]
 

Latest revision as of 01:30, 8 August 2013