Difference between revisions of "Mounting Disk Images"
From Forensics Wiki
m (→kpartx) |
(→Free Tools) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 48: | Line 48: | ||
rawimage.dd5 2 2 8001 83 Linux | rawimage.dd5 2 2 8001 83 Linux | ||
| − | + | The command | |
# kpartx -v -a rawimage.dd | # kpartx -v -a rawimage.dd | ||
| − | + | creates these mappings | |
/dev/mapper/loop0p1 | /dev/mapper/loop0p1 | ||
| Line 58: | Line 58: | ||
/dev/mapper/loop0p5 | /dev/mapper/loop0p5 | ||
| − | The | + | The partitions can be mounted with these commands: |
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro | # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro | ||
| Line 72: | Line 72: | ||
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks] | * [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks] | ||
| + | |||
| + | = Windows = | ||
| + | |||
| + | MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems. | ||
| + | |||
| + | == Free Tools == | ||
| + | |||
| + | * [http://accessdata.com/support/adownloads#FTKImager FTK Imager v.3.0] | ||
| + | * [http://www.ltr-data.se/opencode.html#ImDisk ImDisk] - also on [http://en.wikipedia.org/wiki/ImDisk WikiPedia] | ||
| + | * Paraben's [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=268 P2 Explorer] | ||
| + | * [http://www.vmxbuilder.com/vdk-gui/ VDKWin], requires [http://chitchat.at.infoseek.co.jp/vmware/vdk.html VDK] | ||
| + | * [http://archive.msdn.microsoft.com/vhdtool vhdtool] - an unsupported MS tool that you can use to convert a raw/dd image to a VHD file and mount as a read-only volume via Disk Manager | ||
| + | |||
| + | == Commercial Tools == | ||
| + | |||
| + | * [http://www.asrdata.com/SmartMount/ SmartMount] | ||
| + | * [http://www.mountimage.com/ Mount Image Pro] - has a 14-day trial version | ||
[[Category:Howtos]] | [[Category:Howtos]] | ||
Latest revision as of 15:35, 23 August 2011
Contents |
[edit] FreeBSD
To mount a disk image on FreeBSD:
First attach the image to unit #1:
# mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
Then mount:
# mount -t msdos /dev/md1s1 /mnt
# ls /mnt BOOTLOG.PRV BOOTLOG.TXT COMMAND.COM IO.SYS MSDOS.SYS
To unmount:
# umount /mnt # mdconfig -d -u 1
To mount the image read-only, use:
# mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1 # mount -o ro -t msdos /dev/md1s1 /mnt
[edit] Linux
[edit] To mount a disk image on Linux
# mount -t vfat -o loop,ro,noexec img.dd /mnt
The ro is for read-only.
This will mount NSRL ISOs:
# mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1 # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
[edit] kpartx
Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx is creating device-mappings for each partition. If the raw image looks like this:
Device Boot Start End Blocks Id System
rawimage.dd1 1 1 8001 83 Linux
rawimage.dd2 2 2 8032+ 5 Extended
rawimage.dd5 2 2 8001 83 Linux
The command
# kpartx -v -a rawimage.dd
creates these mappings
/dev/mapper/loop0p1 /dev/mapper/loop0p2 /dev/mapper/loop0p5
The partitions can be mounted with these commands:
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
Don't forget the switch -o ro !
[edit] To unmount
# umount /mnt
[edit] Mounting Images Using Alternate Superblocks
[edit] Windows
MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.
[edit] Free Tools
- FTK Imager v.3.0
- ImDisk - also on WikiPedia
- Paraben's P2 Explorer
- VDKWin, requires VDK
- vhdtool - an unsupported MS tool that you can use to convert a raw/dd image to a VHD file and mount as a read-only volume via Disk Manager
[edit] Commercial Tools
- SmartMount
- Mount Image Pro - has a 14-day trial version
