Difference between revisions of "Mounting Disk Images"

From Forensics Wiki
Jump to: navigation, search
m (Linux)
(Free Tools)
 
(14 intermediate revisions by 5 users not shown)
Line 26: Line 26:
 
==To mount a disk image on [[Linux]]==
 
==To mount a disk image on [[Linux]]==
  
  # mount -t vfat -o loop=/dev/loop0 img.dd /mnt
+
  # mount -t vfat -o loop,ro,noexec img.dd /mnt
-or-
+
# mount -t vfat -o loop=/dev/loop/0 img.dd /mnt
+
  
 +
The '''''ro''''' is for read-only.
 +
 +
This will mount NSRL ISOs:
 +
 +
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
 +
 +
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
 +
 +
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 +
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
 +
 +
===kpartx===
 +
 +
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
 +
 +
        Device        Boot      Start      End      Blocks Id  System
 +
    rawimage.dd1              1          1        8001  83  Linux
 +
    rawimage.dd2              2          2        8032+  5  Extended
 +
    rawimage.dd5              2          2        8001  83  Linux
 +
 +
The command
 +
 +
#  kpartx -v -a rawimage.dd
 +
 +
creates these mappings
 +
 +
    /dev/mapper/loop0p1
 +
    /dev/mapper/loop0p2
 +
    /dev/mapper/loop0p5
 +
 +
The partitions can be mounted with these commands:
 +
 +
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 +
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
 +
 +
Don't forget the switch '''''-o ro''''' !
  
 
==To unmount==
 
==To unmount==
Line 35: Line 69:
 
  # umount /mnt
 
  # umount /mnt
  
To mount the image read-only, use:
+
== Mounting Images Using Alternate Superblocks ==
 +
 
 +
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
 +
 
 +
= Windows =
 +
 
 +
MS Windows does not include a native means for mounting acquired images.  However, there are tools available for mounting acquired images on Windows systems.
 +
 
 +
== Free Tools ==
 +
 
 +
* [http://accessdata.com/support/adownloads#FTKImager FTK Imager v.3.0]
 +
* [http://www.ltr-data.se/opencode.html#ImDisk ImDisk] - also on [http://en.wikipedia.org/wiki/ImDisk WikiPedia]
 +
* Paraben's [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=268 P2 Explorer]
 +
* [http://www.vmxbuilder.com/vdk-gui/ VDKWin], requires [http://chitchat.at.infoseek.co.jp/vmware/vdk.html VDK]
 +
* [http://archive.msdn.microsoft.com/vhdtool vhdtool] - an unsupported MS tool that you can use to convert a raw/dd image to a VHD file and mount as a read-only volume via Disk Manager
 +
 
 +
== Commercial Tools ==
 +
 
 +
* [http://www.asrdata.com/SmartMount/ SmartMount]
 +
* [http://www.mountimage.com/ Mount Image Pro] - has a 14-day trial version
  
# mount -t vfat -o ro,loop=/dev/loop0 img.dd /mnt
+
[[Category:Howtos]]

Latest revision as of 15:35, 23 August 2011

Contents

FreeBSD

To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt
 BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt

Linux

To mount a disk image on Linux

# mount -t vfat -o loop,ro,noexec img.dd /mnt

The ro is for read-only.

This will mount NSRL ISOs:

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec 

Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.

# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2

kpartx

Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx is creating device-mappings for each partition. If the raw image looks like this:

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command

#   kpartx -v -a rawimage.dd

creates these mappings

   /dev/mapper/loop0p1
   /dev/mapper/loop0p2
   /dev/mapper/loop0p5

The partitions can be mounted with these commands:

# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch -o ro !

To unmount

# umount /mnt

Mounting Images Using Alternate Superblocks

Windows

MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.

Free Tools

Commercial Tools