Difference between pages "User talk:Simsong" and "Mounting Disk Images"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
m
 
Line 1: Line 1:
~~
+
= FreeBSD =
[[User:Simsong|Simsong]]
+
[[User:Simsong|Simsong]] 05:39, 31 October 2008 (UTC)
+
http://simson.net/
+
  
It seems that pages with "+" in title are not properly handled. Look at [[3+1_Data_Recovery]] [[User:.FUF|.FUF]] 08:13, 18 July 2009 (UTC)
+
To mount a disk image on [[FreeBSD]]:
: I can't figure out how that page was made. It seems that the + is escaped into a space per URL standards. I will see if I can fix it in the raw SQl database... [[User:Simsong|Simsong]] 13:53, 18 July 2009 (UTC)
+
 
: Found it. See http://en.wikipedia.org/wiki/Wikipedia:Naming_conventions_(technical_restrictions)
+
First attach the image to unit #1:
: This link may work: [[3%2B1_data_recovery]]
+
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
 +
 
 +
Then mount:
 +
  # mount -t msdos /dev/md1s1 /mnt
 +
 
 +
  # ls /mnt
 +
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
 +
 
 +
To unmount:
 +
 
 +
  # umount /mnt
 +
  # mdconfig -d -u 1
 +
 
 +
To mount the image read-only, use:
 +
 
 +
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 +
  # mount -o ro -t msdos /dev/md1s1 /mnt
 +
 
 +
= Linux =
 +
 
 +
==To mount a disk image on [[Linux]]==
 +
 
 +
# mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt
 +
-or-
 +
# mount -t vfat -o loop=/dev/loop/0,ro,noexec img.dd /mnt
 +
 
 +
The '''''ro''''' is for read-only (loop device is required since some file systems can alter the data even with '''''ro''''' option).
 +
 
 +
This will mount NSRL ISOs:
 +
 
 +
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop=/dev/loop3,ro,noexec
 +
 
 +
 
 +
Some raw images contains multiple partitions (full HD image). In this case, it's necessary to specify a starting offset for each partition.
 +
 
 +
# mount -t vfat -o loop=/dev/loop0,offset=32256,ro,noexec img.dd /mnt/tmp_1
 +
# mount -t vfat -o loop=/dev/loop1,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
 +
 
 +
 
 +
'''Note: You may need to say /dev/loop/0 instead of /dev/loop0 on some systems'''
 +
 
 +
==To unmount==
 +
 
 +
# umount /mnt
 +
 
 +
== Mounting Images Using Alternate Superblocks ==
 +
 
 +
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
 +
 
 +
[[Category:Howtos]]

Revision as of 13:09, 26 July 2009

FreeBSD

To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt
 BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt

Linux

To mount a disk image on Linux

# mount -t vfat -o loop=/dev/loop0,ro,noexec img.dd /mnt

-or-

# mount -t vfat -o loop=/dev/loop/0,ro,noexec img.dd /mnt

The ro is for read-only (loop device is required since some file systems can alter the data even with ro option).

This will mount NSRL ISOs:

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop=/dev/loop3,ro,noexec 


Some raw images contains multiple partitions (full HD image). In this case, it's necessary to specify a starting offset for each partition.

# mount -t vfat -o loop=/dev/loop0,offset=32256,ro,noexec img.dd /mnt/tmp_1
# mount -t vfat -o loop=/dev/loop1,offset=20974464000,ro,noexec img.dd /mnt/tmp_2


Note: You may need to say /dev/loop/0 instead of /dev/loop0 on some systems

To unmount

# umount /mnt

Mounting Images Using Alternate Superblocks