Difference between pages "Mounting Disk Images" and "Compression"

From ForensicsWiki
(Difference between pages)
m (kpartx)
 
(LZ1)
 
Line 1: Line 1:
= FreeBSD =
+
{{Expand}}
  
To mount a disk image on [[FreeBSD]]:
+
== External Links ==
 +
* [http://www.coderforlife.com/ Microsoft Compression Formats]
  
First attach the image to unit #1:
+
=== LZ1 ===
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
+
* [http://andyh.org/LZ1.html LZ1]
 
+
Then mount:
+
  # mount -t msdos /dev/md1s1 /mnt
+
 
+
  # ls /mnt
+
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
+
 
+
To unmount:
+
 
+
  # umount /mnt
+
  # mdconfig -d -u 1
+
 
+
To mount the image read-only, use:
+
 
+
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
+
  # mount -o ro -t msdos /dev/md1s1 /mnt
+
 
+
= Linux =
+
 
+
==To mount a disk image on [[Linux]]==
+
 
+
# mount -t vfat -o loop,ro,noexec img.dd /mnt
+
 
+
The '''''ro''''' is for read-only.
+
 
+
This will mount NSRL ISOs:
+
 
+
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
+
 
+
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
+
 
+
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
+
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
+
 
+
===kpartx===
+
 
+
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
+
 
+
        Device        Boot      Start      End      Blocks Id  System
+
    rawimage.dd1              1          1        8001  83  Linux
+
    rawimage.dd2              2          2        8032+  5  Extended
+
    rawimage.dd5              2          2        8001  83  Linux
+
 
+
The command
+
 
+
#  kpartx -v -a rawimage.dd
+
 
+
creates these mappings
+
 
+
    /dev/mapper/loop0p1
+
    /dev/mapper/loop0p2
+
    /dev/mapper/loop0p5
+
 
+
The partitions can be mounted with these commands:
+
 
+
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
+
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
+
 
+
Don't forget the switch '''''-o ro''''' !
+
 
+
==To unmount==
+
 
+
# umount /mnt
+
 
+
== Mounting Images Using Alternate Superblocks ==
+
 
+
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
+
 
+
[[Category:Howtos]]
+
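Review bot: In the kpartx section, `kpartx -v -a rawimage.dd` sets up the loop device and partition mappings read-write, so the only write protection is the `-o ro` on each later `mount`, which the text itself has to remind readers not to forget. Suggest `kpartx -r -v -a rawimage.dd` so the mappings are read-only from the start, and, if the type 83 partitions are ext3/ext4, `-o ro,noload` on the mounts, since a plain `ro` mount can still replay the journal. The same point applies to the first FreeBSD example, where the `mdconfig -a -t vnode` command attaches the image without `-o readonly` and the read-only variant only appears at the end of that section.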

Revision as of 02:09, 9 June 2014


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

External Links

LZ1