Forensics
Linux, dd, and image file Apr 01 2003 04:31PM
Sabol, Paul (PSABOL mgmmirage com) (6 replies)
Re: Linux, dd, and image file Apr 03 2003 04:31PM
Paul Hoyt Nelson (pnelson thumper lerc nasa gov)
Re: Linux, dd, and image file Apr 02 2003 12:25PM
Jesse Kornblum (jesse kornblum ogn af mil)
Re: Linux, dd, and image file Apr 02 2003 09:02AM
Birger Toedtmann (btoedtmann exp-math uni-essen de)
Sabol, Paul wrote on Tue, Apr 01, 2003 at 08:31:10AM -0800:
> I have been trying to mount an NTFS image file based on a procedure I had
> for mounting floppy disk images and viewing them read only.
>
> Basically, I md5 the original drive, make a working directory on my Linux
> drive, and then 'dd if=/dev/hdc of=testing.bin conv=notrunc,noerror,sync'.
> I then make a /mnt/windows directory to be used as the mount point and chmod
> 777 this directory.
>
> The binary file is created fine, and the md5 hash of the file is the same as
> the original drive. But here is where I get stuck.
>
> I do the following:
>
> # losetup /dev/loop0 testing.bin
> # mount -r -t ntfs /dev/loop0 /mnt/windows
>
> It keeps telling me:
>
> mount: wrong fs type, bad option, bad superblock on /dev/loop0,
> or too many mounted file systems
>
> I am sure there are not too many mounted file systems, and I am sure the
> original drive from which the dd came was NTFS. I have ntfs compiled in the
> kernel. I'm using Red Hat 8.0 for this.
>
> Anyone have any ideas, or is what I am attempting even possible?

Sure it is, but you forgot to honor the MBR and partition tables at
the beginning of your drive. There is of course no NTFS at /dev/hdc
but at /dev/hdc1 (or wherever that partition is).

What you can do with your /dev/loop0 is work with fdisk on it like
you do with /dev/hdc. fdisk may tell you that there is a partition
at /dev/loop0p0 (which it is simply by numbering) but you won't
find such a device in /dev/ so there's no way to mount it.

The only way to mount it in the image is to find the offset where
the partition starts. You can calculate this by multiplying sector
size, sectors-per-cylinder and the cylinder number of the partition
in question.

For example, if your NTFS partition starts at cylinder 1, your
sectors-per-cylinder is 63 and your sector size is 512 bytes, you end up
with an offset of 32256 bytes where the partition starts. Thus, you can

# losetup -o 32256 /dev/loop1 testing.bin
# mount -r -t ntfs /dev/loop1 /mnt/windows

successfully. /dev/loop0 will then represent /dev/hdc and /dev/loop1
will refer to /dev/hdc1, and so on....

Regards,

--
Birger Tödtmann
Lehrstuhl Technik der Rechnernetze
Institut für Experimentelle Mathematik und Institut für Informatik und Wirtschaftsinformatik
Universität Duisburg-Essen, Standort Essen
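
Added example, not part of the original post: a small Python parser that reads the partition table from the first sector of a dd image and prints the byte offset to pass to `losetup -o`. It goes beyond the by-hand calculation in the message by taking the starting sector from each table entry; it assumes 512-byte sectors and a classic MBR with primary partitions only, and the function names and the sample MBR are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512      # assumption: 512-byte sectors, as in the post's example
TABLE_OFFSET = 446     # the partition table starts here in a classic MBR
ENTRY_SIZE = 16        # four 16-byte primary entries
TYPE_NAMES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector0: bytes, sector_size: int = SECTOR_SIZE):
    """Return the non-empty primary partitions described by an MBR sector."""
    if len(sector0) < 512:
        raise ValueError("need at least the first 512 bytes of the image")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR-partitioned image")
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + index * ENTRY_SIZE
        entry = sector0[start:start + ENTRY_SIZE]
        # boot flag, CHS start (3 bytes), type, CHS end (3 bytes), start LBA, count
        boot, _chs_s, ptype, _chs_e, start_lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 or count == 0:
            continue  # unused slot
        partitions.append({
            "number": index + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start_lba,
            "sectors": count,
            "offset": start_lba * sector_size,  # value for losetup -o
        })
    return partitions


def build_sample_mbr() -> bytes:
    """Constructed test data: one bootable NTFS partition starting at sector 63."""
    mbr = bytearray(512)
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2048000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # For a real image: sector0 = open("testing.bin", "rb").read(512)
    for p in parse_mbr(build_sample_mbr()):
        print(f"partition {p['number']}: type 0x{p['type']:02x} ({p['type_name']}), "
              f"start sector {p['start_lba']}, offset {p['offset']} bytes")
        print(f"  losetup -o {p['offset']} /dev/loop1 testing.bin")
```

Only the first 512 bytes of the image are read, so the check works on a read-only copy without attaching a loop device first.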

Re: Linux, dd, and image file Apr 02 2003 06:19AM
Grega Bremec (gregab gbsoft org) (1 replies)
Re: Linux, dd, and image file Apr 02 2003 03:28PM
Brian Carrier (carrier cerias purdue edu) (1 replies)
Re: Linux, dd, and image file Apr 02 2003 04:35PM
Volker Tanger (volker tanger discon de)
Re: Linux, dd, and image file Apr 02 2003 04:29AM
crazytrain (subscribe crazytrain com)
Re: Linux, dd, and image file Apr 02 2003 03:30AM
Luis Gomez (lgomez infoemergencias com)







 

Copyright 2007, SecurityFocus