PerlMonks  
Re: disk image forensics

by ohcamacj (Beadle)
on Aug 14, 2008 at 07:58 UTC [id://704302]


in reply to disk image forensics

It is easy to mount a CD-ROM or hard drive PARTITION image under Linux.
    mount -o loop,ro,noatime cdrom_image.iso mountpoint/
    mount -o loop,ro,noatime partition_image.img mountpoint/
However, directly trying to mount a hard drive image fails, because the start of a disk is not the start of the first partition.
The first sector of a typical hard drive looks something like
    ( Description of MSDOS-style partition table and master boot record, as
      gleaned from the source of parted and grub. )
    ----------------------------------------------------------------
      0 - 439  boot code
    440 - 443  AAAA  mbr_sig
    444 - 445  BB    unknown
    446 - 461  partition one
    462 - 477  partition two
    478 - 493  partition three
    494 - 509  partition four
    510 - 511  CC    magic
    ----------------------------------------------------------------

    Each 16 byte partition entry is
    ----------------
    0 - 15     ABBBCDDDEEEEFFFF
      C        = type
      BBB,DDD  =
      EEEE     = start sector from 0
      FFFF     = length in sectors
    ----------------
The sector counts are little-endian integers, easily parsable with unpack("V"). Using the offset of the partition, it is possible to mount a partition within a hard drive image file.
    mount -o ro,noatime,loop,offset=<sector offset * 512> hard_drive_image.img mountpoint/
On some older systems, mount only accepts offsets up to 2 GB. A simple way to check if this is a problem is to run
losetup -o 5100200300 /dev/loop5 small_file
followed by
losetup /dev/loop5
A system that limits offsets to 2 GB will print
/dev/loop5: [XXX]:XXXXXX (small_file) offset 2147483647, no encryption
A system that supports large offsets will print
/dev/loop5: [XXX]:XXXXXX (small_file) offset 5100200300, no encryption
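As an added worked example (written for this note, not code from the post above): a Perl script that reads the first sector of a disk image, walks the four 16-byte entries of the MSDOS partition table with unpack("V") as described, and prints the mount -o offset= command for each non-empty partition. With no argument it parses a 512-byte MBR constructed inline for the demo, whose second partition starts at sector 4194304 so that its byte offset lands just past the 2 GB limit and triggers the warning. The image name hard_drive_image.img and the mountpoint/ directory are placeholders, as in the post.

```perl
#!/usr/bin/perl
# Added example: parse the MSDOS partition table in the MBR of a raw disk
# image and print the mount command (with offset=) for each primary
# partition. Illustrative code written for this note; the sample MBR in
# build_sample_mbr() is constructed by hand and is not from a real disk.
use strict;
use warnings;

use constant SECTOR_SIZE  => 512;
use constant TABLE_OFFSET => 446;          # byte offset of partition entry one
use constant MAX_2GB      => 2147483647;   # largest offset an old mount/losetup accepts

# Build a 512-byte MBR: 440 bytes of dummy boot code, mbr_sig, two unknown
# bytes, four 16-byte partition entries (two used), and the 0x55AA magic.
sub build_sample_mbr {
    my $mbr = "\x90" x 440;                  # bytes 0..439: boot code (NOPs here)
    $mbr .= pack("V", 0xDEADBEEF);           # bytes 440..443: mbr_sig
    $mbr .= "\x00\x00";                      # bytes 444..445: unknown
    # Entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, length
    $mbr .= pack("C C3 C C3 V V", 0x80, (0, 1, 1),  0x83, (0xFE, 0xFF, 0xFF), 63,        4_000_000);
    $mbr .= pack("C C3 C C3 V V", 0x00, (0, 0, 0),  0x07, (0xFE, 0xFF, 0xFF), 4_194_304, 5_000_000);
    $mbr .= "\x00" x 16 for 1 .. 2;          # entries three and four unused
    $mbr .= "\x55\xAA";                      # bytes 510..511: magic
    die "sample MBR has wrong length" unless length($mbr) == SECTOR_SIZE;
    return $mbr;
}

# Return (mbr_sig, \@partitions) for one 512-byte sector.
sub parse_mbr {
    my ($mbr) = @_;
    die "not a 512-byte sector" unless length($mbr) == SECTOR_SIZE;

    my $magic = unpack("n", substr($mbr, 510, 2));   # 0x55 0xAA read big-endian
    die sprintf("bad MBR magic 0x%04x", $magic) unless $magic == 0x55AA;

    my $sig = unpack("V", substr($mbr, 440, 4));     # little-endian disk signature

    my @parts;
    for my $i (0 .. 3) {
        my $entry = substr($mbr, TABLE_OFFSET + 16 * $i, 16);
        # C = boot flag, x3 skips CHS start, C = type, x3 skips CHS end,
        # V = start sector (from sector 0), V = length in sectors
        my ($flag, $type, $start, $len) = unpack("C x3 C x3 V V", $entry);
        next if $type == 0 && $len == 0;             # empty slot
        push @parts, {
            index  => $i + 1,
            boot   => $flag == 0x80 ? 1 : 0,
            type   => $type,
            start  => $start,
            length => $len,
            offset => $start * SECTOR_SIZE,          # byte offset for mount -o offset=
        };
    }
    return ($sig, \@parts);
}

# Build the mount command for one partition; flag offsets beyond 2 GB,
# which an old mount/losetup would clamp to 2147483647 (see the losetup test).
sub mount_command {
    my ($image, $part, $mountpoint) = @_;
    my $cmd = sprintf("mount -o ro,noatime,loop,offset=%d %s %s",
                      $part->{offset}, $image, $mountpoint);
    $cmd .= "   # WARNING: offset > 2 GB, check losetup first" if $part->{offset} > MAX_2GB;
    return $cmd;
}

my $mbr;
if (@ARGV) {
    open my $fh, '<:raw', $ARGV[0] or die "open $ARGV[0]: $!";
    read($fh, $mbr, SECTOR_SIZE) == SECTOR_SIZE or die "short read on $ARGV[0]";
    close $fh;
} else {
    $mbr = build_sample_mbr();                       # no image given: use the constructed sample
}

my $image = @ARGV ? $ARGV[0] : 'hard_drive_image.img';   # placeholder name when using the sample
my ($sig, $parts) = parse_mbr($mbr);
printf "disk signature 0x%08x\n", $sig;
for my $p (@$parts) {
    printf "partition %d: type 0x%02x%s, start sector %u, %u sectors\n",
        $p->{index}, $p->{type}, ($p->{boot} ? " (bootable)" : ""), $p->{start}, $p->{length};
    print "  ", mount_command($image, $p, "mountpoint/"), "\n";
}
```

Run it as `perl mbr_offsets.pl image.img` against a raw image, or with no argument to see the constructed sample; the offset printed for each partition is the value to pass to mount -o offset=, and any entry whose offset exceeds 2147483647 is the case the losetup check above is meant to catch before mounting.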
