Disk Images
Revision as of 14:47, 1 March 2010

Overview

When trying to do forensics or recovery on a disk, it is often desirable to make a copy of the entire disk to a single file (a "disk image").

Making A Copy Of A Disk

Making a copy of a disk is a relatively simple process as long as you have enough free space on another disk to copy the disk image to.

  • Identify the device entry for the disk (something like: /dev/sda).
  • Copy the device entry to a file on a different disk.

You can use the fdisk -l command to help identify the disk device entries. For example:

[root@cayenne-e ~]# fdisk -l

Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8da2c67c

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1       13055   104857600    7  HPFS/NTFS
/dev/sda2           29094       30400    10485760   1b  Hidden W95 FAT32
/dev/sda3           30400       30401       16064+  ef  EFI (FAT-12/16/32)
/dev/sda4           13056       29093   128825235    5  Extended
/dev/sda5   *       13056       13081      204800   83  Linux
/dev/sda6           13081       18180    40959999+  83  Linux
/dev/sda7           18181       18310     1044193+  83  Linux

Partition table entries are not in disk order

Disk /dev/sdb: 62 MB, 62390272 bytes
255 heads, 63 sectors/track, 7 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0003bc6e

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1           5       40131    b  W95 FAT32
/dev/sdb2               6           7       16065   83  Linux
[root@cayenne-e ~]# 

The above output indicates that there are two disks on the system: /dev/sda (250GB) and /dev/sdb (62MB). The following command will copy the contents of the 62MB disk (/dev/sdb) to the file /tmp/disk.img:

[root@cayenne-e ~]# cp /dev/sdb /tmp/disk.img
[root@cayenne-e ~]#

Now that we have a copy of the physical contents of /dev/sdb, we no longer need to access /dev/sdb directly.


Listing The Partitions In A Disk Image

You can print the partition table of a "disk image" (a file containing the raw contents of a disk), using the fdisk command as shown below:

[root@cayenne-e ~]# fdisk -l /tmp/disk.img
You must set cylinders.
You can do this from the extra functions menu.

Disk /tmp/disk.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0003bc6e

        Device Boot      Start         End      Blocks   Id  System
/tmp/disk.img1               1           5       40131    b  W95 FAT32
/tmp/disk.img2               6           7       16065   83  Linux
[root@cayenne-e ~]# 


How Do I Mount A Partition From A Disk Image?

Mounting a partition within a disk image is a bit trickier. In order to mount a partition from within a disk image, you must compute the offset to the start of the partition. To compute the offset, you need the following values from the output of sfdisk -l IMAGE_FILE:

  • T - The sectors/track value
  • B - The block size
  • 512 - The constant 512
  • S - The starting block of the partition

The offset to the partition is then computed as follows:

(S * B) + (T * 512)

For example, take a look at the partition table within the disk image /tmp/disk.img:

[root@cayenne-e ~]# sfdisk -l /tmp/disk.img
Disk /tmp/disk.img: cannot get geometry

Disk /tmp/disk.img: 7 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot      Start     End   #cyls    #blocks   Id  System
/tmp/disk.img1          0+      4       5-     40131    b  W95 FAT32
/tmp/disk.img2          5       6       2      16065   83  Linux
/tmp/disk.img3          0       -       0          0    0  Empty
/tmp/disk.img4          0       -       0          0    0  Empty
[root@cayenne-e ~]# 

In the output above, if we wanted to mount the second partition (Linux) shown in the partition table, we would set T=63, B=1024, and S=40131 (the 40131 is the sum of the #blocks column for all of the partitions that come before the Linux partition we are trying to mount) and compute the offset as follows:

(S * B) + (T * 512) = (40131 * 1024) + (63 * 512)

So, to mount the second partition, we would use the following command sequence:

[root@cayenne-e ~]# mkdir /mnt/img
[root@cayenne-e ~]# OFFSET=$(( (40131 * 1024) + (63 * 512) ))
[root@cayenne-e ~]# echo $OFFSET
41126400
[root@cayenne-e ~]# mount -o loop,offset=${OFFSET} /tmp/disk.img /mnt/img
[root@cayenne-e ~]# ls -l /mnt/img
total 4705
drwx------ 2 root root   12288 2010-03-01 12:29 lost+found
-rw------- 1 root root 4784530 2010-03-01 12:40 messages
[root@cayenne-e ~]# 
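The same offset, derived from the MBR partition table stored in the image itself rather than from sfdisk output, as an added Python example that is not part of this wiki page. It reads each entry's starting LBA (start sector times 512 bytes, which holds whether or not the partitions are contiguous and track-aligned as they are here), compares the result with the page's formula, and checks for the ext2/3/4 superblock magic at that offset before it is handed to mount. The sample image is constructed inline; its partition LBAs are assumed from the page's cylinder geometry.

```python
import struct

SECTOR = 512
MBR_TABLE = 446               # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"
EXT_MAGIC_POS = 1024 + 0x38   # s_magic inside the ext2/3/4 superblock at +1024
EXT_MAGIC = 0xEF53


def read_mbr_partitions(image):
    """Return (number, type, start_lba, sectors) for each non-empty MBR entry."""
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for n in range(4):
        # entry layout: status(1) chs_start(3) type(1) chs_end(3) lba(4) sectors(4)
        ptype, lba, count = struct.unpack_from("<4xB3xII", image, MBR_TABLE + 16 * n)
        if ptype != 0:
            parts.append((n + 1, ptype, lba, count))
    return parts


def partition_offset(image, number):
    """Byte offset for mount -o loop,offset=... : start LBA times the sector size."""
    for n, _ptype, lba, _count in read_mbr_partitions(image):
        if n == number:
            return lba * SECTOR
    raise ValueError(f"partition {number} is empty or missing")


def offset_from_sfdisk(S, B, T):
    """The page's formula: starting block S, block size B, sectors/track T."""
    return (S * B) + (T * SECTOR)


def looks_like_ext(image, offset):
    """True if an ext2/3/4 superblock magic sits where the partition should start."""
    return struct.unpack_from("<H", image, offset + EXT_MAGIC_POS)[0] == EXT_MAGIC


def build_sample_image():
    """Constructed 62 MB image with the page's layout: FAT32 at LBA 63, Linux at LBA 80325 (assumed)."""
    image = bytearray(62390272)            # the size fdisk reported for /dev/sdb
    entries = [(0x0B, 63, 40131 * 2), (0x83, 80325, 16065 * 2)]
    for n, (ptype, lba, count) in enumerate(entries):
        struct.pack_into("<4xB3xII", image, MBR_TABLE + 16 * n, ptype, lba, count)
    image[510:512] = MBR_SIGNATURE
    # plant the ext magic in partition 2 so looks_like_ext() has something to find
    struct.pack_into("<H", image, 80325 * SECTOR + EXT_MAGIC_POS, EXT_MAGIC)
    return image
```

Pass the returned value as the offset= mount option; adding ro to the options keeps the image unmodified while you inspect it.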

At this point we can read and write to the Linux partition in the disk image as if it were the original drive:

[root@cayenne-e ~]# echo "Hello World" >| /mnt/img/hello.txt
[root@cayenne-e ~]# cat /mnt/img/hello.txt
Hello World
[root@cayenne-e ~]# 

Finally, after we are done using the disk image, we'll use the umount command to release it:

[root@cayenne-e ~]# umount /mnt/img
[root@cayenne-e ~]#