One problem with imaging each partition is that you may miss some pertinent information. The partitions don't always encompas the entire disk, and a knowledgable intruder might store info in the inter-partition spaces. (one example includes a recent to-do about some Windows Tax software that stored copy-protection information in unused portions of the boot track) If you're making copies for forensic reasons, you're probably best to make a proper copy of the entire disk and then either do ofset mounts (as below) or make 'live' copies of the various partitions to play with if you find that a bit easier. jcreyesat_private wrote: > Maybe the easiest way for image that disc is using dd for each partition, > if possible (you must be able to watch thru al fdisk the partitions), a > -----Original Message----- > From: "Luis Gomez" <lgomezat_private> > It's perfectly possible, but you forgot an important point: you imaged a > DRIVE, and want to mount a PARTITION. IIRC, there are 63 blocks of 512 bytes > between the beginning of the disk and the beginning of the partition, so how > about losetup /dev/loop0 testing.bin -o 63 -- Stephen Samuel +1(604)876-0426 samuelat_private http://www.bcgreen.com/~samuel/ Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life. ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 17:40:17 PST