Birger has it exactly right. fdisk -ul with give you the offset in sectors, multiply that number by 512 and you will have the offset in bytes for each partition, just in case you have more than one ;) Oh, and there is a 2 GB limit for offsets with losetup, ie you can not go further than 2 GB into the disk for that partition you seek. This is a kernel limitation that has yet to be fixed. If someone has a modified kernel to fix this limit, please let me know!!! Jason Upchurch -----Original Message----- From: Sabol, Paul [mailto:PSABOLat_private] Sent: Wednesday, April 02, 2003 4:53 PM To: forensicsat_private Subject: RE: Linux, dd, and image file Ah, that got it. Now that I've stepped back and looked at your comments, it makes perfect sense. Thanks to all for the assist. -----Original Message----- From: Grega Bremec [mailto:gregabat_private] Sent: Tuesday, April 01, 2003 10:20 PM To: forensicsat_private Subject: Re: Linux, dd, and image file ...and on Tue, Apr 01, 2003 at 08:31:10AM -0800, Sabol, Paul used the keyboard: <snip> > Basically, I md5 the original drive, make a working directory on my Linux > drive, and then 'dd if=/dev/hdc of=testing.bin conv=notrunc,noerror,sync". > I then make a /mnt/windows directory to be used as the mount point and chmod > 777 this directory. All well and fine, but you've just created an image of the entire hard drive, my friend, which is why mount is complaining, as there clearly isn't a valid superblock, but instead a master boot record. :) You should check out the partition table using "fdisk -l /dev/hdc", then "dd if=/dev/hdc1 ..." if the NTFS partition is the first and/or the only one on that disk, or use the corresponding partition number. <snip> > I do the following: > > # losetup /dev/loop0 testing.bin > # mount -r -t ntfs /dev/loop0 /mnt/windows Just a note: the following is also possible and saves you one step: $ mount -t ntfs -o loop ./testing.bin /mnt/windows Cheers & good luck, -- Grega Bremec grega.bremec-at-gbsoft.org http://najdi.si/ http://www.gbsoft.org/ http://www.noviforum.si/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:11:11 PDT