RE: Linux, dd, and image file

From: Jason Upchurch (churchat_private)
Date: Thu Apr 03 2003 - 19:25:19 PST


    Birger has it exactly right.  fdisk -ul will give you the offset in
    sectors, multiply that number by 512 and you will have the offset in
    bytes for each partition, just in case you have more than one ;)
    
    Oh, and there is a 2 GB limit for offsets with losetup, i.e. you cannot
    go further than 2 GB into the disk for that partition you seek.  This is
    a kernel limitation that has yet to be fixed. If someone has a modified
    kernel to fix this limit, please let me know!!!
    
    Jason Upchurch
    
    -----Original Message-----
    From: Sabol, Paul [mailto:PSABOLat_private] 
    Sent: Wednesday, April 02, 2003 4:53 PM
    To: forensicsat_private
    Subject: RE: Linux, dd, and image file
    
    Ah, that got it.  Now that I've stepped back and looked at your
    comments, it makes perfect sense.  Thanks to all for the assist.
    
    -----Original Message-----
    From: Grega Bremec [mailto:gregabat_private]
    Sent: Tuesday, April 01, 2003 10:20 PM
    To: forensicsat_private
    Subject: Re: Linux, dd, and image file
    
    
    ...and on Tue, Apr 01, 2003 at 08:31:10AM -0800, Sabol, Paul used the
    keyboard:
    <snip>
    > Basically, I md5 the original drive, make a working directory on my Linux
    > drive, and then 'dd if=/dev/hdc of=testing.bin conv=notrunc,noerror,sync'.
    > I then make a /mnt/windows directory to be used as the mount point and
    > chmod 777 this directory.
    
    All well and fine, but you've just created an image of the entire hard
    drive, my friend, which is why mount is complaining, as there clearly
    isn't a valid superblock, but instead a master boot record. :)
    
    You should check out the partition table using "fdisk -l /dev/hdc",
    then "dd if=/dev/hdc1 ..." if the NTFS partition is the first and/or
    the only one on that disk, or use the corresponding partition number.
    
    <snip>
    > I do the following:
    > 
    > # losetup /dev/loop0 testing.bin
    > # mount -r -t ntfs /dev/loop0 /mnt/windows
    
    Just a note: the following is also possible and saves you one step:
    
        $ mount -t ntfs -o loop ./testing.bin /mnt/windows
    
    Cheers & good luck,
    -- 
        Grega Bremec
        grega.bremec-at-gbsoft.org
        http://najdi.si/
        http://www.gbsoft.org/
        http://www.noviforum.si/
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
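The procedure the thread describes (read start sectors from `fdisk -ul`, multiply by 512, mount the image with a loop offset, and watch for the 2 GB offset ceiling Jason mentions), as an added shell example that is not from any message in this thread. The `fdisk -ul` output, image path and mount point below are constructed; `mount_plan` only prints the commands it would run.

```shell
#!/bin/sh
# Constructed sample of `fdisk -ul /dev/hdc` output (sector units); substitute real output.
FDISK_SAMPLE='Disk /dev/hdc: 255 heads, 63 sectors, 4865 cylinders, total 78165360 sectors
Units = sectors of 1 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hdc1   *        63   4194367   2097152+   7  HPFS/NTFS
/dev/hdc2       4194368  78156224  36980928+   7  HPFS/NTFS'

SECTOR_SIZE=512
OFFSET_LIMIT=2147483648   # 2 GB ceiling on losetup offsets reported in the thread

# Byte offset of a partition from its start sector (start sector * 512).
partition_offset() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Parse `fdisk -ul` output; print "device start_sector byte_offset" per partition.
# The Boot column holds "*" only for bootable partitions, which shifts the Start column.
list_offsets() {
    printf '%s\n' "$1" | awk -v ss="$SECTOR_SIZE" '
        $1 ~ /^\/dev\// {
            start = ($2 == "*") ? $3 : $2
            printf "%s %d %.0f\n", $1, start, start * ss
        }'
}

# Mount command for one partition, or a note when the offset exceeds the limit.
mount_command() {
    image=$1; dev=$2; off=$3; mountpoint=$4
    if [ "$off" -ge "$OFFSET_LIMIT" ]; then
        echo "# $dev: offset $off exceeds $OFFSET_LIMIT; image this partition on its own (dd if=$dev ...)"
    else
        echo "mount -r -t ntfs -o loop,offset=$off $image $mountpoint"
    fi
}

# Print the mount plan for every partition in the table (nothing is mounted).
mount_plan() {
    list_offsets "$1" | while read -r dev start off; do
        mount_command "$2" "$dev" "$off" "$3"
    done
}

mount_plan "$FDISK_SAMPLE" ./testing.bin /mnt/windows
```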
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:11:11 PDT