Re: Problem with mounted vfat image

From: R Andersson (listbox@pole-position.org)
Date: Fri Apr 04 2003 - 00:52:38 PST

Next message: Altheide, Cory B.: "RE: Linux, dd, and image file"

Previous message: Ralf Spenneberg: "Re: [sleuthkit-users] Sleuth Kit 1.61 and Autopsy 1.71 Release"
In reply to: Parth Galen: "Problem with mounted vfat image"
Next in thread: Paul Bakker: "Re: Problem with mounted vfat image"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Parth Galen wrote:
> I have a dd'ed image that fsstat reports as;
> --------
> [root@localhost morgue]# sfdisk -l disk2.2.2.dd
> Disk disk2.2.2.dd: cannot get size
> Disk disk2.2.2.dd: cannot get geometry
> 
> Disk disk2.2.2.dd: 0 cylinders, 0 heads, 0 sectors/track
> Units = megabytes of 1048576 bytes, blocks of 1024 bytes, counting from 0
> 
>    Device Boot Start   End     MB    #blocks   Id  System
> disk2.2.2.dd1   ? 937476+ 1203314- 265839- 272218546+  20  Unknown
> disk2.2.2.dd2   ? 649504+ 912676- 263173- 269488144   6b  Unknown
> disk2.2.2.dd3   ? 263178+ 945972- 682795- 699181456   53  OnTrack DM6 Aux3
> disk2.2.2.dd4   * 680970+ 680980-    11-     10668+  49  Unknown
> ------
[snip]
> I can mount if "successfully" with;
> ------
> # mount disk2.2.2.dd /mnt/vfat -t vfat -r -o ro,loop,show_sys_files=true
> 
> # mount 
> /root/practical/morgue/disk2.2.2.dd on /mnt/vfat type vfat 
> (ro,loop=/dev/loop0,show_sys_files=true)
> ------

So you dumped a partition and not the whole disk. Therefore you can't 
look at partition info, but you can mount the file directly. See the 
thread "Linux, dd, and image file" which discussed the opposite.

> The top level directorys appear "good", but as soon as you drop into a 
> folder or two down, I start getting "garbage" from ls, cat, less, cp... 
> The file and folder names look like pieces from the files themselves 
> rather than the FAT. While the content of the top level files can be 
> accessed (less, cat...), the lower level files contain "garbage".
> 
> I have tried mounting as fat=12, fat=16, fat=32 (which failed), and 
> several other options in mount but keep getting slight variations on the 
> same "corruption" problem.
> 
> So my question is, does anyone have any suggestions on what the problem 
> might be, and how I should proceed?

Was it OK on the original platform? How was the image created? How was 
it transfered? Any risk of transmission errors? Did you use MD5 or 
something like that to verify the integrity of the dump?


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Altheide, Cory B.: "RE: Linux, dd, and image file"
Previous message: Ralf Spenneberg: "Re: [sleuthkit-users] Sleuth Kit 1.61 and Autopsy 1.71 Release"
In reply to: Parth Galen: "Problem with mounted vfat image"
Next in thread: Paul Bakker: "Re: Problem with mounted vfat image"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Apr 08 2003 - 16:14:28 PDT