Forensics: Mounting partitions from full-disk 'dd' images

Published: 2009-08-18
Last Updated: 2009-08-19 00:26:36 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

If you are, as I am, a GCFA who attended Rob Lee's famous training in the not-so-recent past, you probably still are "carving out" partitions from within an acquired full disk "dd" image by running it through another "dd". Given how quickly the disk sizes are increasing, this is highly inefficient both in terms of disk space and analyst time used.

But there's a better way. You already know how to use "loopback mount" on Linux to mount an image? Well, loopback mount supports an "offset" parameter that lets you mount a partition directly from within a larger full-disk image. Thusly:

root@ubuntu:/media/disk-1# ls -al
total 39082701
drwxrwxrwx 1 root root 4096 2009-07-12 13:33 .
drwxr-xr-x 4 root root 4096 2009-08-18 19:04 ..
-rwxrwxrwx 1 root root 878 2009-07-07 11:46 fdisk
-rwxrwxrwx 1 root root 701 2009-07-07 11:47 hdparm
-rwxrwxrwx 2 root root 40020664320 2009-07-07 14:34 image-sda
-rwxrwxrwx 1 root root 43 2009-07-07 12:02 md5sum
-rwxrwxrwx 1 root root 43 2009-06-29 13:13 md5sum-sda
drwxrwxrwx 1 root root 0 2009-07-11 19:03 $RECYCLE.BIN
root@ubuntu:/media/disk-1# fdisk -ul image-sda
You must set cylinders.
You can do this from the extra functions menu.

Disk image-sda: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9c879c87

Device     Boot Start End      Blocks    Id System
image-sda1 *    63    78140159 39070048+ 7  HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(4863, 254, 63)

root@ubuntu:/media/disk-1# mount -o ro,loop,offset=32256 -t auto image-sda /media/image
root@ubuntu:/media/disk-1# cd ..
root@ubuntu:/media# cd image
root@ubuntu:/media/image# ls
AUTOEXEC.BAT favorites ntldr Start Menu blp INFCACHE.1 pagefile.sys System Volume Information boot.ini IO.SYS Program Files temp

CONFIG.SYS MSDOS.SYS RECYCLER WINDOWS Documents and Settings NTDETECT.COM spoolerlogs
root@ubuntu:/media/image#


The magic "32256" offset passed to "mount" is easily explained as the start of the partition you are interested in (63 in this case) multiplied by the unit size (512 in this case).  If you have more than one partition, just repeat the above steps for the other slices.

There you go. This easily saves several hours and untold gigabytes of disk space compared to the GCFA "carving out" method.

 

Keywords: dd forensics
3 comment(s)

Comments

That is a AWESOME method!! Thank you for sharing.

In the case of what we teach in SEC508 it is more of an exercise to emphasize fundamentals of file system forensics we are aiming to teach throughout the course.

1. Physical/Logical Disks Differences: The purpose of teaching a data carve is to re-emphasize that there is a difference between a physical disk and a logical one.
2. Practice using "dd": It gives the students practice the ability to use dd to "carve" data out of an image using skip and count.
3. MBR/Partition Tables Fundamentals: It allows the emphasis of mapping back what is learned by examining the MBR and partition tables by hand to seeing that is the actual location where you perform the data carve.

Overall, there are a lot of tricks to use when performing forensics, but my aim of creating a course is to try and tie together key functions of the disks and the logical one in class. Not that one is better than the other, but it is mainly a way to teach the a very important concept in forensics.

Love it though.

Best,
Rob
rlee@sans.org
Alternatively, using kpartx to work with the kernel's device-mapper API:
% parted foo print
Model: (file)
Disk /path/to/foo: 1074MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 16.4kB 100MB 100MB primary
2 100MB 200MB 100MB primary
3 200MB 1074MB 874MB primary

% sudo kpartx -va foo
add map loop0p1 (253:8): 0 195296 linear /dev/loop0 32
add map loop0p2 (253:9): 0 195328 linear /dev/loop0 195328
add map loop0p3 (253:10): 0 1706496 linear /dev/loop0 390656
% ls -l /dev/mapper/loop0p*
brw-rw---- 1 root disk 253, 8 2009-08-19 08:31 /dev/mapper/loop0p1
brw-rw---- 1 root disk 253, 9 2009-08-19 08:31 /dev/mapper/loop0p2
brw-rw---- 1 root disk 253, 10 2009-08-19 08:31 /dev/mapper/loop0p3
% sudo kpartx -vd foo
del devmap : loop0p3
del devmap : loop0p2
del devmap : loop0p1
loop deleted : /dev/loop0
I just released a tool to automate this, you can download it from

http://www.digininja.org/projects/image_mount.php

Robin

Diary Archives