Disk Images
Latest revision as of 09:15, 18 May 2020
Overview
When trying to do forensics or recovery on a disk, it is often desirable to make a copy of the entire disk to a single file (a "disk image").
How Do I Create A Disk Image?
Making a copy of a disk is a relatively simple process as long as you have enough free space on another disk to copy the disk image to.
- Identify the device entry for the disk (something like: /dev/sda).
- Copy the device entry to a file on a different disk.
You can use the fdisk -l command to help identify the disk device entries. For example:
 [root@cayenne-e ~]# fdisk -l
 
 Disk /dev/sda: 250.1 GB, 250059350016 bytes
 255 heads, 63 sectors/track, 30401 cylinders
 Units = cylinders of 16065 * 512 = 8225280 bytes
 Disk identifier: 0x8da2c67c
 
    Device Boot      Start         End      Blocks   Id  System
 /dev/sda1               1       13055   104857600    7  HPFS/NTFS
 /dev/sda2           29094       30400    10485760   1b  Hidden W95 FAT32
 /dev/sda3           30400       30401       16064+  ef  EFI (FAT-12/16/32)
 /dev/sda4           13056       29093   128825235    5  Extended
 /dev/sda5   *       13056       13081      204800   83  Linux
 /dev/sda6           13081       18180    40959999+  83  Linux
 /dev/sda7           18181       18310     1044193+  83  Linux
 
 Partition table entries are not in disk order
 
 Disk /dev/sdb: 62 MB, 62390272 bytes
 255 heads, 63 sectors/track, 7 cylinders
 Units = cylinders of 16065 * 512 = 8225280 bytes
 Disk identifier: 0x0003bc6e
 
    Device Boot      Start         End      Blocks   Id  System
 /dev/sdb1               1           5       40131    b  W95 FAT32
 /dev/sdb2               6           7       16065   83  Linux
 [root@cayenne-e ~]#
The above output indicates that there are two disks on the system /dev/sda (250GB) and /dev/sdb (62MB). The following command will copy the contents of the 62MB disk (/dev/sdb) to the file: /tmp/disk.img:
 [root@cayenne-e ~]# cp /dev/sdb /tmp/disk.img
 [root@cayenne-e ~]#
Now that we have a copy of the raw contents of /dev/sdb, we no longer need to access /dev/sdb directly. Note that cp stops at the first unreadable sector and says nothing about what it skipped; for a failing or evidentiary disk, use dd with conv=noerror,sync (or GNU ddrescue), which zero-fills bad sectors so that later data stays at its true offset, and record a cryptographic hash of the image (for example with sha256sum) so that any later modification of the image can be detected.
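The two steps above (identify the device, copy it to a file), carried through the way a forensic examiner would do it, as an added example that is not part of the original page. It replaces cp with dd in sector-sized blocks and conv=noerror,sync, hashes source and image, stores the hash beside the image, and makes the image read-only. The function names (image_disk, hash_file, make_sample_source) are ours, and the "disk" imaged in the demo is a constructed 4 KiB file standing in for /dev/sdb so the script runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example: forensic-style imaging of a block device (here a constructed
# file standing in for /dev/sdb). Helper names are ours, not the page's.

# Print the SHA-256 of a file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SRC IMG
#  - refuses to overwrite an existing image (evidence must never be clobbered)
#  - reads sector by sector with conv=noerror,sync, so an unreadable sector is
#    zero-filled instead of aborting the copy or shifting the data after it
#  - hashes source and image, stores the hash beside the image, and makes the
#    image read-only so later analysis cannot silently alter it
# Prints the image hash on success.
image_disk() {
    src=$1
    img=$2
    if [ -e "$img" ]; then
        echo "image_disk: refusing to overwrite existing $img" >&2
        return 1
    fi
    # bs=512 matches the sector size of the disks on this page. conv=sync pads
    # the last block to bs, so a larger bs would zero-pad the tail of the image
    # and the hashes below would no longer match.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image_disk: hash mismatch (source $src_hash, image $img_hash)" >&2
        return 2
    fi
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    chmod 0444 "$img"
    echo "$img_hash"
}

# Constructed stand-in for a tiny disk: 8 sectors (4096 bytes) of random data.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
}

# Demo for a stand-alone run: image the constructed source and verify it.
demo_dir=$(mktemp -d)
make_sample_source "$demo_dir/sdb"
image_disk "$demo_dir/sdb" "$demo_dir/disk.img" >/dev/null \
    && echo "imaged OK: $(cat "$demo_dir/disk.img.sha256")"
rm -rf "$demo_dir"
```

On a real system the source would be the device node (image_disk /dev/sdb /mnt/evidence/sdb.img), run as root, and the .sha256 sidecar is what you re-check before and after every analysis session.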
How Do I List The Partitions In A Disk Image?
You can print the partition table of a "disk image" (a file containing the raw contents of a disk), using the fdisk command as shown below:
 [root@cayenne-e ~]# fdisk -l /tmp/disk.img
 You must set cylinders.
 You can do this from the extra functions menu.
 
 Disk /tmp/disk.img: 0 MB, 0 bytes
 255 heads, 63 sectors/track, 0 cylinders
 Units = cylinders of 16065 * 512 = 8225280 bytes
 Disk identifier: 0x0003bc6e
 
        Device Boot      Start         End      Blocks   Id  System
 /tmp/disk.img1              1           5       40131    b  W95 FAT32
 /tmp/disk.img2              6           7       16065   83  Linux
 [root@cayenne-e ~]#
You can also use the sfdisk command as shown below (the sfdisk command shows the size of each block):
 [root@cayenne-e ~]# sfdisk -l /tmp/disk.img
 
 Disk /tmp/disk.img: cannot get geometry
 
 Disk /tmp/disk.img: 7 cylinders, 255 heads, 63 sectors/track
 Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
 
    Device Boot Start     End   #cyls    #blocks   Id  System
 /tmp/disk.img1          0+      4       5-      40131    b  W95 FAT32
 /tmp/disk.img2          5       6       2       16065   83  Linux
 /tmp/disk.img3          0       -       0           0    0  Empty
 /tmp/disk.img4          0       -       0           0    0  Empty
 [root@cayenne-e ~]#
How Do I Mount A Partition From A Disk Image?
Mounting a partition within a disk image is a bit trickier. The mount command cannot be pointed at "partition 2 of a file"; instead it needs the byte offset of the partition within the image (mount -o loop,offset=BYTES). With the old sfdisk output shown here, which reports cylinders and 1024-byte blocks rather than sectors, the offset can be computed from the following values from the output of sfdisk -l IMAGE_FILE:
- T - The sectors/track value
- B - The block size
- 512 - The constant 512 (the sector size)
- S - The starting block of the partition
The offset to the partition is then computed as follows:
(S * B) + (T * 512)
This works because the first partition starts one track (T sectors) into the disk and the partitions in this image are contiguous. Newer fdisk, sfdisk and parted report the start of each partition in sectors (or bytes), in which case the offset is simply the start sector multiplied by the sector size and none of this arithmetic is needed.
For example, take a look at the partition table within the disk image /tmp/disk.img:
 [root@cayenne-e ~]# sfdisk -l /tmp/disk.img
 
 Disk /tmp/disk.img: cannot get geometry
 
 Disk /tmp/disk.img: 7 cylinders, 255 heads, 63 sectors/track
 Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
 
    Device Boot Start     End   #cyls    #blocks   Id  System
 /tmp/disk.img1          0+      4       5-      40131    b  W95 FAT32
 /tmp/disk.img2          5       6       2       16065   83  Linux
 /tmp/disk.img3          0       -       0           0    0  Empty
 /tmp/disk.img4          0       -       0           0    0  Empty
 [root@cayenne-e ~]#
In the output above, if we wanted to mount the second partition (Linux) shown in the partition table, we would set T=63, B=1024, and S=40131 (the 40131 is the sum of the #blocks column for all of the partitions that come before the Linux partition we are trying to mount; this only gives the right answer because there is no unallocated gap between the partitions) and compute the offset as follows:
(S * B) + (T * 512) = (40131 * 1024) + (63 * 512)
So, to mount the second partition, we would use the following command sequence:
 [root@cayenne-e ~]# mkdir /mnt/img
 [root@cayenne-e ~]# OFFSET=$(( (40131 * 1024) + (63 * 512) ))
 [root@cayenne-e ~]# echo $OFFSET
 41126400
 [root@cayenne-e ~]# mount -o loop,offset=${OFFSET} /tmp/disk.img /mnt/img
 [root@cayenne-e ~]# ls -l /mnt/img
 total 4705
 drwx------ 2 root root   12288 2010-03-01 12:29 lost+found
 -rw------- 1 root root 4784530 2010-03-01 12:40 messages
 [root@cayenne-e ~]#
At this point, we can read and write to the Linux partition in the disk image as if it were the original drive. For forensic work, mount with -o ro instead (and, for an ext3/ext4 filesystem, -o ro,noload so the journal is not replayed), because any write to the image, including the journal replay that ext3/ext4 perform even on a read-only mount, alters the evidence copy and invalidates its hash:
 [root@cayenne-e ~]# echo "Hello World" >| /mnt/img/hello.txt
 [root@cayenne-e ~]# cat /mnt/img/hello.txt
 Hello World
 [root@cayenne-e ~]#
Finally, after we are done using the disk image, we'll use the umount command to release it:
 [root@cayenne-e ~]# umount /mnt/img
 [root@cayenne-e ~]#
If you have access to the parted utility, you can use it to print out the offsets for each partition within your disk image (no computation required). For example, the following uses parted, and sets the output units to bytes to determine that the offset to the second partition is 41126400 within our sample disk image:
 [root@cayenne-e ~]# printf "unit B\nprint\nquit\n" | parted /tmp/disk.img
 GNU Parted 1.9.0
 Using /tmp/disk.img
 Welcome to GNU Parted! Type 'help' to view a list of commands.
 (parted) unit B
 (parted) print
 Model:  (file)
 Disk /tmp/disk.img: 62390272B
 Sector size (logical/physical): 512B/512B
 Partition Table: msdos
 
 Number  Start      End        Size       Type     File system  Flags
  1      32256B     41126399B  41094144B  primary  fat32
  2      41126400B  57576959B  16450560B  primary  ext2
 
 (parted) quit
 [1]+  Terminated              printf "unit B\nprint" | parted /tmp/disk.img
 [root@cayenne-e ~]# mount -o loop,offset=41126400 /tmp/disk.img /mnt/img
 [root@cayenne-e ~]# ls /mnt/img
 hello.txt  lost+found  messages
 [root@cayenne-e ~]# umount /mnt/img
 [root@cayenne-e ~]#
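The offset that sfdisk arithmetic or parted gives above is really just the partition's LBA start times the sector size, and that LBA start sits in the MBR itself. The following added example (ours, not code from the original page) reads the four primary entries of an MSDOS partition table straight out of a raw image with od and prints the byte offset for each, so it works without fdisk, sfdisk or parted and on any image where the partitions are not contiguous. The function names (mbr_partitions, partition_offset, mount_partition_ro, make_sample_mbr) are ours; the demo builds a constructed 512-byte MBR with the same two partitions as /tmp/disk.img on this page (type 0b at LBA 63, type 83 at LBA 80325, which is 41126400 / 512). Only primary entries are walked: logical partitions inside an extended partition (type 05/0f) and GPT disks (protective type ee) need a different parser.

```shell
#!/bin/sh
# Added example: derive mount -o loop,offset= values by parsing the MBR of a raw
# image directly. Function names are ours, not the page's.

# Little-endian 32-bit value from four decimal byte values.
le32() {
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# mbr_partitions IMG [SECTOR_SIZE]
# Prints one line per in-use primary entry:
#   <number> <type-hex> <start-lba> <sector-count> <byte-offset>
mbr_partitions() {
    img=$1
    sector=${2:-512}
    # The table is only valid if bytes 510-511 hold the 0x55 0xAA signature.
    set -- $(od -An -tu1 -j 510 -N 2 "$img")
    if [ "$1" != 85 ] || [ "$2" != 170 ]; then
        echo "mbr_partitions: no 0x55AA signature in $img" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt 4 ]; do
        # Entries are 16 bytes each, starting at byte 446.
        set -- $(od -An -tu1 -j $((446 + i * 16)) -N 16 "$img")
        # byte 4 = type, bytes 8-11 = LBA start, bytes 12-15 = sector count
        type=$5
        start=$(le32 "$9" "${10}" "${11}" "${12}")
        count=$(le32 "${13}" "${14}" "${15}" "${16}")
        if [ "$type" -ne 0 ]; then
            printf '%d %02x %d %d %d\n' $((i + 1)) "$type" "$start" "$count" $((start * sector))
        fi
        i=$((i + 1))
    done
}

# partition_offset IMG N -> byte offset of primary partition N (fails if absent)
partition_offset() {
    mbr_partitions "$1" | awk -v n="$2" '$1 == n { print $5; found = 1 } END { exit (found ? 0 : 1) }'
}

# mount_partition_ro IMG N MOUNTPOINT  (needs root; not run by the demo)
# Read-only is the safe default for a forensic image; add noload (ext3/4) or
# norecovery (xfs) if the filesystem would otherwise replay its journal.
mount_partition_ro() {
    off=$(partition_offset "$1" "$2") || return 1
    mount -o ro,loop,offset="$off" "$1" "$3"
}

# make_sample_mbr OUT: constructed 512-byte MBR mirroring this page's layout.
make_sample_mbr() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null                                  # boot code area
        printf '\200\000\000\000\013\000\000\000\077\000\000\000\206\071\001\000'   # type 0b, LBA 63, 80262 sectors
        printf '\000\000\000\000\203\000\000\000\305\071\001\000\202\175\000\000'   # type 83, LBA 80325, 32130 sectors
        dd if=/dev/zero bs=32 count=1 2>/dev/null                                   # entries 3 and 4 empty
        printf '\125\252'                                                           # 0x55AA signature
    } > "$1"
}

# Demo for a stand-alone run.
tmp=$(mktemp)
make_sample_mbr "$tmp"
mbr_partitions "$tmp"
echo "mount -o ro,loop,offset=$(partition_offset "$tmp" 2) /tmp/disk.img /mnt/img"
rm -f "$tmp"
```

Run against the real image with mbr_partitions /tmp/disk.img and the second line reports offset 41126400, the same value parted printed above; partition_offset /tmp/disk.img 2 is then usable directly in a mount command.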
How Do I Mount A Partition From A Disk Image Using: losetup?
This section uses the losetup command to attach the whole image to a loop device. With -P the kernel scans the image's partition table and creates one device node per partition (/dev/loop0p1, /dev/loop0p2, ...), so no offset arithmetic is needed; -f picks the first free loop device. Add -r to attach the image read-only, which is the safe choice for a forensic image.
Example: ISO disk image: "nst-minimal-32.x86_64.iso"
List Partitions (fdisk):
 [root@vortex livecd]# fdisk -l ./nst-minimal-32.x86_64.iso;
 Disk ./nst-minimal-32.x86_64.iso: 1.17 GiB, 1247232000 bytes, 2436000 sectors
 Units: sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disklabel type: dos
 Disk identifier: 0x1877db0d
 
 Device                        Boot Start     End Sectors  Size Id Type
 ./nst-minimal-32.x86_64.iso1  *        0 2435999 2436000  1.2G  0 Empty
 ./nst-minimal-32.x86_64.iso2         180   16567   16388    8M ef EFI (FAT-12/16/32)
 ./nst-minimal-32.x86_64.iso3       16644   54355   37712 18.4M ef EFI (FAT-12/16/32)
Create Loop Partitions (losetup):
 [root@vortex livecd]# losetup -P -f ./nst-minimal-32.x86_64.iso;
 [root@vortex livecd]#
 [root@vortex livecd]# losetup -l;
 NAME       SIZELIMIT OFFSET AUTOCLEAR RO BACK-FILE                                         DIO LOG-SEC
 /dev/loop0         0      0         0  0 /home/nst/dev32/livecd/nst-minimal-32.x86_64.iso   0     512
 [root@vortex livecd]#
 [root@vortex livecd]# fdisk -l /dev/loop0;
 Disk /dev/loop0: 1.17 GiB, 1247232000 bytes, 2436000 sectors
 Units: sectors of 1 * 512 = 512 bytes
 Sector size (logical/physical): 512 bytes / 512 bytes
 I/O size (minimum/optimal): 512 bytes / 512 bytes
 Disklabel type: dos
 Disk identifier: 0x1877db0d
 
 Device       Boot Start     End Sectors  Size Id Type
 /dev/loop0p1 *        0 2435999 2436000  1.2G  0 Empty
 /dev/loop0p2        180   16567   16388    8M ef EFI (FAT-12/16/32)
 /dev/loop0p3      16644   54355   37712 18.4M ef EFI (FAT-12/16/32)
Mount A Loop Partition (mount):
 [root@vortex livecd]# mount -v /dev/loop0p3 /mnt/vfat;
 mount: /dev/loop0p3 mounted on /mnt/vfat.
 [root@vortex livecd]# df -h;
 Filesystem                 Size  Used Avail Use% Mounted on
 devtmpfs                   5.9G     0  5.9G   0% /dev
 tmpfs                      5.9G     0  5.9G   0% /dev/shm
 tmpfs                      5.9G  1.5M  5.9G   1% /run
 /dev/mapper/vortex32-root  105G   26G   80G  25% /
 tmpfs                      5.9G     0  5.9G   0% /tmp
 /dev/sda1                  976M  222M  687M  25% /boot
 /dev/mapper/vortex30-root   53G   36G   18G  67% /NST30
 tmpfs                      1.2G  4.0K  1.2G   1% /run/user/1000
 /dev/loop0p3                19M   12M  7.2M  62% /mnt/vfat
Unmount and Release loop device:
 [root@vortex livecd]# umount /mnt/vfat;
 [root@vortex livecd]# losetup -d /dev/loop0;