Disk Images
Overview
When trying to do forensics or recovery on a disk, it is often desirable to make a copy of the entire disk to a single file (a "disk image").
Making A Copy Of A Disk
Making a copy of a disk is a relatively simple process as long as you have enough free space on another disk to copy the disk image to.
- Identify the device entry for the disk (something like: /dev/sda).
- Copy the device entry to a file on a different disk.
You can use the fdisk -l command to help identify the disk device entries. For example:
[root@cayenne-e ~]# fdisk -l

Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8da2c67c

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1       13055   104857600    7  HPFS/NTFS
/dev/sda2           29094       30400    10485760   1b  Hidden W95 FAT32
/dev/sda3           30400       30401       16064+  ef  EFI (FAT-12/16/32)
/dev/sda4           13056       29093   128825235    5  Extended
/dev/sda5   *       13056       13081      204800   83  Linux
/dev/sda6           13081       18180    40959999+  83  Linux
/dev/sda7           18181       18310     1044193+  83  Linux

Partition table entries are not in disk order

Disk /dev/sdb: 62 MB, 62390272 bytes
255 heads, 63 sectors/track, 7 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0003bc6e

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1           5       40131    b  W95 FAT32
/dev/sdb2               6           7       16065   83  Linux
[root@cayenne-e ~]#
The above output indicates that there are two disks on the system: /dev/sda (250GB) and /dev/sdb (62MB). The following command copies the contents of the 62MB disk (/dev/sdb) to the file /tmp/disk.img:
[root@cayenne-e ~]# cp /dev/sdb /tmp/disk.img
[root@cayenne-e ~]#
Now that we have a copy of the physical contents of /dev/sdb, we no longer need to access /dev/sdb directly.
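The copy step above is where a forensic image is won or lost: a plain cp stops at the first read error, and without a recorded hash there is no way to show later that the image still matches the disk. The script below is an added example, not code from the original page. It images a device (or any file standing in for one, which is what the constructed run at the bottom uses) sector by sector, zero-fills any sector that cannot be read so that every later partition offset in the image stays correct (the behaviour of dd's conv=noerror,sync), and returns the SHA-256 of what was written so it can be compared with the source. The function and file names are my own.

```python
"""Added example (not from the original page): sector-by-sector imaging with
zero-fill of unreadable sectors and a SHA-256 of the resulting image."""
import hashlib
import os
import tempfile

SECTOR = 512  # sector size assumed throughout, matching fdisk's "16065 * 512" units


def image_device(src_path, dst_path, block_size=SECTOR):
    """Copy src_path to dst_path one block at a time.

    A block that raises an I/O error is replaced by zeros and skipped, as
    dd conv=noerror,sync would do, so the image keeps the same offsets as
    the disk. Returns byte count, number of zero-filled blocks and the
    SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    bad_blocks = 0
    pos = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                # Unreadable sector: pad with zeros and move past it explicitly,
                # because the file position is undefined after a failed read.
                chunk = b"\x00" * block_size
                bad_blocks += 1
                src.seek(pos + block_size)
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            pos += len(chunk)
    return {"bytes": pos, "bad_blocks": bad_blocks, "sha256": digest.hexdigest()}


def sha256_file(path):
    """Independent hash of a whole file, used to verify source and image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_demo():
    """Constructed stand-in for /dev/sdb: a 64 KiB file whose every sector is
    filled with its own sector number. Images it and returns
    (result, sha256 of source, sha256 of image)."""
    with tempfile.TemporaryDirectory() as tmp:
        dev = os.path.join(tmp, "fake_sdb")   # hypothetical device file
        img = os.path.join(tmp, "disk.img")
        with open(dev, "wb") as f:
            for n in range(128):  # 128 sectors * 512 bytes = 64 KiB
                f.write(n.to_bytes(4, "little") * (SECTOR // 4))
        result = image_device(dev, img)
        return result, sha256_file(dev), sha256_file(img)


if __name__ == "__main__":
    result, src_hash, img_hash = run_demo()
    print(result)
    print("source hash matches image hash:", src_hash == img_hash)
```

On a real system the source would be /dev/sdb (read as root, ideally behind a hardware write blocker), and the returned hash belongs in the case notes next to the image file. The equivalent command-line form is dd if=/dev/sdb of=/tmp/disk.img bs=512 conv=noerror,sync followed by sha256sum on both the device and the image.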
Listing The Partitions In A Disk Image
You can print the partition table of a "disk image" (a file containing the raw contents of a disk) using the fdisk command as shown below:
[root@cayenne-e ~]# fdisk -l /tmp/disk.img
You must set cylinders.
You can do this from the extra functions menu.

Disk /tmp/disk.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0003bc6e

         Device Boot      Start         End      Blocks   Id  System
/tmp/disk.img1               1           5       40131    b  W95 FAT32
/tmp/disk.img2               6           7       16065   83  Linux
[root@cayenne-e ~]#
Mounting A Partition From A Disk Image
Mounting a partition within a disk image is a bit trickier: you must first compute the byte offset from the start of the image to the start of the partition. To compute the offset, you need the following values from the output of fdisk -l IMAGE_FILE:
- T - The sectors/track value
- U - The size of each unit
- 512 - The constant 512 (this may be the sector-size multiplier shown in the Units line of the fdisk output)
- S - The starting unit (from the Start column)
The offset to the partition is then computed as follows:
((S - 1) * U) + (T * 512)
For example, take a look at the partition table within the disk image /tmp/disk.img:
[root@cayenne-e ~]# fdisk -l /tmp/disk.img
You must set cylinders.
You can do this from the extra functions menu.

Disk /tmp/disk.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0003bc6e

         Device Boot      Start         End      Blocks   Id  System
/tmp/disk.img1               1           5       40131    b  W95 FAT32
/tmp/disk.img2               6           7       16065   83  Linux
[root@cayenne-e ~]#
In the output above, if we wanted to mount the second partition (Linux) shown in the partition table, we would set T=63, U=8225280, and S=6 and compute the offset as follows:
((6 - 1) * 8225280) + (63 * 512)
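The partition listing and the offset computation above both come from fdisk's cylinder-based view of the table. The image itself carries the same information in a form that needs no geometry arithmetic: each 16-byte entry of the MBR in sector 0 stores the partition's starting sector as a 32-bit LBA, and LBA times 512 is the byte offset. The script below is an added example, not code from the original page; it parses that table directly from an image, computes each partition's offset from the LBA field, and puts the page's formula next to it for comparison. The MBR it reads is constructed here to mirror the page's /tmp/disk.img table: partition 1 starts on track 1 of the first cylinder (sector 63), and partition 2, whose 16065 blocks are 32130 sectors, exactly two cylinders, starts on the cylinder boundary at sector 5 * 16065 = 80325. The page's formula matches the LBA offset for partition 1; for partition 2 the T * 512 term adds one extra track, which is why reading the LBA field is a worthwhile cross-check before handing an offset to mount. Function and variable names are my own.

```python
"""Added example (not from the original page): derive partition byte offsets
from the MBR's LBA start fields and compare with the cylinder formula."""
import struct

SECTOR = 512           # bytes per sector, as in fdisk's Units line
SECTORS_PER_CYL = 16065  # 255 heads * 63 sectors/track, from the page's output
UNIT = SECTORS_PER_CYL * SECTOR   # 8225280 bytes per cylinder


def fdisk_offset(S, U, T, sector=SECTOR):
    """The page's formula: ((S - 1) * U) + (T * 512), S from the Start column,
    U the unit size in bytes, T the sectors/track value."""
    return ((S - 1) * U) + (T * sector)


def parse_mbr(mbr):
    """Parse the four primary entries of a classic MBR (sector 0).
    Entry layout: boot flag, CHS start (3 bytes), type id, CHS end (3 bytes),
    LBA start (uint32 LE), sector count (uint32 LE)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature 0x55AA at bytes 510-511")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, ptype, lba_start, nsectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:          # empty slot
            continue
        parts.append({
            "index": i + 1,
            "boot": boot == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": nsectors,
            "offset": lba_start * SECTOR,   # byte offset usable as a loop-mount offset
        })
    return parts


def _entry(boot, ptype, lba_start, nsectors):
    # CHS fields are left zero: LBA is what matters for the offset.
    return struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, nsectors)


def constructed_mbr():
    """Constructed sector 0 mirroring the page's table: 0x0b (W95 FAT32) at
    LBA 63 for 80262 sectors (40131 blocks), 0x83 (Linux) at LBA 80325 for
    32130 sectors (16065 blocks)."""
    table = _entry(False, 0x0b, 63, 80262) + _entry(False, 0x83, 80325, 32130)
    table += bytes(32)          # two unused entries
    return bytes(446) + table + b"\x55\xaa"


def compare(parts, U=UNIT, T=63):
    """For each partition: fdisk-style Start cylinder (1-based cylinder holding
    the first sector), the page-formula offset, and the LBA-derived offset."""
    rows = []
    for p in parts:
        S = p["lba_start"] // SECTORS_PER_CYL + 1
        rows.append((p["index"], S, fdisk_offset(S, U, T), p["offset"]))
    return rows


if __name__ == "__main__":
    for idx, S, formula, lba in compare(parse_mbr(constructed_mbr())):
        print(f"partition {idx}: Start={S} formula={formula} lba_offset={lba}")
```

Run against a real image, the first 512 bytes of the file go into parse_mbr, and the offset value is what a read-only loop mount takes in its offset= option. Keep the mount read-only so that the image stays identical to the hash recorded when it was made.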
So, to mount the second partition, we would use the following command sequence: