RE: unable to mount fs for forensics

Thanks for all the replies, none of them seemed to work for me though!

Anyway I got it working using the below commands. BUT my question to the forensics guru's is will using the losetup and mke2fs effect the integrity of the dd image, I notice the inodes table gets updated... Is this a problem? I notice when I do a df -h from the source and destination (once mounted) I get different values?

[root@fanta /root]# losetup /dev/loop0 hda5.bs1024.dd [root@fanta /root]# mke2fs /dev/loop0 1024 mke2fs 1.18, 11-Nov-1999 for EXT2 FS 0.5b, 95/08/09 Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
128 inodes, 1024 blocks
51 blocks (4.98%) reserved for the super user First data block=1
1 block group
8192 blocks per group, 8192 fragments per group 128 inodes per group

Writing inode tables: done Writing superblocks and filesystem accounting information: done [root@fanta /root]# mount -o ro /dev/loop0 /mnt/boot/ [root@fanta /root]# mount
/dev/hda5 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hda1 on /boot type ext2 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620) /dev/loop0 on /mnt/boot type ext2 (ro)
[root@fanta /root]#

-----Original Message-----
From: Eugen Cocalea [mailto:eugen@isratech.ro] Sent: Monday, December 30, 2002 6:16 PM
To: Susan Chan Lee
Cc: forensics@securityfocus.com
Subject: Re: unable to mount fs for forensics

Hi,

I tried the same process as you did. I got first a failure and then, moving to a different machine and repeating the process, success.

first machine (failure)

- RedHat Linux 7.1
- kernel 2.4.5 (pretty fancy optioned)
- fileutils 4.0.36
- mount-2.11b

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

second machine (success)

- RedHat Linux 7.2
- kernel 2.4.8
- fileutils 4.1
- mount-2.11g

trying

mount -o loop image.dd /mountpoint -vv

I get:

mount: going to use the loop device /dev/loop3 set_loop(/dev/loop3,ttt/image2.dd,0): success mount: setup loop device successfully
EXT2-fs: loop(7,3): couldn't mount because of unsupported optional features (4).del_loop(/dev/loop3): success mount: wrong fs type, bad option, bad superblock on /dev/loop3,

       or too many mounted file systems

so loop is no problem, i suppose that either defaults option of mount are a problem or dd.

-- 
Eugen Cocalea				||	eugen@isratech.ro
ex - Network Administrator @ isratech.ro||	Phone: +40 232 219992
						Cell: +40 723 605070

On Dec 27, 2002, 1:59pm, Susan Chan Lee wrote:

|SCL|Hi All


|SCL|tracking system please see: http://aris.securityfocus.com






-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com