
Re: unable to mount fs for forensics

From: Stephen Samuel <samuel(at)bcgreen.com>
Date: Mon Dec 30 2002 - 18:57:01 EST

Susan Chan Lee wrote:
> Thanks for all the replies, none of them seemed to work for me though!
....
> [root@fanta /root]# losetup /dev/loop0 hda5.bs1024.dd
.....
> [root@fanta /root]# mount -o ro /dev/loop0 /mnt/boot/

It seems to me that you just formatted the disk image. If you look in /mnt/boot, I expect that all you'll see is the (newly created) lost+found directory.
I hope you were using a spare copy of the file to do this.

Have you tried

    file hda5.bs1024.dd
??
It should identify what the image you have is.

It may be a compressed partition. I'd also peel off a couple of blocks of the file (256 bytes at a time) and see if you have a recognizable file type...

    dd if=somefile of=somefile2 bs=256 skip=1 count=10000

That'll peel off a maximum of 2MB of the image, skipping the first 256 bytes. More than enough for 'file' to do its work (and enough for 'mount' to recognize (and possibly choke on) the nub of a filesystem).

Note that losetup allows a user to mount at an offset (with 1 byte granularity) and/or use an encrypted file.


BTW: To verify the integrity of the HD image, I'd do an md5sum of the image file and keep the results somewhere safe (so that you can always verify it). Even better yet, use pgp or gpg to create a signed digest of the file. That's much more likely to keep a court happy. You'd be best off if you can get an independent 3rd party to sign your signed digest.

> [root@fanta /root]# mount -o ro /dev/loop0 /mnt/boot/

> trying

Try getting a recent version of Linux (I'm using Redhat 8.0). More recent versions tend to be able to handle more FS types better.

You don't need a fast machine to do this. Get yourself an old P2/200, put a disk on it and load Redhat. You might want to try BSD as well. It doesn't look like Linux is very good at reading BSD images.

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Wed Jan 1 20:48:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:42 EDT
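
The 256-bytes-at-a-time probing, the losetup offset and the md5sum check suggested in the message can be combined into one read-only scan. This is an added example, not part of the original post; it assumes the image holds an ext2/ext3 filesystem (the thread does not establish the type), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the image is only ever opened for reading.

# An ext2/ext3 superblock starts 1024 bytes into the filesystem; its 2-byte
# magic 0xEF53 (stored little-endian as 53 ef) sits 56 bytes into the superblock.
EXT2_MAGIC_OFF=1080

# Print the two bytes at absolute offset $2 of file $1 as hex, e.g. "53ef".
bytes_at() {
    dd if="$1" bs=1 skip="$2" count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Scan file $1 in $2-byte steps up to offset $3 and print every offset at
# which a filesystem with the ext2 magic would begin.
find_ext2_offsets() {
    local img="$1" step="${2:-256}" limit="${3:-65536}" off=0
    while [ "$off" -le "$limit" ]; do
        if [ "$(bytes_at "$img" $((off + EXT2_MAGIC_OFF)))" = "53ef" ]; then
            echo "$off"
        fi
        off=$((off + step))
    done
}

# Hash the image before and after the scan; return non-zero if it changed.
scan_image() {
    local img="$1" before after
    before=$(md5sum < "$img")
    find_ext2_offsets "$img" 256 65536
    after=$(md5sum < "$img")
    [ "$before" = "$after" ]
}

# Constructed sample input: 8 KiB of zeros with the magic planted as if a
# filesystem began at byte 512.
make_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=8 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=$((512 + EXT2_MAGIC_OFF)) conv=notrunc 2>/dev/null
}

# Usage: sh scan.sh image.dd   (does nothing when no argument is given)
if [ -n "${1:-}" ]; then scan_image "$1"; fi
```

Any offset it prints is a candidate value for losetup's offset option (`-o`) on a working copy of the image. A two-byte magic can match by chance, so confirm a hit with `file` on a chunk carved from that offset.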

