
RE: Linux, dd, and image file

From: <jcreyes(at)007mundo.com>
Date: Wed Apr 02 2003 - 10:14:10 EST


Hi.

Maybe the easiest way to image that disc is using dd for each partition, if possible (you must be able to see the partitions through fdisk), and issue a 'dd if=/dev/hdcN of=testingN.bin'.

If you use software like @Stake's Autopsy Forensic Browser, you can simply take the image of each partition (read only) and point to it without having to mount it. It will work fine, but you must be aware that you are extracting data directly from the image... so take care of the md5sum, three copies, etc, etc.. ;)

Of course mounting the image on the loopback device with an offset is the solution for imaging the entire disk :)

Regards,

Juan Carlos Reyes M
Security Consultant
Digiware de Colombia
Bogotá

Phone: 57 1 6232474  

-----Original Message-----

From:	"Luis Gomez" 
Sent:	Tuesday, April 01, 2003 10:30 PM
To:	"Sabol, Paul" 
Cc:	"forensics@securityfocus.com" 
Subject: Re: Linux, dd, and image file

It's perfectly possible, but you forgot an important point: you imaged a DRIVE, and want to mount a PARTITION. IIRC, there are 63 blocks of 512 bytes between the beginning of the disk and the beginning of the partition, so how about losetup /dev/loop0 testing.bin -o 63

Maybe it's not 63 (though I think it is), but anyway this is the way to go. Later you can mount it with no problem.

Regards

        Pope



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Apr 2 10:54:30 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
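
Added example (not part of the original messages): a shell function that reads the MBR partition table of a whole-drive dd image and prints where a partition starts as a byte offset, which is the unit `losetup -o` expects (start sector times 512). It covers only the four primary MBR entries and assumes 512-byte sectors; the function names and the sample image are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: find where a partition starts inside a
# raw dd image of a whole drive, as a byte offset for `losetup -o`.
SECTOR_SIZE=512   # assumption: 512-byte sectors, as stated in the thread

# le32 FILE POS: print the little-endian 32-bit integer stored at byte POS.
le32() {
    _f=$1; _pos=$2
    set -- $(od -An -tu1 -j "$_pos" -N 4 "$_f")
    [ $# -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# mbr_part_offset IMAGE N: print the byte offset of primary partition N (1-4).
mbr_part_offset() {
    img=$1; n=$2
    case $n in [1-4]) ;; *) echo "partition must be 1-4" >&2; return 2 ;; esac
    # A valid MBR ends with the bytes 55 AA at offsets 510-511.
    sig=$(od -An -tx1 -j 510 -N 2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature in $img" >&2; return 1; }
    # Four 16-byte entries start at byte 446: type at +4, start LBA at +8.
    entry=$(( 446 + 16 * (n - 1) ))
    ptype=$(od -An -tu1 -j $(( entry + 4 )) -N 1 "$img" | tr -d ' \n')
    [ "$ptype" -ne 0 ] || { echo "partition $n is unused" >&2; return 1; }
    start=$(le32 "$img" $(( entry + 8 ))) || return 1
    echo $(( start * SECTOR_SIZE ))
}

# make_sample_image FILE: constructed test data, a 2-sector image whose first
# partition entry is type 0x83 starting at sector 63.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=2 2>/dev/null
    printf '\203' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\077\000\000\000' | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Typical use against the thread's image (read-only loop device):
#   losetup -r -o "$(mbr_part_offset testing.bin 1)" /dev/loop0 testing.bin
```

Attaching the loop device with `-r` keeps the image read-only, so its md5sum stays the same before and after examination.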

