RE: Linux, dd, and image file

Birger has it exactly right. fdisk -ul with give you the offset in sectors, multiply that number by 512 and you will have the offset in bytes for each partition, just in case you have more than one ;)

Oh, and there is a 2 GB limit for offsets with losetup, ie you can not go further than 2 GB into the disk for that partition you seek. This is a kernel limitation that has yet to be fixed. If someone has a modified kernel to fix this limit, please let me know!!!

Jason Upchurch

-----Original Message-----
From: Sabol, Paul [mailto:PSABOL@mgmmirage.com] Sent: Wednesday, April 02, 2003 4:53 PM
To: forensics@securityfocus.com
Subject: RE: Linux, dd, and image file

Ah, that got it. Now that I've stepped back and looked at your comments, it
makes perfect sense. Thanks to all for the assist.

-----Original Message-----
From: Grega Bremec [mailto:gregab@gbsoft.org] Sent: Tuesday, April 01, 2003 10:20 PM
To: forensics@securityfocus.com
Subject: Re: Linux, dd, and image file

...and on Tue, Apr 01, 2003 at 08:31:10AM -0800, Sabol, Paul used the keyboard:
<snip>
> Basically, I md5 the original drive, make a working directory on my
Linux
> drive, and then 'dd if=/dev/hdc of=testing.bin
conv=notrunc,noerror,sync".
> I then make a /mnt/windows directory to be used as the mount point and
chmod
> 777 this directory.

All well and fine, but you've just created an image of the entire hard drive, my friend, which is why mount is complaining, as there clearly isn't a valid superblock, but instead a master boot record. :)

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

You should check out the partition table using "fdisk -l /dev/hdc", then "dd if=/dev/hdc1 ..." if the NTFS partition is the first and/or the only one on that disk, or use the corresponding partition number.

<snip>
> I do the following:

Just a note: the following is also possible and saves you one step:

    $ mount -t ntfs -o loop ./testing.bin /mnt/windows

Cheers & good luck,

-- 
    Grega Bremec
    grega.bremec-at-gbsoft.org
    
http://najdi.si/
    
http://www.gbsoft.org/
    
http://www.noviforum.si/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com