Ubuntu - Mount - Loopback mount full-disk 'dd' images

Carving out partitions from within a full disk “dd” image by running it through another “dd” is highly inefficient both in terms of disk space and analyst time used.

A better method is to use a loopback mount.

Loopback mount supports an “offset” parameter that lets you mount a partition directly from within a larger full-disk image:

/media/disk-1# ls -al
 
total 39082701
drwxrwxrwx 1 root root 4096 2009-07-12 13:33 .
drwxr-xr-x 4 root root 4096 2009-08-18 19:04 ..
-rwxrwxrwx 1 root root 878 2009-07-07 11:46 fdisk
-rwxrwxrwx 1 root root 701 2009-07-07 11:47 hdparm
-rwxrwxrwx 2 root root 40020664320 2009-07-07 14:34 image-sda
-rwxrwxrwx 1 root root 43 2009-07-07 12:02 md5sum
-rwxrwxrwx 1 root root 43 2009-06-29 13:13 md5sum-sda
drwxrwxrwx 1 root root 0 2009-07-11 19:03 $RECYCLE.BIN

/media/disk-1# fdisk -ul image-sda
 
You must set cylinders.
You can do this from the extra functions menu.
Disk image-sda: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9c879c87
Device     Boot Start End      Blocks    Id System
image-sda1 *    63    78140159 39070048+ 7  HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(4863, 254, 63)

/media/disk-1# mount -o ro,loop,offset=32256 -t auto image-sda \
/media/image
 
/media/disk-1# cd ..
/media# cd image
 
/media/image# ls -1
 
AUTOEXEC.BAT
favorites
ntldr
Start Menu
blp
INFCACHE.1
pagefile.sys
System Volume Information
boot.ini
IO.SYS
Program Files
temp
CONFIG.SYS
MSDOS.SYS
RECYCLER
WINDOWS
Documents and Settings
NTDETECT.COM
spoolerlogs

The magic 32256 offset passed to “mount” is simply the start sector of the partition you are interested in (63 in this case) multiplied by the unit size in bytes (512 in this case): 63 × 512 = 32256.

If you have more than one partition, just repeat the above steps for the other slices.
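
The offset calculation for every partition at once, as an added example that is not part of the original page: it parses "fdisk -ul" output and prints one read-only mount command per partition without running it. The image-sda2 row is constructed for illustration, the mount points under /media are assumed, and the "sizelimit" loop option (which stops the loop device at the end of the partition) is an addition to the options used above.

```sh
#!/bin/sh
# Added example: derive loop-mount byte offsets from "fdisk -ul" output.

# Constructed sample input: the image-sda1 row is from the session above,
# the image-sda2 row is made up to show a second partition.
sample_fdisk_output() {
    cat <<'EOF'
Units = sectors of 1 * 512 = 512 bytes
Device     Boot Start    End      Blocks    Id System
image-sda1 *    63       78140159 39070048+ 7  HPFS/NTFS
image-sda2      78140160 78165359 12600     83 Linux
Partition 1 has different physical/logical endings:
EOF
}

# Reads fdisk -ul text on stdin; prints "<partition> <offset> <sizelimit>" in bytes.
partition_offsets() {
    awk '
        # "Units = sectors of 1 * 512 = 512 bytes" gives the unit size in bytes
        /^Units/ { for (i = 1; i <= NF; i++) if ($i == "bytes") unit = $(i - 1) }
        # Partition rows follow the "Device ... Start End" header line
        /^Device/ { in_table = 1; next }
        in_table && NF >= 5 {
            col = ($2 == "*") ? 3 : 2      # skip the Boot flag when present
            first = $col; last = $(col + 1)
            # Ignore trailing notes such as "Partition 1 has different ..."
            if (first !~ /^[0-9]+$/ || last !~ /^[0-9]+$/) next
            # %.0f keeps byte counts above 2^31 intact in every awk
            printf "%s %.0f %.0f\n", $1, first * unit, (last - first + 1) * unit
        }
    '
}

# Prints (does not run) a read-only mount command for each partition.
# $1 = image file, $2 = directory holding the mount points (assumed layout)
mount_commands() {
    partition_offsets | while read -r part offset limit; do
        printf 'mount -o ro,loop,offset=%s,sizelimit=%s -t auto %s %s/%s\n' \
            "$offset" "$limit" "$1" "$2" "$part"
    done
}

sample_fdisk_output | mount_commands image-sda /media
```

Against a real image, feed it with "fdisk -ul image-sda | mount_commands image-sda /media" and create the mount points before running the printed commands.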


ubuntu/mount/loopback_mount_full-disk_dd_images.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1
