Mount split dd image on linux
Posted: Wed Mar 31, 2010 5:58 pm
Hi all,
almost every imaging tool nowadays splits the acquired image by default into chunks of 2/4 GB. Hard disks keep growing, and it often happens that one has to deal with 500 GB -> 1 TB raw images, sometimes even bigger.
In Windows there are plenty of tools - some of them free of charge - which can mount a split image and let users browse through the files or even map its filesystems to drive letters (Paraben P2 Explorer, FTK Imager, ImDisk, Pro Discover Basic and others).
In Linux, tools such as TSK with Autopsy/PTK or PyFLAG can cope with split images for tasks like file analysis, string search, carving, file retrieval, etc... but when it comes to mounting such images the answer is always the same: first "cat image* > bigimage.dd" and then mount the single partitions contained in bigimage.dd.
The "cat image*" part might mean concatenating hundreds or even thousands of chunks - which might take hours and twice the space of the original split image - only to be able to mount the image. I'd like to comfortably browse/search/copy files without being forced to browse the FS through web interfaces such as Autopsy/PyFLAG/PTK. Furthermore, processes such as Super Timeline creation, registry/event/prefetch analysis, browser history tracking, etc... require the FS to be mounted in order to extract the target files.
The final question is - you might have guessed - is there a way to mount split dd raw images under Linux without being forced to join the parts into a single big image? My first thought goes to a kind of loop device which can map the multiple chunks to a single file, a kind of abstraction/mapping layer in other words.
Thanks for your help,
Paolo
-

pakim - Member
Re: Mount split dd image on linux
Posted: Mon Apr 05, 2010 7:41 am
Hi Paolo,
Sure, SMART for Linux by ASR Data!
Cheers!
farmerdude
www.onlineforensictraining.com
www.forensicbootcd.com
-

farmerdude - Senior Member
Re: Mount split dd image on linux
Posted: Mon Apr 05, 2010 8:32 am
The most recent issue of the ITB showcases a tool called "poorcase" that does exactly that!
intotheboxes.wordpress...issue-0x1/
-

keydet89 - Senior Member
Re: Mount split dd image on linux
Posted: Wed Apr 07, 2010 3:23 pm
Thanks Farmerdude
When possible, I tend to privilege OS/free software, but I will give SMART a try.
Thanks Harlan,
poorcase seems a good project, I'll follow the course of its development and possibly contribute.
Googling around, I read about using mdadm to mount the split image as if it were a RAID0 striped disk array, then read about creating a vmdk file out of the raw chunks and mounting it, and I eventually ran into afflib, which sounded interesting. From the afflib.org FAQs:
What disk image formats does affuse support?
The same disk image formats as AFFLIB: raw, splitraw, AFF, AFD, AFM, EnCase, and VMDK (currently). Of course, it doesn’t make a whole lot of sense to use affuse to mount a raw image, since that would just turn a raw image into a raw image. Why would you want to do that?
Humm... splitraw... maybe it makes a bit of sense (to me, at least) to use affuse to mount a raw image instead of AFF images (with all due respect to AFF images!).
Take a big disk imaged in, say, 80 chunks with tools like FTK Imager or dc3dd or many others, stored on a file system with limits on file sizes (e.g. FAT): mysplitrawimage.001, mysplitrawimage.002, ..., mysplitrawimage.080
# affuse mysplitrawimage.001 /mnt/fuse
# ls /mnt/fuse
mysplitrawimage.001.raw
(the size of mysplitrawimage.001.raw is the same as the whole imaged disk, not the first chunk, though the name may be misleading)
mount -o ro,loop,offset=32256,show_sys_files /mnt/fuse/mysplitrawimage.001.raw /mnt/mymountedimage
In /mnt/mymountedimage there is the first partition of the raw image mounted and browsable. The same goes for the remaining partitions.
So it worked: I could mount the image and work seamlessly with files. No more need to join chunks on an ext/ntfs fs by cat-ting splitimage.0* > bigimage.raw. What do you think about this solution? Am I overlooking the reason(s) why I should buy software to accomplish this task, or use a script which turns files into block devices, used by device mapper, to reconstruct the disk from split disk images?
Thanks
Paolo
-

pakim - Member
Re: Mount split dd image on linux
Posted: Thu Apr 08, 2010 9:22 am
Affuse is a great solution -- we've used it to provide a DD-format version of EnCase images.
-

indur - Senior Member
Re: Mount split dd image on linux
Posted: Thu Apr 08, 2010 10:06 am
Hi Paolo,
If you have a method that works for you and you're happy with it, stick with it! I think SMART (and possibly others) may ease the pain, if you will, by "simply" providing a point-and-click interface that some folks may prefer over command line work. There may also be bells and whistles with the commercial apps ... logging, file system metadata, processing, etc., that all happen during the image import phase.
Cheers!
farmerdude
www.onlineforensictraining.com
www.forensicbootcd.com
-

farmerdude - Senior Member
Re: Mount split dd image on linux
Posted: Sun Aug 15, 2010 2:34 am
Just for the archives, the afflib solution also works on Mac OS,
but you need to install it with fuse/macfuse, which is not supported by the devs (you need to comment out a line in configure.ac and run autoconf).
Code:
$ mkdir /Volumes/fuse
$ affuse SCHARDT.001 /Volumes/fuse
$ file /Volumes/fuse/SCHARDT.001.raw
/Volumes/fuse/SCHARDT.001.raw: x86 boot sector, Microsoft Windows XP MBR, Serial 0xec5dec5d; partition 1: ID=0x7, active, starthead 1, startsector 63, 9510417 sectors, code offset 0xc0
$ hdiutil mount /Volumes/fuse/SCHARDT.001.raw
hdiutil: mount failed - not recognized
$ hdid /Volumes/fuse/SCHARDT.001.raw
hdiutil: mount failed - not recognized
$ fdisk /Volumes/fuse/SCHARDT.001.raw
Disk: /Volumes/fuse/SCHARDT.001.raw geometry: 592/255/63 [9514496 sectors]
Signature: 0xAA55
            Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 07    0   1   1 -  591 254  63 [        63 -    9510417] HPFS/QNX/AUX
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
$ disklabel /Volumes/fuse/SCHARDT.001.raw
disklabel: /Volumes/fuse/SCHARDT.001.raw must be a disk device
$ cp /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/SCHARDT.dmg
cp: /Volumes/fuse/SCHARDT.001.raw: Operation not permitted
$ ls -l /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/SCHARDT.dmg
-r-------- 1 user staff 4870635520 15 aoû 10:25 /Volumes/Data/SCHARDT.dmg
-r--r--r-- 1 root wheel 4871421952 1 jan 1970 /Volumes/fuse/SCHARDT.001.raw
$ hdiutil attach /Volumes/Data/SCHARDT.dmg
/dev/disk2 FDisk_partition_scheme
/dev/disk2s1 Windows_NTFS /Volumes/Untitled
## umount
$ ln -s /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/test.dmg
$ hdiutil attach /Volumes/Data/test.dmg
/dev/disk2 FDisk_partition_scheme
/dev/disk2s1 Windows_NTFS /Volumes/Untitled
-

juju22 - Newbie
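Two things in this thread are worth seeing in code: the "abstraction/mapping layer" Paolo asked for (which affuse provides for a splitraw set, exposing the chunks as one .raw the size of the whole disk), and where the offset=32256 in his mount command comes from (the first partition starts at sector 63, and 63 × 512 = 32256). juju22's Mac session shows the same arithmetic from the other side: fdisk reports 9514496 sectors, which is exactly the 4871421952 bytes that ls shows for the .raw view. The following is an added example written for this thread; it is not code from afflib, affuse, poorcase or any poster. It assumes chunk names end in a zero-padded numeric suffix (image.001, image.002, ...), 512-byte sectors and a classic MBR partition table (GPT is not parsed); the chunk set it reads is constructed in a temporary directory, so it runs offline.

```python
"""Mapping layer over a split raw (dd) image set, plus the MBR arithmetic
behind `mount -o loop,offset=...`.

Added example for this thread, not affuse's, poorcase's or any tool's code.
Assumptions: chunk suffixes are zero-padded numbers (image.001, image.002,
...), sectors are 512 bytes, the disk has a classic MBR (no GPT), and the
sample chunk set is constructed in a temp directory."""
import os
import re
import struct
import tempfile

SECTOR = 512


class SplitRawImage:
    """Read-only view of consecutive chunk files as one virtual byte stream,
    the role affuse plays for a 'splitraw' set."""

    def __init__(self, first_chunk):
        base, ext = os.path.splitext(first_chunk)
        if not re.fullmatch(r"\.\d+", ext):
            raise ValueError("expected a numeric chunk suffix such as .001")
        width, n = len(ext) - 1, int(ext[1:])
        self.chunks = []  # (virtual start offset, path, size), in disk order
        offset = 0
        while True:
            path = f"{base}.{n:0{width}d}"
            if not os.path.exists(path):
                break  # the first gap in the sequence ends the set
            size = os.path.getsize(path)
            self.chunks.append((offset, path, size))
            offset, n = offset + size, n + 1
        if not self.chunks:
            raise FileNotFoundError(first_chunk)
        self.size = offset  # what `ls -l` reports for the .raw view

    def read(self, offset, length):
        """Read `length` bytes at virtual `offset`, spanning chunk boundaries."""
        if offset < 0 or offset + length > self.size:
            raise ValueError("read beyond end of image")
        out = bytearray()
        for start, path, size in self.chunks:
            end = start + size
            if end <= offset or start >= offset + length:
                continue  # this chunk holds none of the requested range
            lo = max(offset, start) - start
            hi = min(offset + length, end) - start
            with open(path, "rb") as f:
                f.seek(lo)
                out += f.read(hi - lo)
        return bytes(out)


def mbr_partitions(img):
    """Parse the four MBR entries at 0x1BE; byte_offset is the mount offset."""
    mbr = img.read(0, SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR disk")
    parts = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] == 0 or sectors == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "type": entry[4],
                      "bootable": entry[0] == 0x80,
                      "start_sector": lba_start, "sectors": sectors,
                      "byte_offset": lba_start * SECTOR})
    return parts


def check_image(img):
    """Flag partitions extending past the bytes actually present: a missing
    or truncated chunk still lets the image mount, but reads would fail."""
    problems = []
    for p in mbr_partitions(img):
        end = (p["start_sector"] + p["sectors"]) * SECTOR
        if end > img.size:
            problems.append(f"partition {p['index']} ends at byte {end} "
                            f"but only {img.size} bytes are present")
    return problems


def build_sample_set(directory, chunk_size=4096, total_sectors=128):
    """Construct a tiny split set (sample.001..): an MBR with one NTFS-typed
    partition at sector 63, i.e. the 32256-byte offset used in the thread."""
    disk = bytearray(total_sectors * SECTOR)
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])  # active, type 07, dummy CHS
    entry += struct.pack("<II", 63, total_sectors - 63)      # LBA start, sector count
    disk[0x1BE:0x1BE + 16] = entry
    disk[510:512] = b"\x55\xaa"
    disk[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "     # OEM id of a boot sector
    for i in range(0, len(disk), chunk_size):
        name = os.path.join(directory, f"sample.{i // chunk_size + 1:03d}")
        with open(name, "wb") as f:
            f.write(disk[i:i + chunk_size])
    return os.path.join(directory, "sample.001"), bytes(disk)


def demo(drop_last_chunk=False):
    """Return (image size, first partition's mount offset, check problems,
    whether a read straddling a chunk boundary matches the original disk)."""
    with tempfile.TemporaryDirectory() as d:
        first, original = build_sample_set(d)
        if drop_last_chunk:
            os.remove(os.path.join(d, "sample.016"))  # simulate a lost chunk
        img = SplitRawImage(first)
        off = mbr_partitions(img)[0]["byte_offset"]
        # two sectors from the partition start cross the sample.008/.009 boundary
        boundary_ok = img.read(off, 2 * SECTOR) == original[off:off + 2 * SECTOR]
        return img.size, off, check_image(img), boundary_ok
```

Running demo() gives an image of 65536 bytes, a mount offset of 32256 and no problems; demo(drop_last_chunk=True) shrinks the view to 61440 bytes and check_image reports that the partition runs past the end of the data. Note what this check does and does not catch: in juju22's session the copied .dmg is 4870635520 bytes against 4871421952 for the .raw view, yet the partition (63 + 9510417 sectors = 4869365760 bytes) still fits inside the shorter copy, which is why it mounted; only comparing the total size against the acquisition's sector count exposes that copy as incomplete.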