±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36134
New Yesterday: 6 Visitors: 163

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Mounting an image

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Apr 04, 07 00:12

Marat,

Thanks! I'm glad you shared that...that's the kind of thing the community needs more of.

H  
 
  

cosimo
Member
 

Re: Mounting an image

Post Posted: Apr 04, 07 15:12

Harlan,

there is also a GUI for VDK that works fairly well. I've used it quite effectively in the past, and it can be found on petruska.stardock.net/...Mware.html where you can find also other useful VMWare-related disk manipulation software.

Speaking of which, sometimes (I would say about 20% of the times) I've had stability problems when using the VDK driver on a Windows XP SP2 machine, that crashed (with the BSOD) when I unmounted a dd image. Did you experience similar problems?

Cheers,
-- Cosimo  
 
  

Marat
Member
 

Re: Mounting an image

Post Posted: Apr 04, 07 15:37

cosimo,
I've had stability problems when using the VDK driver on a Windows XP SP2 machine, that crashed (with the BSOD) when I unmounted a dd image. Did you experience similar problems?


I am used vdk long time and dont have any problems on Windows XP SP2.  
 
  

jaclaz
Senior Member
 

Re: Mounting an image

Post Posted: Nov 16, 07 21:56

Hallo,
I am the author of the everyday increasingly outdated small pseudo-GUI for VDK.EXE you can find here:
home.graffiti.net/jacl...M/vdm.html

I just want to let you know that a handy way to mount "dd-like" images is to use VMWare 2.00 .pln descriptor files, see this:
www.msfn.org/board/ind...80281&st=1
This way the "dd-like" image can be mounted with the "correct" geometry, as VDK defaults normally to a 64/32 one.

To automatically create a .pln file descriptor for the image you have, you are free to "borrow" code from this other small batch of mines (MBRbatch/Mkimg):
www.boot-land.net/foru...t3191.html

Moreover, there is a new Filesystem driver, IMDISK:
www.ltr-data.se/opencode.html
www.boot-land.net/foru...k-f59.html
(you will need to specify a "hidden sectors" offset to mount "full" HD images)

Here is a thread where I try to collect all links I can find to Ramdisk/Filedisk drivers:
www.boot-land.net/foru...topic=1507

Finally, there are a number of absolutely FREEWARE "dd-like" tools for Windows, I use a lot dsfo/dsfi from the DSFOK toolkit:
members.ozemail.com.au.../freeware/

But in this thread there are a few other options:
www.911cd.net/forums//...opic=16534

jaclaz  
 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Nov 17, 07 01:32

jaclaz,

I'm finding that the IMDisk utility keeps wanting to format the drive whenever I mount a dd image file as a drive. My goal is to open an image file ("image.dd") and mount it as an F:\ drive, as read-only.  
 
  

jaclaz
Senior Member
 

Re: Mounting an image

Post Posted: Nov 17, 07 14:53

- keydet89
jaclaz,

I'm finding that the IMDisk utility keeps wanting to format the drive whenever I mount a dd image file as a drive. My goal is to open an image file ("image.dd") and mount it as an F:\ drive, as read-only.

If the "dd image" is that of a "whole" hard disk, you need to supply IMDISK the correct offset to the bootsector of the partition you want to mount, making it skip the MBR+hidden sectors.
On most of modern hard disks, geometry is set to nx255x63, so the first partition is 63 sectors away from the beginning.
Consequently, you need to tell IMDISK to have an "Image file offset" of 63 and set the "Unit of image offset" as blocks, or set "Image file offset" to 63x512=32256 and set the "Unit of image offset" as bytes.
If the volume you want to mount is second or further partition, you need to find it's start (the bootsector) and "feed" it to IMDISK.

VDK, on the other hand, parses the contents of the MBR and mounts partition(s) correctly.

In other words, VDK is a "Virtual Hard Disk" driver, whilst IMDISK is a "Virtual Partition" or "Virtual Filesystem" driver.

VDK creates in 2K/XP a normal "low-level" drive link, like \\.\PHYSICALDRIVEn, whilst IMDISK treats each mounted volume as it were a "superfloppy".

If you use (as you should until you get familiarity with IMDISK) the control panel GUI, and mount an image with the wrong offset, the data in the "Filesystem" column will be "N/A", whilst if you mount it with the right one, the correct filesustem type will appear (of course limited to FAT, FAT32 or NTFS unless you have some other IFS filesystem drivers installed).

jaclaz  
 
  

keydet89
Senior Member
 

Re: Mounting an image

Post Posted: Nov 17, 07 17:48

Jaclaz,

Thanks. I think I'll stick w/ VDK...

H  
 

Page 6 of 10
Page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9, 10  Next