±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 3 Overall: 35875
New Yesterday: 2 Visitors: 147

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

DMG Joiner

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

bjh505
Member
 

DMG Joiner

Post Posted: Apr 17, 18 13:07

Hello,

I have a DMG image that is in three segments .dmg, .002.dmgpart, and .003dmgpart that my forensic tools (Griffeye, IEF) are having issues reading. What I would like to do is combine them into one full .dmg image (which I would assume will alleviate the problem). Is there a command I could use in the terminal that can combine these parts? Do not want to us a third party tool if I do not have to...

Have tried various commands with "hdiutil convert" so far and it just recreates the exact same parts unattached. Thank you.  
 
  

mcman
Senior Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 14:08

I don't have a joiner program to suggest but curious what created the segmented DMG? I can work with our guys to add support for it, just need a few sample DMG images. We'll support regular DMGs, I just haven't seen the segmented ones before in any of the tools I use.

Let me know and I'll talk to our guys about adding it in.

Jamie McQuaid
Magnet Forensics  
 
  

jaclaz
Senior Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 14:14

- bjh505

Have tried various commands with "hdiutil convert" so far with no success. Thank you.


Which EXACT command(s) did you try?

Should be:

Code:
hdiutil convert firstFile.dmg -format UDRO -o output.dmg
or
Code:
hdiutil convert firstFile.dmg -format UDRW -o output.dmg

it should get the .002.dmgpart and .003.dmgpart automatically.

ss64.com/osx/hdiutil.html
apple.stackexchange.co...anage-them

However most probably they are simply "dd images" that can be concatenated with dd or with a cat command.

@macman
It is seemingly a built-in functionality of hdiutil, see the above links, the GUI tool seems like being able to create the segmented images but not to re-merge them together? Question

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Apr 17, 18 14:34; edited 1 time in total
 
  

bjh505
Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 14:32

This exact command: "hdiutil convert firstFile.dmg -format UDRO -o output.dmg" even tried segment sizing with -segmentSize 03t to no avail.

It is not combing the parts just copying them "as is" to the new output. Would the UDRW format make any difference?  

Last edited by bjh505 on Apr 17, 18 15:00; edited 1 time in total
 
  

bjh505
Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 14:37

- mcman
I don't have a joiner program to suggest but curious what created the segmented DMG? I can work with our guys to add support for it, just need a few sample DMG images. We'll support regular DMGs, I just haven't seen the segmented ones before in any of the tools I use.

Let me know and I'll talk to our guys about adding it in.

Jamie McQuaid
Magnet Forensics


Hello Jamie,

We do not have a MAC imaging tool outside of Paladin and it does not recognize FileVault encryption or a way to dismantle it so I just used our Mac Station to create a .DMG. However, it is a 3TB External drive and is segmenting the image into parts 001.dmgpart etc (there is nothing I have seen to prevent this from happening using the Disk Utility App. IEF will read the first part but not the second and third. Currently using IEF 6.7.2. Thank you.  
 
  

mcman
Senior Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 15:07

Thanks for the extra info guys, I suspect it's the .dmgpart extension at the end that's throwing our tools off as we'll join most other types of segmented files (001/002 or 0001/0002, zip/z01/z02,etc.). I chat with the devs to see if we can add it in. Totally makes sense to segment those as well especially when dealing with images that size.

@jaclaz, thanks for the tool suggestion, I'll use it to create a few samples of my own for testing.

Jamie  
 
  

jaclaz
Senior Member
 

Re: DMG Joiner

Post Posted: Apr 17, 18 15:55

- bjh505
Would the UDRW format make any difference?

No.
It is possible (the man is not at all clear in this regard) that the "reassembling feature" in hdiutil was only present in some peculiar OSX version.

Try using dd or cat, it is confirmed that those images are just "dd" or "raw" chunks that you can concatenate:
www.blackbagtech.com/b...rt-3-of-3/


As a final note in this series, it's important to understand that a .dmg file is the same as a raw ".dd" file. It simply has a different extension. You can arbitrarily change the extension from .dd to .dmg and back again. The advantage to using .dmg extension is that on a Mac, you can double-click the file to mount it as a volume. The latter isn't possible to do if the file has a .dd extension.

There is a difference when it comes to split images. For raw .dd images, the extensions are just a sequence such as .000, .001, .002 and so on. For .dmg files, they need to be set as .dmg for the first segment, .002.dmgpart for the second, .003.dmgpart for the third and so on.


It seems like you should be able to mount the whole image by mounting just the 1st part and then you can re-image the mounted image, though it seems overkill.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 

Page 1 of 1