Mount split dd image on linux

pakim
(@pakim)
Posts: 30
Eminent Member
Topic starter
 

Hi all,

almost every imaging tool nowadays splits the acquired images by default in chunks of 2/4 GB. Hard disks are increasingly growing and it often happens to deal with 500 GB -> 1 TB raw images, even bigger sometimes.

In windows there are plenty of tools - some of them free of charge - which can mount the split image and let users browse through the files or even map its filesystems to drive letters (Paraben P2 Explorer, FTK Imager, ImDisk, Pro Discover Basic and others).

In Linux, tools such as TSK with Autopsy/PTK or PyFLAG can cope with split images for tasks like file analysis, string search, carving, file retrieval, etc… but when it comes to mounting such images the answer is always the same: first "cat image* > bigimage.dd" and then mount the single partitions contained in bigimage.dd.

The "cat image*" part might mean concatenating hundreds or even thousands of chunks - which might take hours and twice the space as the original split image - only to be able to mount the image. I'd like to comfortably browse/search/copy files without being forced to browse the FS through web interfaces such as Autopsy/PyFLAG/PTK. Furthermore, processes such as Super Timeline creation, registry/event/prefetch analysis, browser history tracking, etc… require the FS to be mounted to extract the target files.

The final question is - you might have guessed - is there a way to mount split dd raw images under Linux without being forced to join the parts in a single big image? My first thought goes to a kind of loop device which can map the multiple chunks to a single file, a kind of abstraction/mapping layer in other words.

Thanks for your help,
Paolo

 
Posted : 01/04/2010 4:58 am
(@farmerdude)
Posts: 242
Estimable Member
 

Hi Paolo,

Sure, SMART for Linux by ASR Data!

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com

 
Posted : 05/04/2010 6:41 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The most recent issue of the ITB showcases a tool called "poorcase" that does exactly that!

http://intotheboxes.wordpress.com/2010/04/05/into-the-boxes-issue-0x1/

 
Posted : 05/04/2010 7:32 pm
pakim
(@pakim)
Posts: 30
Eminent Member
Topic starter
 

Thanks Farmerdude,
when possible I tend to privilege OS/free software but I will give SMART a try.

Thanks Harlan,
poorcase seems a good project, I'll follow the course of its development and possibly contribute.

Googling around I read about using mdadm to mount the split image as if it were a RAID0 striped disk array, then read about creating a vmdk file out of the raw chunks and mounting it, and I eventually ran into afflib, which sounded interesting. From the afflib.org FAQs:

What disk image formats does affuse support?
The same disk image formats as AFFLIB: raw, splitraw, AFF, AFD, AFM, EnCase, and VMDK (currently). Of course, it doesn't make a whole lot of sense to use affuse to mount a raw image, since that would just turn a raw image into a raw image. Why would you want to do that?

Humm… splitraw… maybe it makes a bit of sense (to me, at least) to use affuse to mount a raw image instead of AFF images (with all due respect to AFF images!).

Take a big disk imaged in, say, 80 chunks with tools like FTK Imager or dc3dd or many others, stored on a file system with limits on file sizes (e.g. FAT): mysplitrawimage.001, mysplitrawimage.002, …, mysplitrawimage.080

# affuse mysplitrawimage.001 /mnt/fuse

# ls /mnt/fuse
mysplitrawimage.001.raw

(the size of mysplitrawimage.001.raw is the same as the whole imaged disk, not the first chunk though the name may be misleading)

mount -o ro,loop,offset=32256,show_sys_files /mnt/fuse/mysplitrawimage.001.raw /mnt/mymountedimage

In /mnt/mymountedimage there is the first partition of the raw image mounted and browsable. The same goes for the remaining partitions.

So it worked, I could mount the image and work seamlessly with files. No more need to join chunks on an ext/ntfs fs by cat-ting splitimage.0* > bigimage.raw. What do you think about this solution? Am I overlooking the reason(s) why I should buy a software to accomplish this task, or use a script which turns files into block devices, used by device mapper, to reconstruct the disk from split disk images?

Thanks
Paolo

 
Posted : 08/04/2010 2:23 am
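As an added illustration of the "abstraction/mapping layer" Paolo is asking about (example code, not part of the thread and not afflib's own code): a small Python model that presents split raw chunks as one contiguous read-only image, the way affuse does for splitraw input, and parses the MBR to derive the byte offset handed to mount -o loop,offset=..., reproducing the 32256 (sector 63) used above. The chunks and the MBR are constructed inside the script so it runs offline.

```python
import bisect, struct

SECTOR = 512

class SplitRawImage:
    """Read-only view of split raw chunks (.001, .002, ...) as one contiguous image."""
    def __init__(self, chunks):
        self.chunks = chunks
        self.starts = []                      # byte offset where each chunk begins
        pos = 0
        for c in chunks:
            self.starts.append(pos)
            pos += len(c)
        self.size = pos

    def read(self, offset, length):
        """Read from the virtual image, crossing chunk boundaries as needed."""
        out = bytearray()
        while length > 0 and offset < self.size:
            i = bisect.bisect_right(self.starts, offset) - 1   # chunk holding offset
            local = offset - self.starts[i]
            piece = self.chunks[i][local:local + length]
            if not piece:                                      # empty chunk guard
                break
            out += piece
            offset += len(piece)
            length -= len(piece)
        return bytes(out)

def mbr_partition_offsets(img):
    """Parse the MBR; return (type, byte offset, byte size) per used entry, offset as for mount -o loop,offset=..."""
    mbr = img.read(0, SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for n in range(4):
        entry = mbr[446 + 16 * n:462 + 16 * n]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype and sectors:
            parts.append((ptype, lba_start * SECTOR, sectors * SECTOR))
    return parts

def build_sample_chunks(chunk_size=4096):
    """Constructed sample: 64 KiB 'disk', one NTFS (0x07) partition at sector 63, split into 4 KiB chunks."""
    disk = bytearray(128 * SECTOR)
    disk[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 64)
    disk[510:512] = b"\x55\xaa"
    disk[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "   # OEM ID of an NTFS boot sector
    return [bytes(disk[i:i + chunk_size]) for i in range(0, len(disk), chunk_size)]
```

With a real split image you would feed the chunk files in sorted order; the partition offset returned for entry 1 is the value that mount -o loop,offset= expects, whether the virtual file comes from affuse or from a layer like this one.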
(@indur)
Posts: 67
Trusted Member
 

Affuse is a great solution – we've used it to provide a DD-format version of EnCase images.

 
Posted : 08/04/2010 8:22 pm
(@farmerdude)
Posts: 242
Estimable Member
 

Hi Paolo,

If you have a method that works for you and you're happy with it stick with it! I think SMART (and possibly others) may ease the pain, if you will, by "simply" providing a point-and-click interface that some folks may prefer over command line work. There may also be bells and whistles with the commercial apps … logging, file system meta data, processing, ETC., that all happen during the image import phase.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com

 
Posted : 08/04/2010 9:06 pm
(@juju22)
Posts: 3
New Member
 

Just for the archives, the afflib solution also works on macOS,
but you need to install it with fuse/macfuse, which is not supported by the devs (need to comment a line in configure.ac + autoconf)


$ mkdir /Volumes/fuse
$ affuse SCHARDT.001 /Volumes/fuse
$ file /Volumes/fuse/SCHARDT.001.raw
/Volumes/fuse/SCHARDT.001.raw x86 boot sector, Microsoft Windows XP MBR, Serial 0xec5dec5d; partition 1 ID=0x7, active, starthead 1, startsector 63, 9510417 sectors, code offset 0xc0

$ hdiutil mount /Volumes/fuse/SCHARDT.001.raw
hdiutil mount failed - not recognized
$ hdid /Volumes/fuse/SCHARDT.001.raw
hdiutil mount failed - not recognized

$ fdisk /Volumes/fuse/SCHARDT.001.raw
Disk /Volumes/fuse/SCHARDT.001.raw geometry 592/255/63 [9514496 sectors]
Signature 0xAA55
          Starting        Ending
 # id   cyl  hd sec -   cyl  hd sec [      start -       size]
------------------------------------------------------------------------
*1 07     0   1   1 -   591 254  63 [         63 -    9510417] HPFS/QNX/AUX
 2 00     0   0   0 -     0   0   0 [          0 -          0] unused
 3 00     0   0   0 -     0   0   0 [          0 -          0] unused
 4 00     0   0   0 -     0   0   0 [          0 -          0] unused
$ disklabel /Volumes/fuse/SCHARDT.001.raw
disklabel /Volumes/fuse/SCHARDT.001.raw must be a disk device

$ cp /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/SCHARDT.dmg
cp /Volumes/fuse/SCHARDT.001.raw Operation not permitted
$ ls -l /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/SCHARDT.dmg
-r-------- 1 user staff 4870635520 15 aoû 1025 /Volumes/Data/SCHARDT.dmg
-r--r--r-- 1 root wheel 4871421952 1 jan 1970 /Volumes/fuse/SCHARDT.001.raw
$ hdiutil attach /Volumes/Data/SCHARDT.dmg
/dev/disk2 FDisk_partition_scheme
/dev/disk2s1 Windows_NTFS /Volumes/Untitled
## umount
$ ln -s /Volumes/fuse/SCHARDT.001.raw /Volumes/Data/test.dmg
$ hdiutil attach /Volumes/Data/test.dmg
/dev/disk2 FDisk_partition_scheme
/dev/disk2s1 Windows_NTFS /Volumes/Untitled

 
Posted : 15/08/2010 1:34 pm