Notifications
Clear all

DMG Joiner  

  RSS
bjh505
(@bjh505)
New Member

Hello,

I have a DMG image that is in three segments .dmg, .002.dmgpart, and .003dmgpart that my forensic tools (Griffeye, IEF) are having issues reading. What I would like to do is combine them into one full .dmg image (which I would assume will alleviate the problem). Is there a command I could use in the terminal that can combine these parts? Do not want to us a third party tool if I do not have to…

Have tried various commands with "hdiutil convert" so far and it just recreates the exact same parts unattached. Thank you.

Quote
Posted : 17/04/2018 2:07 pm
mcman
(@mcman)
Active Member

I don't have a joiner program to suggest but curious what created the segmented DMG? I can work with our guys to add support for it, just need a few sample DMG images. We'll support regular DMGs, I just haven't seen the segmented ones before in any of the tools I use.

Let me know and I'll talk to our guys about adding it in.

Jamie McQuaid
Magnet Forensics

ReplyQuote
Posted : 17/04/2018 3:08 pm
jaclaz
(@jaclaz)
Community Legend

Have tried various commands with "hdiutil convert" so far with no success. Thank you.

Which EXACT command(s) did you try?

Should be


hdiutil convert firstFile.dmg -format UDRO -o output.dmg
or

hdiutil convert firstFile.dmg -format UDRW -o output.dmg

it should get the .002.dmgpart and .003.dmgpart automatically.

https://ss64.com/osx/hdiutil.html
https://apple.stackexchange.com/questions/44786/what-are-dmgpart-files-and-what-tools-can-create-merge-or-manage-them

However most probably they are simply "dd images" that can be concatenated with dd or with a cat command.

@macman
It is seemingly a built-in functionality of hdiutil, see the above links, the GUI tool seems like being able to create the segmented images but not to re-merge them together? ?

jaclaz

ReplyQuote
Posted : 17/04/2018 3:14 pm
bjh505
(@bjh505)
New Member

This exact command "hdiutil convert firstFile.dmg -format UDRO -o output.dmg" even tried segment sizing with -segmentSize 03t to no avail.

It is not combing the parts just copying them "as is" to the new output. Would the UDRW format make any difference?

ReplyQuote
Posted : 17/04/2018 3:32 pm
bjh505
(@bjh505)
New Member

I don't have a joiner program to suggest but curious what created the segmented DMG? I can work with our guys to add support for it, just need a few sample DMG images. We'll support regular DMGs, I just haven't seen the segmented ones before in any of the tools I use.

Let me know and I'll talk to our guys about adding it in.

Jamie McQuaid
Magnet Forensics

Hello Jamie,

We do not have a MAC imaging tool outside of Paladin and it does not recognize FileVault encryption or a way to dismantle it so I just used our Mac Station to create a .DMG. However, it is a 3TB External drive and is segmenting the image into parts 001.dmgpart etc (there is nothing I have seen to prevent this from happening using the Disk Utility App. IEF will read the first part but not the second and third. Currently using IEF 6.7.2. Thank you.

ReplyQuote
Posted : 17/04/2018 3:37 pm
mcman
(@mcman)
Active Member

Thanks for the extra info guys, I suspect it's the .dmgpart extension at the end that's throwing our tools off as we'll join most other types of segmented files (001/002 or 0001/0002, zip/z01/z02,etc.). I chat with the devs to see if we can add it in. Totally makes sense to segment those as well especially when dealing with images that size.

@jaclaz, thanks for the tool suggestion, I'll use it to create a few samples of my own for testing.

Jamie

ReplyQuote
Posted : 17/04/2018 4:07 pm
jaclaz
(@jaclaz)
Community Legend

Would the UDRW format make any difference?

No.
It is possible (the man is not at all clear in this regard) that the "reassembling feature" in hdiutil was only present in some peculiar OSX version.

Try using dd or cat, it is confirmed that those images are just "dd" or "raw" chunks that you can concatenate
https://www.blackbagtech.com/blog/2011/05/23/understanding-dmg-files-part-3-of-3/

As a final note in this series, it's important to understand that a .dmg file is the same as a raw ".dd" file. It simply has a different extension. You can arbitrarily change the extension from .dd to .dmg and back again. The advantage to using .dmg extension is that on a Mac, you can double-click the file to mount it as a volume. The latter isn't possible to do if the file has a .dd extension.

There is a difference when it comes to split images. For raw .dd images, the extensions are just a sequence such as .000, .001, .002 and so on. For .dmg files, they need to be set as .dmg for the first segment, .002.dmgpart for the second, .003.dmgpart for the third and so on.

It seems like you should be able to mount the whole image by mounting just the 1st part and then you can re-image the mounted image, though it seems overkill.

jaclaz

ReplyQuote
Posted : 17/04/2018 4:55 pm
Share: