NTFS Analysis on DD image

aina · 2017-11-02T17:58:32Z

I'm trying to analyze a given USB image (.dd) to find out the location of the MFT table. The problem is I'm having trouble to mount the DD image.My objective is want to use command like mmls, fls and icat to locate the MFT table. I tried on different image(.vdi) and I was able to do so. I just want to understand better on raw file like DDWhen I run fdisk -l ntfs5.dd here's the output that I get fdisk -l ntfs5.dd Disk ntfs5.dd 25 MiB, 26214400 bytes, 51200 sectors Units sectors of 1 * 512 = 512 bytes Sector size (logical/physical) 512 bytes / 512 bytes I/O size (minimum/optimal) 512 bytes / 512 bytes Disklabel type dosDisk identifier 0x6f20736bDevice Boot Start End Sectors Size Id Typentfs5.dd1 778135908 1919645538 1141509631 544.3G 72 unknownntfs5.dd2 168689522 2104717761 1936028240 923.2G 65 Novell Netware 386ntfs5.dd3 1869881465 3805909656 1936028192 923.2G 79 unknownntfs5.dd4 0 3637226495 3637226496 1.7T d unknownPartition table entries are not in disk order.Here is the command that used to mount the DD imagemount -o loop,offset=$((168689522*512)),ro,noatime,noexec,show_sys_files test1/ntfs5.dd newmountdir/Here's the error messagemount wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error In some cases useful info is found in syslog - try dmesg | tail or so.Just wondering where did I go wrong in mounting the image? and apologize for the messy fdisk output.

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by keydet89 8 years ago

12 Posts

8 Users

0 Reactions

5,166 Views

RSS

sdenis

(@sdenis)

New Member

Joined: 15 years ago

Posts: 3

05/12/2017 5:46 pm

This sure looks like an assignment from the UCD MSc program

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

06/12/2017 4:42 pm

Thanks for the info @JaredDM. I'm able to open the file in hex. The challenge that i'm actually having is the USB image (ntfs5.dd) was on NTFS previously and then it got formatted to FAT. I need to locate the MFT and its timestamp, files, and its attribute. I'm new to NTFS analysis, do you have any other suggestion or workaround?

Fascinating.

If the format of the device *was* NTFS, but was reformatted to FAT, I'd recommend going back to @JaredDM's solution.

You're not doing NTFS analysis at this point, you're trying to NTFS recovery. So…why not just locate all instances of "FILE0", grab 1024 bytes from (and including) the "F", and the proceed on. Dump all of these to a file, and you'll have what could be an MFT, or a partial one.

*Then* you can do some modicum of NTFS analysis, albeit without the actual file system.

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
286 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed