The problem with a disk image is that it's binary data in a format that depends on many factors.

What's the filesystem? That determines many other things. How are attributes, ownership, and timestamps stored? Is there journaling involved? If so, what part of the data is the journal?

What's the block size? Many filesystems allow different block sizes to be configured.

What's the byte order of the stored data? Is it determined by the filesystem spec, or does the filesystem use whatever is native to the platform?

The best reference for a filesystem is often the implementation of the FS driver for the platform on which the image was created. IOW, it's usually easiest to mount the file system (possibly read-only) and look at the files and directories that way.

Perl could certainly be used to read and manipulate data according to a filesystem specification, but you're looking at reinventing many very intricate wheels.

In reply to Re: disk image forensics by mr_mischief
in thread disk image forensics by cutlass2006

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.