in reply to disk image forensics

It is easy to mount a CD-ROM image or a hard drive PARTITION image under Linux:

mount -o loop,ro,noatime cdrom_image.iso mountpoint/
mount -o loop,ro,noatime partition_image.img mountpoint/

However, trying to mount a whole hard drive image directly fails, because the start of the disk is not the start of the first partition.
The first sector of a typical hard drive looks something like this:
( Description of the MS-DOS-style partition table and master boot record, as
  gleaned from the source of parted and grub. )

  bytes        content
  ----------------------------------------------------------------
    0 - 439    boot code
  440 - 443    AAAA = mbr_sig (32-bit disk signature)
  444 - 445    BB   = unknown
  446 - 461    partition entry one
  462 - 477    partition entry two
  478 - 493    partition entry three
  494 - 509    partition entry four
  510 - 511    CC   = magic (0x55 0xAA)
  ----------------------------------------------------------------

Each 16-byte partition entry is

  bytes 0 - 15:  ABBBCDDDEEEEFFFF

  A    = status (0x80 = bootable)
  BBB  = CHS start (legacy, ignored by modern tools)
  C    = type
  DDD  = CHS end (legacy, ignored by modern tools)
  EEEE = start sector, counted from 0
  FFFF = length in sectors
The start sector and length are little-endian 32-bit integers, easily parsed with Perl's unpack("V"). Using the partition's start sector, it is possible to mount a partition inside a hard drive image file:

mount -o ro,noatime,loop,offset=<sector offset * 512> hard_drive_image.img mountpoint/
On some older systems, mount only accepts offsets up to 2 GB. A simple way to check whether this is a problem is to run

losetup -o 5100200300 /dev/loop5 small_file

followed by

losetup /dev/loop5

A system that limits offsets to 2 GB will print

/dev/loop5: [XXX]:XXXXXX (small_file) offset 2147483647, no encryption

A system that supports large offsets will print

/dev/loop5: [XXX]:XXXXXX (small_file) offset 5100200300, no encryption
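As an added example, not code from the original post or from parted/grub: a Python parser for the partition table layout described above. It reads sector 0 of an image, checks the 0x55 0xAA magic, pulls the LBA start and length of every non-empty entry with struct "<I" (Python's equivalent of unpack("V")), turns the start sector into the byte offset for the mount line, and flags offsets above 2 GB so you know whether the losetup check above matters. The sample partition table is constructed inline; 512-byte sectors and the function names (parse_mbr, mount_command, needs_large_offset, build_sample_mbr) are assumptions of this example. Extended partitions are only flagged; the EBR chain is not walked.

```python
# Added example, not code from the original post: parse the MS-DOS partition
# table in sector 0 of a raw disk image and turn each entry's start sector
# into the byte offset that "mount -o loop,offset=..." expects.
import struct
import sys

SECTOR = 512                    # assumption: 512-byte logical sectors (not a 4Kn disk)
MBR_MAGIC = b"\x55\xaa"         # bytes 510-511 ("CC" in the post's diagram)
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # entries that point at an EBR chain
MAX_OLD_OFFSET = 2**31 - 1      # the 2 GB ceiling the post describes


def parse_mbr(sector0):
    """Return (disk_signature, partitions) from the first 512 bytes of an image.

    Each partition is a dict with the fields from the post's diagram:
    A = status, C = type, EEEE = LBA start, FFFF = length in sectors.
    The CHS fields (BBB, DDD) are skipped; modern tools ignore them.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need at least %d bytes, got %d" % (SECTOR, len(sector0)))
    if sector0[510:512] != MBR_MAGIC:
        raise ValueError("bad MBR magic %r (not an MS-DOS partition table?)"
                         % bytes(sector0[510:512]))
    disk_sig = struct.unpack_from("<I", sector0, 440)[0]       # AAAA = mbr_sig
    parts = []
    for n in range(4):
        entry = sector0[446 + 16 * n: 446 + 16 * (n + 1)]
        # "<B3xB3xII": status, skip CHS start, type, skip CHS end,
        # then two little-endian uint32 (Perl's unpack("V") / struct "<I").
        status, ptype, lba_start, length = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or length == 0:
            continue                                           # empty slot
        parts.append({
            "index": n + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": length,
            "byte_offset": lba_start * SECTOR,
            "extended": ptype in EXTENDED_TYPES,
        })
    return disk_sig, parts


def needs_large_offset(part):
    """True if mounting this partition needs an offset above 2 GB."""
    return part["byte_offset"] > MAX_OLD_OFFSET


def mount_command(image, part, mountpoint):
    """Build the mount line from the post, with the computed byte offset."""
    return "mount -o ro,noatime,loop,offset=%d %s %s" % (
        part["byte_offset"], image, mountpoint)


def build_sample_mbr():
    """Constructed test data (not from a real disk): two primary partitions."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)               # disk signature
    # Entry 1: bootable, type 0x83 (Linux), starts at sector 2048, 2 GiB long.
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x83, 2048, 4194304)
    # Entry 2: type 0x82 (Linux swap), starts right after entry 1; its byte
    # offset (2148532224) is just past the 2 GB limit discussed in the post.
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x82, 4196352, 1048576)
    mbr[510:512] = MBR_MAGIC
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_offsets.py [disk_image]; with no argument the
    # constructed sample table is parsed instead.
    image = sys.argv[1] if len(sys.argv) > 1 else "hard_drive_image.img"
    if len(sys.argv) > 1:
        with open(image, "rb") as f:
            sector0 = f.read(SECTOR)
    else:
        sector0 = build_sample_mbr()
    sig, parts = parse_mbr(sector0)
    print("disk signature: 0x%08x" % sig)
    for p in parts:
        flag = " (offset above 2 GB)" if needs_large_offset(p) else ""
        print("partition %d: type 0x%02x start %d sectors %d%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], flag))
        if p["extended"]:
            print("  extended container: walk the EBR chain for logical partitions")
        else:
            print("  " + mount_command(image, p, "mountpoint/"))
```

Run it against a real image with `python mbr_offsets.py disk.img`; the printed offset is the value to pass to mount, and any entry flagged as above 2 GB is the case where the losetup check above decides whether the mount will work. A GPT disk also carries a protective MBR with a single type 0xEE entry, so a lone 0xEE partition means the real table is in the GPT, not here.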