In the previous post we created a forensic copy of a disk using dc3dd. Let's now mount that image.
Before mounting the image, let's see what we can learn about it from "fdisk -l":
sansforensics@securitynik:~/firefox-analysis$ fdisk -l securitynik-firefox.dc3dd
From the above we see a FAT16 partition that starts at sector 32 and ends at sector 3915575. To get the partition's actual starting offset in bytes, multiply the starting sector of 32 by 512, which is the sector size.
If we multiply 32 x 512 we get 16,384.
Now that we have the actual offset of 16,384, let's mount the partition.
sansforensics@securitynik:~/firefox-analysis$ sudo mount --read-only --options=loop,offset=16384 securitynik-firefox.dc3dd tmp/
Now that we have executed the mount command, let's verify that the image has been mounted successfully:
sansforensics@securitynik:~/firefox-analysis$ df -kh
So far so good. Now that we have the mounted drive, let's look at analyzing the various SQL databases in the next file.
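The offset calculation above can also be done by reading the MBR partition table directly instead of copying numbers from fdisk. The following is an added example, not part of the original post: it parses the four primary partition entries and builds the read-only loop mount options. The function names and the sample MBR are constructed for illustration (the sample matches the start and end sectors quoted above), 512-byte sectors are assumed, and the `sizelimit` option goes beyond the post by also bounding the loop device to the partition's length.

```python
import struct

SECTOR_SIZE = 512          # assumption: 512-byte logical sectors, as in the post
MBR_TABLE_OFFSET = 446     # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0, sector_size=SECTOR_SIZE):
    """Return one dict per non-empty primary partition in an MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature (0x55AA) at bytes 510-511")
    partitions = []
    for index in range(4):
        base = MBR_TABLE_OFFSET + 16 * index
        entry = sector0[base:base + 16]
        # byte 4 = type, bytes 8-11 = start LBA, bytes 12-15 = sector count
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": index + 1,
            "type": ptype,
            "start": start_lba,
            "end": start_lba + sectors - 1,        # the "End" column in fdisk -l
            "offset": start_lba * sector_size,     # bytes, for offset=
            "sizelimit": sectors * sector_size,    # bytes, for sizelimit=
        })
    return partitions


def mount_command(image, part, mountpoint):
    """Build the read-only loop mount command for one parsed partition."""
    opts = "ro,loop,offset={offset},sizelimit={sizelimit}".format(**part)
    return ["sudo", "mount", "-o", opts, image, mountpoint]


def sample_mbr():
    """Constructed MBR: one FAT16 (type 0x06) partition, sectors 32..3915575."""
    entry = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x06, b"\x00" * 3,
                        32, 3915544)
    return b"\x00" * MBR_TABLE_OFFSET + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print(p)
        print(" ".join(mount_command("securitynik-firefox.dc3dd", p, "tmp/")))
```

To run it against a real image, pass the first 512 bytes of the file to `parse_mbr` instead of `sample_mbr()`.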