Lect10 - Mounting Flashcards
How can you show the partition table of a block device?
# fdisk -l /dev/sdX (or # gdisk …)
How can you identify the file system?
# file -s /dev/sdX or # file -s <imagefile>
What is a loop device and how does it work?
The loop device allows us to associate a file with a device node. Once the file is associated, we can act on the loop device as if it were a disk or volume.
# losetup /dev/loop0 -o $((2048*512)) --sizelimit $((1021952*512)) evid.raw
then: mount -t ntfs -o ro /dev/loop0 /mnt/analysis
How do you unmount a loop device?
root@forensicbox:~# umount /mnt/analysis
root@forensicbox:~# losetup -d /dev/loop0
root@forensicbox:~# losetup
returns nothing…
How can you specify a loop in the mount command?
# mount -t ntfs -o ro,loop,offset=$((2048*512)) evid.raw /mnt/analysis
- -t ntfs-3g : NTFS file system
- -t vfat : FAT file system
- -t ext4 : EXT4 file system
What is kpartx and how does it work?
If there are multiple partitions in an image, size limits for consecutive loop devices might become a concern. To ease the task of associating multiple partitions with loop devices, we use kpartx.
# kpartx -a -r image.raw
- -r : Make the mappings read only
- -a : Add them all at once
- -l : List the partition mappings that would be added by -a
- -g : Force GUID partition table (GPT)
Once we execute the command above, our mappings are created and we can now access each partition through the /dev/mapper/loop0pX device.
- # mount -t ext4 -o ro /dev/dm-0 /mnt/analysis OR
- # mount -t ext4 -o ro /dev/mapper/loop0p1 /mnt/analysis
How can you unmount with kpartx?
# kpartx -d image.raw
How can you mount E01 images?
Mount:
- # ewfmount image.E01 /mnt/ewf
- # fdisk -l /mnt/ewf/ewf1
- # kpartx -r -a /mnt/ewf/ewf1
- # file -s /dev/dm-*
- # mount -o ro -t ntfs-3g /dev/mapper/loop0p1 /mnt/analysis
Unmount:
- # umount /mnt/analysis
- # kpartx -d /mnt/ewf/ewf1
- # fusermount -u /mnt/ewf
How can you mount split images?
Mount:
- # affuse image.000 /mnt/aff
- # fdisk -l /mnt/aff/able_3.raw
- # kpartx -r -a /mnt/aff/able_3.raw
- # file -s /dev/dm-*
- # mount -o ro -t ntfs-3g /dev/mapper/loop0p1 /mnt/analysis
Unmount:
- # umount /mnt/analysis
- # kpartx -d /mnt/aff/able_3.raw
- # fusermount -u /mnt/aff/
What are those additional mount options for:
- noatime
- nodev
- nosuid
- Do not update inode access times on this filesystem
- Do not interpret character or block special devices on the file system.
- Do not allow set-user-identifier or set-group-identifier bits to take effect.