I've been following a book found here:
http://www.amazon.com/Real-Digital-Fore … 0321240693
So far it's great: they provide a DVD with images of hard drives of "hacked" computers.
Of course, mounting those images requires a little loop magic, usage of fdisk -l and losetup and mounts and offsets and fun fun.
However, on page 208, for those who can get a copy of the book, they discuss their first mounting of one of the image files they produce. The commands they give first are replicated on my box here, same result they get. Easy stuff.
[root@mistersaint forensic_duplication]$ losetup /dev/loop0 JBRWWW.dd
[root@mistersaint forensic_duplication]$ fdisk -l /dev/loop0
Disk /dev/loop0: 4311 MB, 4311982080 bytes
255 heads, 63 sectors/track, 524 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x963fa10d
      Device Boot      Start         End      Blocks   Id  System
/dev/loop0p1   *           1         523     4200966    7  HPFS/NTFS
However, they say something odd right on the next line:
We see that there is one partition (/dev/loop0p1) that is an NTFS file system. We expected that because the Web server was a Windows machine. We can mount the partition with the following command:
mount -r /dev/loop1 /mnt/part1
The logical files are now available in the directory /mnt/part1.
Notice that we mounted loop1 instead of loop0. This is because each partition is associated with the next greater loop device. Partition 1 is loop1, while partition 2 is loop2, and so on. Next we want to recover the deleted files.
Now, this is NOT what my machine does. At all. Using the command above, nothing. Using losetup -a I see just loop0 in use. I know I just need to set the offset to be $((512*63)) and I can mount it. Easy enough. But what about when I get that Linux hard drive, with 6 partitions? Yes, I could fdisk and multiply and such and such, but it really would be amazing if losetup worked like it did in the book. (Which is from October 3, 2005 btw.)
I've read the preface/meet the authors/more stuff before chapter 1/etc here and no mention of what distro they are using.
Does anybody know what it is? I've read the man page for losetup. Could it be a different kernel version that does not currently support the feature they show in the book? Could it be a compile time flag that needs to be set?
Last edited by ptchinster (2009-07-17 03:47:50)
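As an added example (not from the book, the thread, or any of its posters): a small POSIX shell script that does the "fdisk and multiply" step for a whole disk image at once. It reads an sfdisk -d style partition dump, converts each partition's start sector to a byte offset, and prints read-only losetup/mount commands, one pair per partition, so a six-partition Linux image needs no hand arithmetic. The dump below is constructed (the second partition, the sector-size line and the /mnt mount base are assumptions; only the image name, label id and the 63-sector start come from the thread).

```shell
#!/bin/sh
# Added example, not the book's or the thread's code: derive loop offsets from an
# sfdisk dump and print read-only loop/mount commands for every partition.
# With a real image: sfdisk -d JBRWWW.dd | plan_mounts JBRWWW.dd /mnt

# Constructed sample of `sfdisk -d JBRWWW.dd` output (util-linux dump format).
# Partition 1 mirrors the thread (start sector 63); partition 2 is invented.
SAMPLE_DUMP='label: dos
label-id: 0x963fa10d
device: JBRWWW.dd
unit: sectors
sector-size: 512

JBRWWW.dd1 : start=          63, size=     8401932, type=7, bootable
JBRWWW.dd2 : start=     8401995, size=      204800, type=83'

# part_offset START_SECTOR [SECTOR_SIZE]: byte offset of a partition.
# 63 sectors * 512 bytes = 32256, the value the thread passes as $((512*63)).
part_offset() {
    echo $(( $1 * ${2:-512} ))
}

# plan_mounts IMAGE MOUNTBASE: read a dump on stdin and print one losetup/mount
# pair per partition. Commands are printed, not executed, so the plan can be
# reviewed before touching evidence; every step is read-only (losetup -r,
# mount -o ro). loop0 is left free for the whole image, as in the thread, so
# partition N lands on loopN like the book's numbering.
plan_mounts() {
    image=$1; base=$2
    awk -v img="$image" -v base="$base" '
        /^sector-size:/ { ss = $2 }
        /start=/ {
            n++
            start = $0
            sub(/.*start=[ ]*/, "", start)   # drop everything up to the number
            sub(/,.*/, "", start)            # drop the rest of the line
            if (ss == "") ss = 512           # dump without a sector-size line
            off = start * ss
            printf "losetup -r -o %.0f /dev/loop%d %s\n", off, n, img
            printf "mkdir -p %s/part%d\n", base, n
            printf "mount -o ro,noexec,nodev,nosuid /dev/loop%d %s/part%d\n", n, base, n
        }'
}

# Usage with the constructed sample: prints the plan for both partitions.
printf '%s\n' "$SAMPLE_DUMP" | plan_mounts JBRWWW.dd /mnt
```

The offsets are computed from the sfdisk dump rather than from cylinder numbers because the dump is always in sectors, which removes the 16065-sector-per-cylinder multiplication that fdisk's default output invites. On a current util-linux, losetup -P (--partscan) asks the kernel to read the partition table itself and creates the /dev/loop0p1-style nodes the book shows; kpartx, as found later in the thread, is the device-mapper route to the same result. The fixed loopN numbers in the printed plan are a simplification: losetup -f picks the next free device if those are already taken.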
tried a pony?
tried a pony?
That's what you get when you post a link in IRC, I guess.
I found an even easier solution than doing maths, using kpartx, as follows:
http://www.novell.com/coolsolutions/tip/19568.html
Still, I would like to know: is there something I'm missing with the straight-up losetup command?