MOUNTING PARTITIONS FROM AN IMAGE FILE ON LINUX

Linux is the best choice for a forensics platform for several reasons, regardless of the operating system used by the subject system. One of the many reasons this is true is the ease with which an image file can be mounted. Once the filesystems in an image have been mounted, all of the standard system tools can be used as part of the investigation.

Linux tools, such as fdisk, can also be used directly on an image file. This fact might not be immediately obvious, but we will show it to be true. The key to being able to use our normal tools is Linux’s support for loop devices. In a nutshell, a loop device allows a file to be treated as a block device by Linux.

The command for running fdisk on an image is simply fdisk <image file>. After fdisk has been run, the partition table is easily printed by typing p <enter>. The key piece of information you need for each partition in order to mount it is the starting sector (LBA). The results of running fdisk and printing the partition table for a Windows virtual machine image are shown in Figure 5.4. Note that in most cases we do not need to know the partition type, as the Linux mount command is smart enough to figure this out on its own.

The single primary partition in the image from Figure 5.4 begins at sector 63. In order to mount this image we first need to create a mount point directory by typing sudo mkdir <mount point>, e.g. sudo mkdir /media/win-c. Next we need to mount the filesystem using the mount command. The general syntax for the command is mount [options] <device> <mount point>.

FIGURE 5.4

Running fdisk on an image file. Note that root privileges are not required to run fdisk on an image. The starting sector will be needed later for mounting.

The options required to mount an image in a forensically sound way are ro (read-only) and noatime (no access time updating). The second option might seem unnecessary, but it ensures that certain internal timestamps are not updated accidentally. Mounting an image file additionally requires the loop and offset options.

Putting all of these together, the full mount command is sudo mount -o ro,noatime,loop,offset=<byte offset> <image file> <mount point>. The offset can be calculated using a calculator or a little bash shell trick. Just as commands can be executed by enclosing them in $(), you can do math on the command line by enclosing mathematical operations in $(()).

Using our bash shell trick, the proper command is sudo mount -o ro,noatime,loop,offset=$(( <start sector> * 512 )) <image file> <mount point>. The series of commands used to mount the image from Figure 5.4 is shown in Figure 5.5.

FIGURE 5.5

Mounting a single primary partition from an image file.

What if your image contains extended partitions? The procedure is exactly the same. An image with an extended partition is shown in Figure 5.6. Note that fdisk translates the relative sector addresses inside the extended partition to absolute addresses in the overall image. Also note that the swap partition inside the extended primary partition starts two sectors into the partition. The first sector is used by the extended partition’s mini-MBR and the second is just padding to make the swap partition start on an even-numbered sector.

The mini-MBR from the extended partition in the image from Figure 5.6 is shown in Figure 5.7. The partition type, 0x82, is highlighted in the figure. Recall that this is the type code for a Linux swap partition. Notice that the second MBR entry is blank indicating that there are no extended partitions nested inside this one. The dd command was used to generate this figure.

FIGURE 5.6

An image file with an extended partition.

FIGURE 5.7

A mini-MBR from an extended partition. The highlighted byte is for the partition, 0x82, which indicates this is a swap partition. Note that the second entry is blank indicating there are no nested extended partitions under this one.

A quick way to view a single sector from an image is to issue the command dd skip=<sector> bs=<sector size> count=1 if=<image file> | xxd. The command used to generate Figure 5.7 was dd skip=33556478 bs=512 count=1 if=pentester-academy-subject1-flat.vmdk | xxd. It is important to realize that dd counts in blocks (with a default block size of 512) whereas mount's offset option counts in bytes. This is why we don't have to do any math to use dd: the starting sector from fdisk can be passed directly to skip=.

The commands required to mount the primary partition from Figure 5.6, and the results, are shown in Figure 5.8. Notice that my Ubuntu system automatically popped up the file browser window shown. This is an example of behavior that can be customized using udev rules as described earlier in this book.

FIGURE 5.8

Mounting a Linux partition in an image from the command line.

What if your subject system is using GUID Partition Tables (GPT)? The results of running fdisk against such a system are shown in Figure 5.9. The only partition displayed covers the entire disk and has type 0xEE. This is the protective MBR discussed earlier in this chapter. Note that fdisk displays a warning that includes the correct utility to run for GPT drives.

FIGURE 5.9

Running fdisk on a drive that uses GUID Partition Tables.

The results of running parted on the GPT drive from Figure 5.9 are shown in Figure 5.10. In the figure we see a system partition which is marked as bootable, several NTFS partitions, an ext4 partition, and a Linux swap partition. This is a computer that came preloaded with Windows 8.1 with secure boot (which really means make it difficult to boot anything other than Windows) and which has had Linux installed after the fact.

FIGURE 5.10

Result of running parted on the GPT drive from Figure 5.9.

You may have noticed that the results displayed in Figure 5.10 specify the start and stop of partitions in kilobytes, megabytes, and gigabytes. In order to mount a partition we need to know the exact start of each partition. The unit command in parted allows us to specify how these values are displayed. Two popular choices are s and B which stand for sectors and bytes, respectively. The results of executing the parted print command using both sectors and bytes are shown in Figure 5.11.

FIGURE 5.11

Changing the default units in parted to show partition boundaries in sectors and bytes.

Once the starting offset is known, mounting a partition from a GPT image is exactly the same as the preceding two cases (primary or extended partitions on MBR-based drives). The parted utility can be used on MBR-based drives as well, but the default output is not as easy to use. Next we will discuss using Python to make this mounting process simple regardless of what sort of partitions we are attempting to mount.
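The offset arithmetic and mount command described in this section, as an added shell example that is not from the book: it parses the text of fdisk -l for an image (the listings below are constructed samples, not real case data), skips the extended container from the Figure 5.6 case, flags a 0xEE protective MBR the way the text recommends (use parted with sector units), and prints the read-only mount commands. SECTOR_SIZE=512, the image names and the /media/subject mount directory are assumptions.

```shell
#!/bin/sh
# Turn the text of `fdisk -l <image>` into forensic mount commands, one per
# mountable partition, using the offset = start sector * sector size rule.
# Parsing the listing (instead of calling fdisk) needs no root and lets the
# commands be reviewed before anything is mounted.

SECTOR_SIZE=512   # assumption: 512-byte sectors, as in the chapter's images

# Byte offset for mount's offset= option (the $(( )) trick from the text).
part_offset_bytes() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Read fdisk -l output on stdin; print mkdir/mount commands per partition.
# $1 = image file name as it appears in the listing, $2 = base mount directory.
# Partition lines look like:  <dev> [*] <start> <end> <sectors> <size> <Id> <type>
mount_commands() {
    image=$1; base=$2
    while read -r dev f2 f3 f4 f5 f6 f7 _; do
        case $dev in "$image"[0-9]*) ;; *) continue ;; esac
        # A bootable partition carries a '*' column that shifts the fields.
        if [ "$f2" = "*" ]; then start=$f3; id=$f7; else start=$f2; id=$f6; fi
        num=${dev#"$image"}
        case $id in
            ee) # protective MBR: the real table is GPT, get sectors from parted
                printf '# %s is a GPT protective MBR; run: parted %s unit s print\n' \
                    "$dev" "$image" ;;
            5|f) ;;  # the extended container holds only mini-MBRs; skip it
            *)
                printf 'sudo mkdir -p %s/p%s\n' "$base" "$num"
                printf 'sudo mount -o ro,noatime,loop,offset=%s %s %s/p%s\n' \
                    "$(part_offset_bytes "$start")" "$image" "$base" "$num" ;;
        esac
    done
}

# Constructed sample listing (not real case data): one primary partition and
# an extended partition whose swap starts two sectors in, as in Figure 5.6.
SAMPLE_LINUX='Disk linux.dd: 16 GiB, 17179869184 bytes, 33554432 sectors
Units: sectors of 1 * 512 = 512 bytes
Device    Boot    Start      End  Sectors Size Id Type
linux.dd1 *        2048 31457279 31455232  15G 83 Linux
linux.dd2      31459326 33554431  2095106   1G  5 Extended
linux.dd5      31459328 33554431  2095104   1G 82 Linux swap / Solaris'

# Constructed GPT disk as fdisk shows it: a single 0xEE protective entry.
SAMPLE_GPT='Device Boot Start        End    Sectors   Size Id Type
gpt.dd1          1 1953525167 1953525167 931.5G ee GPT'

printf '%s\n' "$SAMPLE_LINUX" | mount_commands linux.dd /media/subject
printf '%s\n' "$SAMPLE_GPT"   | mount_commands gpt.dd   /media/subject
```

To use it on a real image, pipe fdisk -l <image file> into mount_commands and review the printed commands before running them.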
