The 12 Days of dd: Day Twelve
Written by Ryan Meeks
Monday, 05 January 2009 00:00

On the twelfth day of dd, we use losetup to view the image files we’ve made with dd. Let’s say you want to take a look at one of those dd image files you made. By using the command losetup you can turn an image file into a device so that you can do just that.

First go to the directory where your image is stored. Next, use the basic losetup command, which looks like this:

    # losetup /dev/loop0 output.img

This will make the contents of “output.img” mountable like any other disk partition. Multiple loops can be set up by changing the number at the end (loop0, loop1, etc.). Use the standard mount command with /dev/loop0 as your device.

    # mount /dev/loop0 /mnt

If you want to go directly to a mounted image you can use the following command:

    # mount -o loop output.img /mnt

This command will do the same thing as the first two commands listed and you can immediately access the mounted image at /mnt. The number at the end of the loop will automatically be assigned.

When you are finished with the image you can unmount it with the standard “umount” command. Then, to remove the image from the loop, use the following command:

    # losetup -d /dev/loop0

In order to see loops that are active, use this command:

    # losetup -a

This technique will only be able to show one partition at a time. If you have an image that contains multiple partitions, there are several extra steps to take in order to view the contents. Start by creating a loop for the whole image as per the first command. Next, input the following command:

    # fdisk /dev/loop0

Next enter u to change display/entry units to sectors. Then enter p to see your device information. You will see something like this:

    Disk /dev/loop0: 500.1 GB, 500106780160 bytes
    Device Boot Start End Blocks Id System

Choose which partition you want to view and multiply the “Start” sector number by 512. (Example: For the first partition starting at 63: 512*63=32256). Enter q to exit back to the command prompt. Now we can set our first partition to a new loop.
If you want to view all of the partitions, you will need a separate loop and mount point for each. To create the loop for your first partition, use this command:

    # losetup -o 32256 /dev/loop1 output.img

In this command the “-o” should be followed by the number derived by multiplying your starting sector by 512. From here you can mount as normal and view your partitioned image. Changes can be made to your mounted image if the file system type allows for it.

Well, that wraps things up for The Twelve Days of dd; we hope you've enjoyed them. We’ll continue blogging about other useful e-discovery and computer forensics topics, so remember to check back often, or add our blog as an RSS feed. Happy holidays!
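The offset arithmetic from the multi-partition steps above, as an added example that is not part of the original article: it reads the start sector of each primary partition straight from the image's MBR (the same "Start" values fdisk prints in sector units), multiplies by 512, and prints the matching losetup and mount commands without running them. The read-only flags (`losetup -r`, `mount -o ro`), the `/mnt/pN` mount points, the function names and the sample image are assumptions added here.

```shell
#!/bin/sh
# Added example: compute the losetup -o byte offset of every primary
# partition in a raw dd image by reading the MBR partition table.
SECTOR=512   # bytes per sector, as the article assumes

# Print "slot type start_sector byte_offset" for each used MBR entry.
# Logical partitions inside an extended partition are not walked.
mbr_offsets() {
    img=$1
    # A valid MBR ends with the bytes 55 AA at offset 510.
    [ "$(od -A n -t x1 -j 510 -N 2 "$img" | tr -d ' \n')" = 55aa ] ||
        { echo "no MBR signature in $img" >&2; return 1; }
    for slot in 0 1 2 3; do
        entry=$((446 + 16 * slot))          # table starts at byte 446
        ptype=$(od -A n -t u1 -j $((entry + 4)) -N 1 "$img" | tr -d ' ')
        if [ "$ptype" -eq 0 ]; then continue; fi    # unused slot
        # Bytes 8-11 of the entry: start sector, little-endian.
        read -r b0 b1 b2 b3 <<EOF
$(od -A n -t u1 -j $((entry + 8)) -N 4 "$img")
EOF
        start=$((b0 + (b1 << 8) + (b2 << 16) + (b3 << 24)))
        printf '%d 0x%02x %d %d\n' $((slot + 1)) "$ptype" "$start" $((start * SECTOR))
    done
}

# Print (not run) read-only loop and mount commands per partition.
# /dev/loop0 is left for the whole image; /mnt/pN is hypothetical.
loop_commands() {
    n=1
    mbr_offsets "$1" | while read -r slot ptype start off; do
        echo "losetup -r -o $off /dev/loop$n $1"
        echo "mount -o ro /dev/loop$n /mnt/p$slot"
        n=$((n + 1))
    done
}

# Constructed sample: one-sector image with partitions starting at
# sector 63 (type 0x83) and sector 206848 (type 0x07).
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200\000\000\000\203\000\000\000\077\000\000\000\001\000\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\000\000\000\000\007\000\000\000\000\050\003\000\001\000\000\000' |
        dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

sample=$(mktemp) && make_sample_image "$sample" && loop_commands "$sample"
rm -f "$sample"
```

Attaching the loop read-only keeps the mounted view from altering the image file, which matters when the image is evidence.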


