====== Ubuntu - Mount - Loopback mount full-disk 'dd' images ====== Carving out partitions from within a full disk "dd" image by running it through another "dd" is highly inefficient both in terms of disk space and analyst time used. A better method is to use a loopback mount. **Loopback mount** supports an "offset" parameter that lets you mount a partition directly from within a larger full-disk image: /media/disk-1# ls -al total 39082701 drwxrwxrwx 1 root root 4096 2009-07-12 13:33 . drwxr-xr-x 4 root root 4096 2009-08-18 19:04 .. -rwxrwxrwx 1 root root 878 2009-07-07 11:46 fdisk -rwxrwxrwx 1 root root 701 2009-07-07 11:47 hdparm -rwxrwxrwx 2 root root 40020664320 2009-07-07 14:34 image-sda -rwxrwxrwx 1 root root 43 2009-07-07 12:02 md5sum -rwxrwxrwx 1 root root 43 2009-06-29 13:13 md5sum-sda drwxrwxrwx 1 root root 0 2009-07-11 19:03 $RECYCLE.BIN fdisk -ul image-sda You must set cylinders. You can do this from the extra functions menu. Disk image-sda: 0 MB, 0 bytes 255 heads, 63 sectors/track, 0 cylinders, total 0 sectors Units = sectors of 1 * 512 = 512 bytes Disk identifier: 0x9c879c87 Device Boot Start End Blocks Id System image-sda1 * 63 78140159 39070048+ 7 HPFS/NTFS Partition 1 has different physical/logical endings: phys=(1023, 254, 63) logical=(4863, 254, 63) mount -o ro,loop,offset='''32256''' -t auto image-sda \ /media/image cd .. cd image ls -1 AUTOEXEC.BAT favorites ntldr Start Menu blp INFCACHE.1 pagefile.sys System Volume Information boot.ini IO.SYS Program Files temp CONFIG.SYS MSDOS.SYS RECYCLER WINDOWS Documents and Settings NTDETECT.COM spoolerlogs The magic **32256** offset passed to "mount" is easily explained as the start of the partition you are interested in (63 in this case) multiplied by the unit size (512 in this case). If you have more than one partition, just repeat the above steps for the other slices. ---- ===== References ===== https://www.michaelboman.org/how-to/mounting-partitions-from-full-disk-dd-images [[http://isc.sans.org/diary.html?storyid=6991|ISC Diary: Forensics: Mounting partitions from full-disk 'dd' images]]