Re: [sleuthkit-users] RE: Problem adding image
From: Silent P. <sp...@si...> - 2003-03-07 21:09:19
Quoting: "Brian Carrier":
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> >
> > and
> >
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
> >
> > I entered both exactly as typed above. In both cases when I hit refresh
> > there was no sign of my link/image.
> >
> What does
>
> ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
>
> show?
Here is a step by step guide to achieve what you are trying to achieve, and
verify as you are going along, composed in mini-howto style:
***** Step 1, use the GUI, but empower yourself with the command line
I login to my linux box, and I bring up an xterm / "command prompt" and I get:
dindang:~ #
***** Step 2, know your hard disk.
I know that there is an IDE hard disk in my machine that contains a partition
which I would like to analyse. To get more info, I examine what the kernel knows
about IDE hard disks in my machine; I already know they get mounted as
/dev/hd???, so I use the dmesg command. I can use the man command to find out
more about dmesg:
dindang:~ # man dmesg
NAME
dmesg - print or control the kernel ring buffer
SYNOPSIS
dmesg [ -c ] [ -n level ] [ -s bufsize ]
DESCRIPTION
dmesg is used to examine or control the kernel ring
buffer.
The program helps users to print out their bootup messages.
Instead of copying the messages by hand, the user need only:
dmesg > boot.messages
and mail the boot.messages file to whoever can debug their
problem.
Basically, at boot / the start of any system device, a message is posted to the
kernel ring buffer; if you hotplug a USB device, what the kernel does with it
gets noted here.... So we are looking for kernel messages relating to hda, or if
it was a SCSI disk we would have used sda, etc. dmesg on its own will give back
a lot of information, but I will pipe its output using | into the grep command,
which I will use to filter for hda:
dindang:~ # dmesg | grep hda
ide0: BM-DMA at 0xfcd0-0xfcd7, BIOS settings: hda:pio, hdb:pio
hda: IC25N020ATCS04-0, ATA DISK drive
hda: safely enabled flush
hda: 39070080 sectors (20004 MB) w/1768KiB Cache, CHS=41344/15/63, UDMA(33)
hda: hda1 hda2 hda3 hda4
I could have just searched for hda1 and got:
dindang:~ # dmesg | grep hda1
hda: hda1 hda2 hda3 hda4
But basically I know from the above that there is a drive on my system mounted
as hda and it has 4 partitions, hda1-4.
To find out what's in those partitions, use fdisk:
dindang:~ # fdisk
Usage: fdisk [-l] [-b SSZ] [-u] device
E.g.: fdisk /dev/hda (for the first IDE disk)
or: fdisk /dev/sdc (for the third SCSI disk)
or: fdisk /dev/eda (for the first PS/2 ESDI drive)
or: fdisk /dev/rd/c0d0 or: fdisk /dev/ida/c0d0 (for RAID devices)
...
Whoops! I forgot that I must specify a parameter; the parameter must be a device,
not a partition, so /dev/hda1 can't be fdisked because it's not a disk, but
/dev/hda can:
dindang:~ # fdisk /dev/hda
The number of cylinders for this disk is set to 41344.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): p
Disk /dev/hda: 15 heads, 63 sectors, 41344 cylinders
Units = cylinders of 945 * 512 bytes
   Device Boot    Start       End    Blocks   Id  System
/dev/hda1              1     19672  9294988+   c  Win95 FAT32 (LBA)
/dev/hda2   *      19673     19714    19845   83  Linux
/dev/hda3          19715     20795   510772+  82  Linux swap
/dev/hda4          20796     41344  9709402+  83  Linux
Command (m for help): q
dindang:~ #
From this I can see that /dev/hda1 is the windows partition using a FAT32
filesystem, and this I want to analyse / play with!
***** Step 3, checkout your current directory.
First I check to see where I am. This is important because all operations that I
do will take place wherever I am, unless I fully qualify the paths. I check this
with the print working directory command:
dindang:~ # pwd
/root
dindang:~ #
I am currently in /root, and let's see what I've got here; do a directory
listing:
dindang:~ #
dindang:~ #
dindang:~ # ls
. .bash_history .jbuilder4 .qt .w3m Desktop
.. .exrc .kde .skel .wmrc KDesktop
.ICEauthority .gnupg .mcop .ssh .xinitrc bin
.Xauthority .gtkrc-kde .mcoprc .viminfo .xsession-errors lucent
dindang:~ #
Now I am going to make a directory test, this is to hold my "images", and is the
equivalent of the task / autopsy image hold directory:
dindang:~ #
dindang:~ # mkdir test
dindang:~ #
Now, it makes sense to VERIFY what you've done, so do another directory listing:
dindang:~ # ls
. .exrc .mcop .viminfo Desktop
.. .gnupg .mcoprc .w3m KDesktop
.ICEauthority .gtkrc-kde .qt .wmrc bin
.Xauthority .jbuilder4 .skel .xinitrc lucent
.bash_history .kde .ssh .xsession-errors test
Yes, test is there, it's in the list; let's see what's in the directory test:
dindang:~ # ls test
. ..
dindang:~ #
just . and .. which are directory navigation stubs, so the directory is empty.
dindang:~ # ln -s /dev/hda1 /root/test
dindang:~ # ls test
. .. hda1
dindang:~ # cd test
dindang:~/test # ls -l
total 8
drwxr-xr-x 2 root root 4096 Mar 7 20:03 .
drwx------ 15 root root 4096 Mar 7 20:03 ..
lrwxrwxrwx 1 root root 9 Mar 7 20:03 hda1 -> /dev/hda1
dindang:~/test #
***** Step 4, link the partition you want to analyse into the "hold" directory
To do this, we use the ln command; it's the equivalent of making an alias to
something on a Mac or a shortcut to something in Windows.
First, a little info on the ln command:
dindang:~/test # man ln
NAME
ln - make links between files
SYNOPSIS
ln [OPTION]... TARGET [LINK_NAME]
ln [OPTION]... TARGET... DIRECTORY
ln [OPTION]... --target-directory=DIRECTORY TARGET...
DESCRIPTION
Create a link to the specified TARGET with optional LINK_NAME.
If LINK_NAME is omitted, a link with the same basename as the
TARGET is created in the current directory. When using the
second form with more than one TARGET, the last argument must
be a directory; create links in DIRECTORY to each TARGET.
Create hard links by default, symbolic links with --symbolic.
When creating hard links, each TARGET must exist.
Btw.... I'm deliberately not showing all the info that man throws back; try the
command yourself to get the full picture. Next I will link /dev/hda1 into
/root/test using the ln command:
dindang:~ # ln -s /dev/hda1 /root/test
Now if I do a directory listing of test:
dindang:~ # ls test
. .. hda1
dindang:~ #
I can see that along with the navigation stubs, there is something called hda1 in
there. Let's change our working directory from /root into /root/test and see more
of what's in there:
dindang:~ # cd test
dindang:~/test # ls -l
total 8
drwxr-xr-x 2 root root 4096 Mar 7 20:03 .
drwx------ 15 root root 4096 Mar 7 20:03 ..
lrwxrwxrwx 1 root root 9 Mar 7 20:03 hda1 -> /dev/hda1
dindang:~/test #
The output of the ls -l tells us quite a bit:
drwxr-xr-x tells us that the entry is a directory; it belongs to user root in the
group root, followed by the time stamps associated with the file, and finally its name.
lrwxrwxrwx tells us it's a link, and after hda1 (the file name) there is a ->
/dev/hda1 which tells us that it's linked to /dev/hda1.
***** Step 5, let's get our image another way.
The way above links the physical partition to the "image file" that will be
analysed by task / autopsy; anything we do to this will modify the original
item, so maybe we should actually image the partition instead of just creating a
shortcut to it. This we do using the dd command.
First we delete the symbolic link:
dindang:~/test # rm hda1
verify it's gone....
dindang:~/test # ls
. ..
Get some info on dd.....
dindang:~/test # man dd
NAME
dd - convert and copy a file
SYNOPSIS
dd [OPTION]...
DESCRIPTION
Copy a file, converting and formatting according to the
options.
dindang:~/test #
Run DD using the options required:
dindang:~/test # dd if=/dev/hda1 of=/root/test/hda1
Let's verify what it's done:
dindang:~/test #
dindang:~/test # ls
. .. hda1
dindang:~/test #
The difference here is that this is not a link, it's an actual image to work on,
and it consumes disk space etc.
***** Step 6, get help if it doesn't work
If you run the commands above but it just doesn't happen, and you want to contact
a list, then give a bit of info about the system you run: the OS / distribution
etc. The output above was generated on SuSE 8.0 with a custom-built kernel that I
made a long time ago. Hmm... don't know / can't remember the kernel? uname will
help:
dindang:~ # uname -a
Linux dindang 2.4.18-4GB #1 Thu May 16 13:22:19 GMT 2002 i686 unknown
I should post that info, along with references to the SuSE 8.0, in a brief intro
paragraph. Maybe there's something wrong with the binaries on my platform.
Also, what user are you logged in as? Do you have access to the devices as this
user? Notice I did everything as root; if I was a restricted user I could have
run into problems... (I don't actually know for sure with the above commands,
and I don't particularly care to reboot and find out).
***** Step 7, have fun, happy sleuthing....
HTH,
Sid.
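The procedure in Sid's mini-howto (hold directory, symlink, then a real dd image) as a shell script that checks each step before moving on. This is an added example, not code from the original post or from The Sleuth Kit / Autopsy; the function names, the "test" hold directory and the 1 MiB constructed file standing in for /dev/hda1 are all assumptions so that it runs without a real disk. The one check it adds beyond the post is on the ln step: "ln -s TARGET DIR" only creates DIR/basename when DIR already exists as a directory, otherwise it silently creates a link named DIR, so the script refuses to link unless the hold directory is there.

```shell
#!/bin/sh
# Added example, not code from the original post or from The Sleuth Kit:
# the post's procedure (hold directory -> symlink -> dd image) as a script
# that verifies each step. The "partition" is a constructed 1 MiB file so it
# runs without a real /dev/hda1; paths and function names are assumptions.

set -u

# Step 3: create the hold directory and confirm it really exists.
make_hold_dir() {
    mkdir -p "$1" && [ -d "$1" ]
}

# Step 4: symlink the device into the hold directory. "ln -s TARGET DIR" only
# creates DIR/basename when DIR is an existing directory; otherwise it creates
# a link *named* DIR, which is why a missing "images" directory leaves no
# "images/hda1" behind. Refuse to run unless the directory exists.
link_into_hold_dir() {
    src=$1; dir=$2
    [ -d "$dir" ] || { echo "hold directory $dir does not exist" >&2; return 1; }
    ln -s "$src" "$dir/" && [ -L "$dir/$(basename "$src")" ]
}

# Step 5: copy the source block device (or file) into DST with dd, keeping
# dd's records-in / records-out report next to the image for the case notes.
image_source() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4096 2>"$dst.dd.log"
}

# Verify the copy: same size, then byte-for-byte identical.
verify_image() {
    src=$1; dst=$2
    [ $(( $(wc -c < "$src") )) -eq $(( $(wc -c < "$dst") )) ] || return 1
    cmp -s "$src" "$dst"
}

# Checksum to record alongside the image (cksum is POSIX, so always present).
image_checksum() {
    cksum < "$1" | cut -d' ' -f1
}

# Constructed stand-in for /dev/hda1: 2048 labelled "sectors" of 512 bytes.
make_fake_partition() {
    awk 'BEGIN { for (i = 0; i < 2048; i++) printf "%-512s", "sector " i }' > "$1"
}

# Whole procedure in order; returns non-zero at the first step that fails.
run_demo() {
    work=$1
    make_hold_dir "$work/test"                          || return 1
    make_fake_partition "$work/fake_hda1"               || return 1
    link_into_hold_dir "$work/fake_hda1" "$work/test"   || return 1
    rm "$work/test/fake_hda1"        # drop the link again, as in step 5
    image_source "$work/fake_hda1" "$work/test/hda1"    || return 1
    verify_image "$work/fake_hda1" "$work/test/hda1"    || return 1
    echo "image verified, cksum $(image_checksum "$work/test/hda1")"
}

workdir=$(mktemp -d) && run_demo "$workdir"; rm -rf "$workdir"
```

Run it as-is to see the whole chain succeed on the constructed file; to use it on a real partition, replace the make_fake_partition call with the device path and run as a user that can read it, which is the same access question the post raises in step 6.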