Re: [sleuthkit-users] RE: Problem adding image
From: Silent P. <sp...@si...> - 2003-03-07 21:09:19
Quoting "Brian Carrier":

> > ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> >
> > and
> >
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
> >
> > I entered both exactly as typed above. In both cases when I hit refresh
> > there was no sign of my link/image.
>
> What does
>
> ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
>
> show?

Here is a step by step guide to achieve what you are trying to achieve, and verify as you are going along, composed in mini-howto style:

***** Step 1, use the GUI, but empower yourself with the command line

I log in to my Linux box, and I bring up an xterm / "command prompt" and I get:

  dindang:~ #

***** Step 2, know your hard disk.

I know that there is an IDE hard disk in my machine that contains a partition which I would like to analyse. To get more info, I examine what the kernel knows about IDE hard disks in my machine, and I already know they get mounted as /dev/hd???, so I use the dmesg command. I can use the man command to find out more about dmesg:

  dindang:~ # man dmesg
  NAME
         dmesg - print or control the kernel ring buffer

  SYNOPSIS
         dmesg [ -c ] [ -n level ] [ -s bufsize ]

  DESCRIPTION
         dmesg is used to examine or control the kernel ring buffer.
         The program helps users to print out their bootup messages.
         Instead of copying the messages by hand, the user need only:

                dmesg > boot.messages

         and mail the boot.messages file to whoever can debug their problem.

Basically, at boot, the start of any system device results in a message being posted to the kernel ring buffer; if you hotplug a USB device, what the kernel does with it gets noted here too. So we are looking for kernel messages relating to hda, or if it was a SCSI disk we would have used sda etc.

dmesg on its own will give back a lot of information, but I will pipe its output using | into the grep command, which I will use to filter for hda:

  dindang:~ # dmesg | grep hda
  ide0: BM-DMA at 0xfcd0-0xfcd7, BIOS settings: hda:pio, hdb:pio
  hda: IC25N020ATCS04-0, ATA DISK drive
  hda: safely enabled flush
  hda: 39070080 sectors (20004 MB) w/1768KiB Cache, CHS=41344/15/63, UDMA(33)
  hda: hda1 hda2 hda3 hda4

I could have just searched for hda1 and got:

  dindang:~ # dmesg | grep hda1
  hda: hda1 hda2 hda3 hda4

But basically I know from the above that there is a drive on my system mounted as hda and it has 4 partitions, hda1-4. To find out what's in those partitions use fdisk:

  dindang:~ # fdisk
  Usage: fdisk [-l] [-b SSZ] [-u] device
  E.g.: fdisk /dev/hda  (for the first IDE disk)
    or: fdisk /dev/sdc  (for the third SCSI disk)
    or: fdisk /dev/eda  (for the first PS/2 ESDI drive)
    or: fdisk /dev/rd/c0d0  or: fdisk /dev/ida/c0d0  (for RAID devices)
    ...

Whoops! I forgot that I must specify a parameter. The parameter must be a device, not a partition, so /dev/hda1 can't be fdisked because it's not a disk, but /dev/hda can:

  dindang:~ # fdisk /dev/hda

  The number of cylinders for this disk is set to 41344.
  There is nothing wrong with that, but this is larger than 1024,
  and could in certain setups cause problems with:
  1) software that runs at boot time (e.g., old versions of LILO)
  2) booting and partitioning software from other OSs
     (e.g., DOS FDISK, OS/2 FDISK)

  Command (m for help): p

  Disk /dev/hda: 15 heads, 63 sectors, 41344 cylinders
  Units = cylinders of 945 * 512 bytes

     Device Boot    Start       End    Blocks   Id  System
  /dev/hda1             1     19672   9294988+   c  Win95 FAT32 (LBA)
  /dev/hda2   *     19673     19714     19845   83  Linux
  /dev/hda3         19715     20795    510772+  82  Linux swap
  /dev/hda4         20796     41344   9709402+  83  Linux

  Command (m for help): q

  dindang:~ #

From this I can see that /dev/hda1 is the Windows partition using a FAT32 filesystem, and this is what I want to analyse / play with!

***** Step 3, check out your current directory.

First I check to see where I am. This is important because all operations that I do will take place wherever I am, unless I fully qualify the paths. I check this with the print working directory command:

  dindang:~ # pwd
  /root
  dindang:~ #

I am currently in /root. Let's see what I've got here; do a directory listing:

  dindang:~ #
  dindang:~ #
  dindang:~ # ls
  .              .bash_history  .jbuilder4  .qt       .w3m              Desktop
  ..             .exrc          .kde        .skel     .wmrc             KDesktop
  .ICEauthority  .gnupg         .mcop       .ssh      .xinitrc          bin
  .Xauthority    .gtkrc-kde     .mcoprc     .viminfo  .xsession-errors  lucent
  dindang:~ #

Now I am going to make a directory test. This is to hold my "images", and is the equivalent of the task / autopsy image hold directory:

  dindang:~ #
  dindang:~ # mkdir test
  dindang:~ #

Now, it makes sense to VERIFY what you've done, so do another directory listing:

  dindang:~ # ls
  .              .exrc       .mcop    .viminfo          Desktop
  ..             .gnupg      .mcoprc  .w3m              KDesktop
  .ICEauthority  .gtkrc-kde  .qt      .wmrc             bin
  .Xauthority    .jbuilder4  .skel    .xinitrc          lucent
  .bash_history  .kde        .ssh     .xsession-errors  test

Yes, test is there, it's in the list. Let's see what's in the directory test:

  dindang:~ # ls test
  .  ..
  dindang:~ #

Just . and .., which are directory navigation stubs, so the directory is empty.

***** Step 4, link the partition you want to analyse into the "hold" directory

To do this, we use the ln command. It's the equivalent of making an alias to something on a Mac or a shortcut to something in Windows. First a little info on the ln command:

  dindang:~/test # man ln
  NAME
         ln - make links between files

  SYNOPSIS
         ln [OPTION]... TARGET [LINK_NAME]
         ln [OPTION]... TARGET... DIRECTORY
         ln [OPTION]... --target-directory=DIRECTORY TARGET...

  DESCRIPTION
         Create a link to the specified TARGET with optional LINK_NAME.
         If LINK_NAME is omitted, a link with the same basename as the
         TARGET is created in the current directory. When using the
         second form with more than one TARGET, the last argument must
         be a directory; create links in DIRECTORY to each TARGET.
         Create hard links by default, symbolic links with --symbolic.
         When creating hard links, each TARGET must exist.

Btw.... I'm deliberately not showing all the info that man throws back; try the command yourself to get the full picture.

Next I will link /dev/hda1 into /root/test using the ln command:

  dindang:~ # ln -s /dev/hda1 /root/test

Now if I do a directory listing of test:

  dindang:~ # ls test
  .  ..  hda1
  dindang:~ #

I can see that along with the navigation stubs, there is something called hda1 in there. Let's change our working directory from /root into /root/test and see more of what's in there:

  dindang:~ # cd test
  dindang:~/test # ls -l
  total 8
  drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
  drwx------   15 root     root         4096 Mar  7 20:03 ..
  lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
  dindang:~/test #

The output of the ls -l tells us quite a bit:

drwxr-xr-x tells us that the entry is a directory, it belongs to user root in the group root, then come the time stamps associated with the file, and finally its name.

lrwxrwxrwx tells us it's a link, and after the hda1 (the file name) there is a -> /dev/hda1 which tells us that it's linked to /dev/hda1.

***** Step 5, let's get our image another way.

The way above links the physical partition to the "image file" that will be analysed by task / autopsy; anything we do to this will modify the original item, so maybe we should actually image the partition instead of just creating a shortcut to it. This we do using the dd command.

First we delete the symbolic link:

  dindang:~/test # rm hda1

Verify it's gone....

  dindang:~/test # ls
  .  ..

Get some info on dd.....

  dindang:~/test # man dd
  NAME
         dd - convert and copy a file

  SYNOPSIS
         dd [OPTION]...

  DESCRIPTION
         Copy a file, converting and formatting according to the options.
  dindang:~/test #

Run dd using the options required:

  dindang:~/test # dd if=/dev/hda1 of=/root/test/hda1

Let's verify what it's done:

  dindang:~/test #
  dindang:~/test # ls
  .  ..  hda1
  dindang:~/test #

The difference here is that this is not a link, it's an actual image to work on, and it consumes disk space etc.

***** Step 6, get help if it doesn't work

If you run the commands above, but it just doesn't happen, and you want to contact a list, then give a bit of info about the system you run: the OS / distribution etc. The output above was generated on SuSE 8.0 with a custom built kernel that I made a long time ago. Hmm... don't know / can't remember the kernel? uname will help:

  dindang:~ # uname -a
  Linux dindang 2.4.18-4GB #1 Thu May 16 13:22:19 GMT 2002 i686 unknown

I should post that info, along with references to the SuSE 8.0, in a brief intro paragraph. Maybe there's something wrong with the binaries on my platform.

Also, what user are you logged in as? Do you have access to the devices as this user? Notice I did everything as root; if I was a restricted user I could have run into problems... (I don't actually know for sure with the above commands, and I don't particularly care to reboot and find out).

***** Step 7, have fun, happy sleuthing....

HTH,

Sid.
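The post's Step 5 copies the partition with a bare dd and checks only that a file appeared. The script below is an added example written for this page, not Sid's or The Sleuth Kit's own code; it wraps the same dd step in the checks a practitioner wants before trusting an image. It refuses to write through a symlink in the hold directory (a leftover Step 4 link would make dd write straight back onto the partition) or over an existing image, copies with conv=noerror,sync so a bad sector does not abort the run or shift later offsets, then compares size and SHA-256 of source and copy. The device and output paths are arguments, so /dev/hda1 and /root/test/hda1 from the post are just the assumed invocation; it expects the source to be a whole number of 512-byte sectors, which a real partition always is.

```shell
#!/bin/sh
# Added example (not from the original post): image a partition into an
# Autopsy/TSK "hold" directory the way Step 5 does, with the checks a
# practitioner adds. Pass the real device (e.g. /dev/hda1) as the first
# argument and the image path (e.g. /root/test/hda1) as the second.
set -u

# image_partition SRC DST
# Copies SRC to DST with dd and prints "OK <sha256> <bytes> bytes" once the
# copy verifies. Returns 0 on success, 1 on a refused destination,
# 2 if reading, hashing or dd fails, 3 if the copy does not match SRC.
image_partition() {
    src=$1
    dst=$2

    # A symlink in the hold directory (Step 4 style) points back at the
    # device; dd of= would follow it and overwrite the evidence.
    if [ -L "$dst" ]; then
        echo "refusing: $dst is a symlink to $(readlink "$dst")" >&2
        return 1
    fi
    # Never silently replace an image that is already there.
    if [ -e "$dst" ]; then
        echo "refusing: $dst already exists" >&2
        return 1
    fi

    # Hash the source before anything is written, so a later mismatch
    # tells us the copy (not the source) is what changed.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1) || return 2

    # bs=512 matches the sector size; noerror keeps going past unreadable
    # sectors and sync pads the short block with zeros so every later
    # offset in the image still lines up with the source. (Assumes the
    # source is a whole number of sectors, as a partition is.)
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 2

    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1) || return 2
    src_size=$(wc -c < "$src")
    dst_size=$(wc -c < "$dst")

    if [ "$src_hash" != "$dst_hash" ] || [ "$src_size" -ne "$dst_size" ]; then
        echo "MISMATCH size $src_size/$dst_size hash $src_hash/$dst_hash" >&2
        return 3
    fi
    echo "OK $dst_hash $dst_size bytes"
    return 0
}

# Usage: sh image_partition.sh /dev/hda1 /root/test/hda1
if [ $# -eq 2 ]; then
    image_partition "$1" "$2"
fi
```

Run it as root, as in the post, since the device node is what needs reading. Record the printed hash alongside the case notes: re-running sha256sum on the image later, or on the device itself, is how you show the copy was never touched by whatever task / autopsy did with it afterwards.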