Re: [sleuthkit-users] XFS image file analysis
From: Derrick K. <dk...@gm...> - 2012-12-05 05:14:19
Exactly! Without going too far off topic, here's a sample image with an
XFS partition at byte offset 16065. You can use mmls to find the offset
of the partition, crudely confirm that the partition is XFS using dd,
then mount it with the appropriate offset. This should be enough to get
you going.

$ mmls /tmp/bleck.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000016064   0000016002   Linux (0x83)
03:  00:01   0000016065   0000079999   0000063935   Linux (0x83)

$ dd if=/tmp/bleck.img skip=16065 count=1 | hexdump -C
1+0 records in
1+0 records out
512 bytes (512 B) copied
00000000  58 46 53 42 00 00 10 00  00 00 00 00 00 00 1f 37  |XFSB...........7|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  90 d9 91 d9 e7 e7 45 44  ba b1 f8 91 a3 2c e3 63  |......ED.....,.c|
00000030  00 00 00 00 00 00 00 04  00 00 00 00 00 00 4b 80  |..............K.|
00000040  00 00 00 00 00 00 4b 81  00 00 00 00 00 00 4b 82  |......K.......K.|
00000050  00 00 00 01 00 00 1f 37  00 00 00 01 00 00 00 00  |.......7........|
00000060  00 00 04 b0 b4 a4 02 00  01 00 00 10 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  0c 09 08 04 0d 00 00 19  |................|
00000080  00 00 00 00 00 00 00 40  00 00 00 00 00 00 00 3d  |.......@.......=|
00000090  00 00 00 00 00 00 1a 7f  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000b0  00 00 00 00 00 00 00 02  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 01  00 00 00 0a 00 00 00 0a  |................|
000000d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200

$ sudo mount -t xfs -o ro,loop,offset=$((16065*512)) /tmp/bleck.img /mnt
$ ls /mnt
this-is-a-test.txt

RB's suggestion of using the loopback is also a good idea. You can set up
a loopback device at the appropriate offset, then use the loopback device
for further processing.

$ sudo /sbin/losetup -o $((16065*512)) /dev/loop0 /tmp/bleck.img
$ sudo xfs_ncheck /dev/loop0
19332 this-is-a-test.txt
$ sudo mount /dev/loop0 /mnt
$ ls /mnt
this-is-a-test.txt

Derrick

On Tue, Dec 4, 2012 at 9:51 PM, RB <ao...@gm...> wrote:
> On Tue, Dec 4, 2012 at 9:36 PM, Sagar Belure <sag...@gm...> wrote:
>> Yes. But that would require <device> as a parameter, not an image file.
>> I don't have a hard disk but a hard disk image.
>
> You can handle that either by using 'losetup' to set up a loopback
> block device at a specific offset in your image file, or use the '-o
> loop,offset=XYZ' option to 'mount', which does the same thing.
> Mounting an image "-o loop,offset=XYZ" just runs losetup in the
> background, and all losetup is doing in this case is creating a
> convenience mapping - you tell it that a block device you want to
> handle is at byte offset XYZ in the image and it will transparently
> translate all accesses to start at that address.
>
>> I'm not really sure how to operate on an XFS filesystem image file.
>
> See above, unless you imaged the XFS filesystem with "xfsdump".
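Added example, not part of the thread above and not sleuthkit or XFS project code: it automates the three steps Derrick walks through (read the mmls listing, look for the "XFSB" magic in the first sector of each partition, compute the byte offset for mount/losetup) and goes a little beyond the post by decoding the superblock geometry fields so the check is more than a four-byte magic compare. The mmls listing and the superblock bytes are copied from the post and dropped into a constructed in-memory image; the field offsets follow the on-disk xfs_sb layout (big-endian), and the read-only flags on the emitted commands (mount's norecovery, losetup -r) are my additions rather than anything the post shows.

```python
# Added example (not from the sleuthkit-users thread): automates the
# mmls -> "XFSB" check -> mount-at-offset procedure from the post above.
# Input is constructed: the mmls listing and superblock bytes are copied
# from the post and placed into an in-memory image. Field offsets follow
# the on-disk xfs_sb layout (all fields big-endian).
import re
import struct
import uuid
from io import BytesIO

SECTOR = 512
XFS_MAGIC = b"XFSB"

MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000016064   0000016002   Linux (0x83)
03:  00:01   0000016065   0000079999   0000063935   Linux (0x83)
"""

# First 0xd0 bytes of the superblock hexdump in the post (the rest of the
# sector is zero there as well).
SB_BYTES = bytes.fromhex(
    "58465342000010000000000000001f37" "00000000000000000000000000000000"
    "90d991d9e7e74544bab1f891a32ce363" "00000000000000040000000000004b80"
    "0000000000004b810000000000004b82" "0000000100001f370000000100000000"
    "000004b0b4a402000100001000000000" "00000000000000000c0908040d000019"
    "0000000000000040000000000000003d" "0000000000001a7f0000000000000000"
    "00000000000000000000000000000000" "00000000000000020000000000000000"
    "00000000000000010000000a0000000a"
)

_ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_mmls(text):
    """[(slot, start, end, length, description)] for real partition slots."""
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(1) not in ("Meta", "-----"):
            slot, start, end, length, desc = m.groups()
            parts.append((slot, int(start), int(end), int(length), desc.strip()))
    return parts

# xfs_sb fields from sb_magicnum through sb_fdblocks (0x98 bytes).
SB_FMT = ">4sIQQQ16sQQQQIIIIIHHHH12sBBBBBBBBQQQ"
SB_FIELDS = ("magic blocksize dblocks rblocks rextents uuid logstart rootino "
             "rbmino rsumino rextsize agblocks agcount rbmblocks logblocks "
             "versionnum sectsize inodesize inopblock fname blocklog sectlog "
             "inodelog inopblog agblklog rextslog inprogress imax_pct "
             "icount ifree fdblocks").split()
SB_SIZE = struct.calcsize(SB_FMT)

def parse_xfs_sb(buf):
    """Decode the superblock header found in the first sector of a partition."""
    return dict(zip(SB_FIELDS, struct.unpack_from(SB_FMT, buf, 0)))

def check_xfs(sb, part_sectors, sector_size=SECTOR):
    """[] if the magic is XFSB, the size/log2 pairs agree, and the filesystem
    fits inside the partition; otherwise a list describing what is off."""
    if sb["magic"] != XFS_MAGIC:
        return ["magic %r is not XFSB" % sb["magic"]]
    problems = []
    for size, log in (("blocksize", "blocklog"), ("sectsize", "sectlog"),
                      ("inodesize", "inodelog"), ("inopblock", "inopblog")):
        if sb[size] != 1 << sb[log]:
            problems.append("%s=%d but 2^%s=%d" % (size, sb[size], log, 1 << sb[log]))
    if sb["agcount"] * sb["agblocks"] < sb["dblocks"]:
        problems.append("AG geometry covers fewer blocks than dblocks")
    fs_bytes = sb["dblocks"] * sb["blocksize"]
    if fs_bytes > part_sectors * sector_size:
        problems.append("filesystem claims %d bytes, partition holds %d"
                        % (fs_bytes, part_sectors * sector_size))
    return problems

def find_xfs_partitions(fh, mmls_text, sector_size=SECTOR):
    """Read the first sector of every mmls partition and report whether it
    carries a plausible XFS superblock, plus the byte offset for mounting."""
    results = []
    for slot, start, _end, length, _desc in parse_mmls(mmls_text):
        fh.seek(start * sector_size)
        buf = fh.read(sector_size)
        if len(buf) < SB_SIZE:
            results.append({"slot": slot, "start": start, "problems": ["short read"]})
            continue
        sb = parse_xfs_sb(buf)
        problems = check_xfs(sb, length, sector_size)
        results.append({"slot": slot, "start": start, "offset": start * sector_size,
                        "problems": problems,
                        "uuid": None if problems else str(uuid.UUID(bytes=sb["uuid"]))})
    return results

def mount_commands(image, start_sector, sector_size=SECTOR, mountpoint="/mnt"):
    """The two routes from the thread, read-only. norecovery (my addition)
    stops XFS from replaying its log, which is a write, on a ro mount."""
    off = start_sector * sector_size
    return ["sudo mount -t xfs -o ro,norecovery,loop,offset=%d %s %s" % (off, image, mountpoint),
            "sudo losetup -r -o %d /dev/loop0 %s" % (off, image)]

def build_test_image(sb_bytes, sb_sector, total_sectors=80000, sector_size=SECTOR):
    """Constructed image: zeros everywhere except the superblock at sb_sector."""
    fh = BytesIO()
    fh.seek(total_sectors * sector_size - 1)
    fh.write(b"\0")
    fh.seek(sb_sector * sector_size)
    fh.write(sb_bytes)
    fh.seek(0)
    return fh

if __name__ == "__main__":
    img = build_test_image(SB_BYTES, 16065)
    for r in find_xfs_partitions(img, MMLS_OUTPUT):
        print(r)
        if not r["problems"]:
            print("\n".join(mount_commands("/tmp/bleck.img", r["start"])))
```

Against the listing from the post, slot 00:00 (sector 63) fails the magic check because that region of the constructed image is all zeros, while slot 00:01 (sector 16065) decodes to a 4096-byte-block, single-AG filesystem of 7991 blocks with root inode 19328, which fits inside the 63935-sector partition, so the script prints the mount and losetup lines with offset 8225280 (16065*512). On a real image, swap BytesIO for open(path, "rb") and feed the script the output of mmls.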