Thread: RE: [sleuthkit-users] Mounting a dd image under windows
|
From: OFD L. S. D. <DSc...@of...> - 2005-06-13 06:41:08
|
>Hi Guys,

Hi,

>slightly off topic but does anyone know of a utility
>that will mount a dd image under windows xp.

Try FileDisk (http://www.acc.umu.se/%7Ebosse/)

Dennis
|
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2005-06-13 17:24:49
|
Hi -

I'd be interested in either one (or both) of you explaining how you are
currently mounting raw disk images under Windows using Cygwin.

Thanks -

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...
"I have taken all knowledge to be my province." -- Francis Bacon

> -----Original Message-----
> From: sle...@li...
> [mailto:sle...@li...] On
> Behalf Of youcef bichbiche
> Sent: Saturday, June 11, 2005 4:23 PM
> To: sle...@li...
> Subject: Re: [sleuthkit-users] Mounting a dd image under windows
>
>
> Try Cygwin. it supports Sleuthkit too.
>
> --- esrkq yahoo <es...@ya...> wrote:
>
> > Hi Guys,
> > slightly off topic but does anyone know of a utility
> > that will mount a dd image under windows xp.
|
From: youcef b. <ybi...@ya...> - 2005-06-13 23:48:47
|
Hi,

It uses the concept of a loopback device, which allows
to mount a file system within an image file.
To do that you use the mount command with the loop
option to indicate that you want to use the loop
device to mount the file system within the image, and
you specify a disk image rather than a disk device.

Example:

mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis

--- "Altheide, Cory B. (IARC)" <Alt...@nv...> wrote:

> Hi -
>
> I'd be interested in either one (or both) of you
> explaining how you are currently mounting raw disk
> images under Windows using Cygwin.
>
> Thanks -
>
> Cory Altheide
> Senior Network Forensics Specialist
> NNSA Information Assurance Response Center (IARC)
> alt...@nv...
> "I have taken all knowledge to be my province." -- Francis Bacon
>
> > -----Original Message-----
> > From: sle...@li...
> > [mailto:sle...@li...] On
> > Behalf Of youcef bichbiche
> > Sent: Saturday, June 11, 2005 4:23 PM
> > To: sle...@li...
> > Subject: Re: [sleuthkit-users] Mounting a dd image under windows
> >
> >
> > Try Cygwin. it supports Sleuthkit too.
> >
> > --- esrkq yahoo <es...@ya...> wrote:
> >
> > > Hi Guys,
> > > slightly off topic but does anyone know of a utility
> > > that will mount a dd image under windows xp.
|
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2005-06-14 00:21:59
|
> -----Original Message-----
> From: youcef bichbiche [mailto:ybi...@ya...]
> Sent: Monday, June 13, 2005 4:49 PM
> To: Altheide, Cory B. (IARC); sle...@li...
> Cc: 'ro...@mo...'
> Subject: RE: [sleuthkit-users] Mounting a dd image under windows
>
>
> Hi,
> It uses the concept of a loopback device, which allows
> to mount a file system within an image file.
Not in Cygwin it doesn't.
> to do that you use the mount command with the loop
> option to indicate that you want to use the loop
> device to mount the file system within the image, and
> you specifiy a disk image rather than a disk device.
>
> Example:
>
> mount -t vfat -o ro,noexec,loop image.disk1
> /mnt/analysis
Previously I specifically asked you to explain "how you are currently
mounting raw disk images under Windows using Cygwin."
This answer confirms my suspicions that you are currently not doing this /at
all/.
Your command:
"mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis"
has several problems. The -t option in Cygwin mount doesn't take arguments
- it gives text files under that mountpoint CRLF endings (Windows style).
The -o option doesn't take any of the three arguments passed above.
From the man page for Cygwin's mount:
"The -o option is the method via which various options about the mount
point may be recorded. The following options are available (note that most
of the options are duplicates of other mount flags):
user - mount lives user-specific mount
system - mount lives in system table (default)
binary - files default to binary mode (default)
text - files default to CRLF text mode line endings
exec - files below mount point are all executable
notexec - files below mount point are not executable
cygexec - files below mount point are all cygwin executables
nosuid - no suid files are allowed (currently unimplemented)
managed - directory is managed by cygwin. Mixed case and special
characters in filenames are allowed."
Finally, Cygwin mount is expecting a win32 style path where you have the
"image.disk1" argument.
The extent of use of the Cygwin mount command is mapping Win32 paths to
POSIX style paths, for example:
"mount c:\foo\bar /foo/bar"
So, I ask again, how you are currently mounting raw disk images under
Windows using Cygwin?
To answer the original poster, the only tool I've actually seen used on
Windows to do this is Mount Image Pro:
http://www.mountimage.com/
Although the aforementioned FileDisk appears interesting.
Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...
"I have taken all knowledge to be my province." -- Francis Bacon
> --- "Altheide, Cory B. (IARC)" <Alt...@nv...>
> wrote:
>
> > Hi -
> >
> > I'd be interested in either one (or both) of you
> > explaining how you are
> > currently mounting raw disk images under Windows
> > using Cygwin.
> >
> > Thanks -
> >
> > Cory Altheide
> > Senior Network Forensics Specialist
> > NNSA Information Assurance Response Center (IARC)
> > alt...@nv...
> > "I have taken all knowledge to be my province." --
> > Francis Bacon
> >
> > > -----Original Message-----
> > > From: sle...@li...
> > >
> > [mailto:sle...@li...]
> > On
> > > Behalf Of youcef bichbiche
> > > Sent: Saturday, June 11, 2005 4:23 PM
> > > To: sle...@li...
> > > Subject: Re: [sleuthkit-users] Mounting a dd image
> > under windows
> > >
> > >
> > > Try Cygwin. it supports Sleuthkit too.
> > >
> > > --- esrkq yahoo <es...@ya...> wrote:
> > >
> > > > Hi Guys,
> > > > slightly off topic but does anyone know of a
> > utility
> > > > that will mount a dd image under windows xp.
|
|
From: Bob O. <ro...@ec...> - 2005-06-15 03:07:27
|
This is to post my objection to the tone and intent of this email, which
I do not believe follows the spirit or intent of information exchange on
sourceforge. The correction of a fellow poster's mistake could be done
in an academic format by presenting the contrary supporting information.
It does not require an accusatory reprimand such as this email contains
and which I find offensive.

Altheide, Cory B. (IARC) wrote:

-snip-
> Not in Cygwin it doesn't.
-snip-
>
> Previously I specifically asked you to explain "how you are currently
> mounting raw disk images under Windows using Cygwin."
>
> This answer confirms my suspicions that you are currently not doing this /at
> all/.

-snip-
> So, I ask again, how you are currently mounting raw disk images under
> Windows using Cygwin?
|
From: <ro...@mo...> - 2005-06-15 08:09:31
|
Hello,

Wow, maybe there was a language problem on my side. Sorry for that.
Here's the full version. I use cygwin to load dd images into the
sleuthkit to make timelines etc. and use mountimagepro to virtually
mount dd images for virus scanning etc. I believe that paragon mount
everything is also capable of doing so. Mounting dd images in cygwin
like mountimage or in linux cannot be done to my knowledge.

Hope this helps.

> This is to post my objection to the tone and intent of this email, which
> I do not believe follows the spirit or intent of information exchange on
> sourceforge. The correction of a fellow poster's mistake could be done
> in an academic format by presenting the contrary supporting information.
> It does not require an accusatory reprimand such as this email contains
> and which I find offensive.
>
> Altheide, Cory B. (IARC) wrote:
>
> -snip-
> > Not in Cygwin it doesn't.
> -snip-
> >
> > Previously I specifically asked you to explain "how you are currently
> > mounting raw disk images under Windows using Cygwin."
> >
> > This answer confirms my suspicions that you are currently not doing this /at
> > all/.
>
> -snip-
> > So, I ask again, how you are currently mounting raw disk images under
> > Windows using Cygwin?
|
From: Matthew G. <mg...@co...> - 2005-06-15 12:14:24
|
Hi Bob,

Bob Older wrote:

>This is to post my objection to the tone and intent of this email, which
>I do not believe follows the spirit or intent of information exchange on
>sourceforge.

I think the spirit and intent of this list is to exchange accurate
technical information in a field where accuracy is paramount. Bad
information -- and by that I mean misleading, untested or speculative
information that isn't clearly flagged as such -- is worse than no
information.

If I post based on something my friend's cousin heard in a bar once, I
have an obligation to differentiate it from first-hand knowledge.

Cory's responses provided alternative advice for the original poster and
corrected bad information. I'm surprised you found anything about his
actions offensive.

Regards,
Matthew Geiger
|
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2005-06-15 16:46:56
|
> -----Original Message-----
> From: Bob Older [mailto:ro...@ec...]
> Sent: Tuesday, June 14, 2005 8:07 PM
> To: Altheide, Cory B. (IARC)
> Cc: 'youcef bichbiche';
> sle...@li...; ro...@mo...
> Subject: Re: [sleuthkit-users] Mounting a dd image under windows
>
> This is to post my objection to the tone and intent of this
> email, which I do not believe follows the spirit or intent of
> information exchange on sourceforge. The correction of a
> fellow poster's mistake could be done in an academic format by
> presenting the contrary supporting information. It does not
> require an accusatory reprimand such as this email contains
> and which I find offensive.

If a mistake were present, I would have been happy to correct it in an
"academic format." An opportunity was given (in the mail I sent previous to
this) for the poster to correct any "mistakes" or "misstatements." Said
poster then used this opportunity to continue to spread misinformation. I
have no tolerance for blatant falsehoods.

To summarize:

Don't assert BS as fact and expect a gentle correction.

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...
"I have taken all knowledge to be my province." -- Francis Bacon
|
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2005-06-15 16:48:51
|
> -----Original Message-----
> From: ro...@mo... [mailto:ro...@mo...]
> Sent: Wednesday, June 15, 2005 1:09 AM
> To: Bob Older; Altheide, Cory B. (IARC); 'youcef bichbiche';
> sle...@li...; ro...@mo...
> Subject: Re: [sleuthkit-users] Mounting a dd image under windows
>
> Hello,
>
> Wow, maybe there was a language problem on my side. Sorry for
> that.

It happens. ;)

> Here's the full version. I use cygwin to load dd images
> into the sleuthkit to make timelines etc. and use
> mountimagepro to virtually mount dd images for virus scanning
> etc.

The "MountImage Pro" part is a pretty important ingredient given the
original poster's recipe. :)

> I believe that paragon mount everything is also capable
> of doing so. Mounting dd images in cygwin like mountimage or
> in linux cannot be done to my knowledge.

That's my understanding as well, hence my original shock and awe at the
possibility that it could be.

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
alt...@nv...
"I have taken all knowledge to be my province." -- Francis Bacon
|
From: youcef b. <ybi...@ya...> - 2005-06-15 22:46:37
|
Mr Altheide,

There is always a limit of how you express your
frustration. Surely accusing my contribution, which was purely
meant to be a help and a pointer, as blatant, misleading, etc,
is something that I DON'T ACCEPT. You have all right to reject it,
but don't get personal. Also, reading your latest comment I felt
like I am listening to Donald Ramsfield IRAQ's motto "Show and awe" !!!?
please don't over exaggerate.

Now to clarify my posting:

I used mounted images under Linux, that's why I
thought the fact I can use it under Linux you can do
so under Cygwin. I didn't try it under cygwin, and
that was my mistake, I shouldn't assume it will work.

As for what you believe, I can only tell you this (hoping you
accept this kindly without firing on me):

I cannot deny something I've done, have seen, and have
touched. To inquire how it's possible to do it, the
person in charge "not my friend in the local pub" told
me this:

- Use the enhanced loopback driver developed by NASA
  Computer Crimes Division:
  ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/

- In case you don't want to screw up the kernel follow this guide:
  http://www.crazytrain.com/monkeyboy/FSK.pdf

This is not first-hand information, but I trust the source.

Again, the intention is to help you not to mislead, misinform,
shock, awe, etc.

Regards
Youcef

--- "Altheide, Cory B. (IARC)" <Alt...@nv...> wrote:

> > -----Original Message-----
> > From: ro...@mo... [mailto:ro...@mo...]
> > Sent: Wednesday, June 15, 2005 1:09 AM
> > To: Bob Older; Altheide, Cory B. (IARC); 'youcef bichbiche';
> > sle...@li...; ro...@mo...
> > Subject: Re: [sleuthkit-users] Mounting a dd image under windows
> >
> > Hello,
> >
> > Wow, maybe there was a language problem on my side. Sorry for
> > that.
>
> It happens. ;)
>
> > Here's the full version. I use cygwin to load dd images
> > into the sleuthkit to make timelines etc. and use
> > mountimagepro to virtually mount dd images for virus scanning
> > etc.
>
> The "MountImage Pro" part is a pretty important ingredient given the
> original poster's recipe. :)
>
> > I believe that paragon mount everything is also capable
> > of doing so. Mounting dd images in cygwin like mountimage or
> > in linux cannot be done to my knowledge.
>
> That's my understanding as well, hence my original shock and awe at the
> possibility that it could be.
>
> Cory Altheide
> Senior Network Forensics Specialist
> NNSA Information Assurance Response Center (IARC)
> alt...@nv...
> "I have taken all knowledge to be my province." -- Francis Bacon
|
From: Altheide, C. B. (IARC) <Alt...@nv...> - 2005-06-15 23:03:54
|
> -----Original Message-----
> From: youcef bichbiche [mailto:ybi...@ya...]
> Sent: Wednesday, June 15, 2005 3:46 PM
> To: Altheide, Cory B. (IARC); 'ro...@mo...';
> sle...@li...
> Subject: RE: [sleuthkit-users] Mounting a dd image under windows
>
> There is always a limit of how you express your
> frustration.

You don't know me very well. ;)

> Surely accusing my contribution, which was purely
> meant to be a help and a pointer,

A pointer in the *wrong direction* isn't helpful, no matter the intentions.
If someone stops you on the street and says "Do you know the way to XYZ
street?" do you say "oh, I've been to a 123 street before, I'll tell him how
to get there!" or do you respond "Sorry, I don't know"?

...

> Now to clarify my posting:
>
> I used mounted images under Linux, that's why I
> thought the fact I can use it under Linux you can do
> so under Cygwin. I didn't try it under cygwin, and
> that was my mistake, I shouldn't assume it will work.

Moreover, one should never state untested assertion as fact. That'd be fine
if this was the "making stuff up" list, but it's not - it's a list for users
of *forensic utilities*. Far too often the "forensic community" fails to
perform the most basic tasks required of it.

1) Test
2) Verify
3) Assert

You don't have to be right - just don't be *wrong*.

> I cannot deny something I've done, have seen, and have
> touched. To inquire how it's possible to do it, the
> person in charge "not my friend in the local pub" told
> me this:
>
> - Use the enhanced loopback driver developed by NASA
> Computer Crimes Division:
> ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/

"linux-2.4.28-enhanced_loop.tar.gz"

The enhanced *LINUX* loopback driver. Which works great. In Linux. Which
Cygwin is not.

--
Cory
|
From: Thomas S. <tu...@gm...> - 2005-06-15 13:56:31
|
> Try FileDisk (http://www.acc.umu.se/%7Ebosse/)

Filedisk works perfect, but only with _partitions_, so you'll have to
extract the partitions of your image (again with dd).
There are other tools to mount or at least read other linux-filesystems
and images like reiserfs under windows.

--
Greetings,

Thomas Springer
IT-Security
TÜV Informatik und Consulting Services
Unternehmensgruppe TÜV Süddeutschland
Westendstrasse 199
80686 München
Tel: 089/5791-2069
Fax: 089/5791-1355
E-Mail: tho...@tu...
----
The only thing worse than criminally bad perl is reinventing the wheel.
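
Added example, not part of the original post and not code from FileDisk or The Sleuth Kit: one way to do the "extract the partitions with dd" step mentioned above, by reading the MBR partition table of a whole-disk image and copying one partition to its own file while hashing it. The 512-byte sector size, the file names and the tiny sample image are assumptions constructed for illustration; extended/logical partitions are not followed.

```python
import hashlib
import struct

SECTOR = 512  # assumed sector size of the raw (dd) image

def build_sample_image():
    """Constructed test image: MBR, one unused sector, 4-sector partition at LBA 2."""
    mbr = bytearray(SECTOR)
    # 16-byte entry: status, CHS start, type (0x0B = FAT32), CHS end, LBA start, sectors
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x0B, b"\0" * 3, 2, 4)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    partition = b"FAKE-FS" + bytes(4 * SECTOR - 7)
    return bytes(mbr) + bytes(SECTOR) + partition

def list_partitions(image_path):
    """Return the primary MBR partitions (extended/logical ones are not followed)."""
    with open(image_path, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: not a whole-disk image?")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        _, _, ptype, _, start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype and sectors:
            parts.append({"index": i, "type": ptype, "start": start, "sectors": sectors})
    return parts

def carve_partition(image_path, part, out_path, chunk=1 << 20):
    """Same effect as: dd if=IMAGE of=OUT bs=512 skip=START count=SECTORS.
    The source image is opened read-only; returns the SHA-256 of the carved data."""
    remaining = part["sectors"] * SECTOR
    digest = hashlib.sha256()
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(part["start"] * SECTOR)
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:
                raise ValueError("truncated image: partition runs past end of file")
            dst.write(buf)
            digest.update(buf)
            remaining -= len(buf)
    return digest.hexdigest()

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "disk.dd")
        with open(image, "wb") as f:
            f.write(build_sample_image())
        for p in list_partitions(image):
            out = os.path.join(tmp, "part%d.dd" % p["index"])
            print(p, carve_partition(image, p, out))
```

The returned hash can be recorded alongside the carved file so that the partition image handed to a mounting tool can later be checked against the original evidence image.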
|
From: Guido M. <gui...@ya...> - 2005-06-16 05:27:20
|
Thanks Thomas,

I work often with dd images and so I have marked this thread in
expectation of a good answer and resolving.
Unfortunately is it something difficult to find a answer of the question
from Patrick here, because the most answers here are not referring to
the topic... ;-)
So I even more happy as I found today your post. I will try out your
hint immediately.

Regards
Guido

PS: Sorry for my bad english, I use "Babylon" ;-)

Thomas Springer wrote:
>> Try FileDisk (http://www.acc.umu.se/%7Ebosse/)
>
> Filedisk works perfect, but only with _partitions_, so you'll have to
> extract the partitions of your image (again with dd).
> There are other tools to mount or at least read other linux-filesystems
> and images like reiserfs under windows.

--
-----------------------------------------------------
Guido Metzner
"Software is like sex, it's better, when it's free." Linus Torvalds
Email: gui...@ya...
ICQ : 113662639
URL : http://www.guframe.de
-----------------------------------------------------