CAINE 1.5 Installed and MMLS to mount NTFS image file
At some point you may want to view an operating system image file as a file system, as it was on the original disk. This enables quick restoration of files, string searches, e-discovery, etc. The following directions will walk you through mounting an image of an operating system so that you can quickly view it as a file system.
NOTE: If you have imaged a partition (sda1 instead of sda) you DO NOT need to find the offset and you can mount the partition to your directory structure using the following command:
[root@forensics1-desktop]# mount -t ntfs -o loop,ro /evidence/sda-img.dd /media/evidence
1. Select "Menu"... Forensic Tools... Caine Interface
2. Type your password if prompted (132456)
3. Click the "Create Report" button
4. Type your casename and Click OK
5. Type your investigator and Click OK
6. Select the "Grissom Analyzer" tab
7. Type the location of your image file (example: /evidence/sda-img.dd)
8. Click the “mmls” button
9. Document the UNITS (example: Units are in 512-byte sectors)
10. Document the start of the partition you wish to mount (example: 0000000063)
11. Multiply the start of the partition by the Units (example: 63 X 512 = 32256)
12. Make a directory in /media to mount the image to. (example: /media/evidence) The offset below comes from the number you came up with in step 11.
a. Open a Command Line Window
b. Type: sudo su
c. Enter your password
d. Type: mkdir /media/evidence
e. Type: mount -t ntfs -o loop,ro,offset=32256 /evidence/sda-img.dd /media/evidence
13. Now you can use the “cd” command to view the image file’s directory structure
a. Type: cd /media/evidence
b. Type: ls
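Steps 9 to 12 as a script, added here as an example and not part of the original post: it reads mmls output, multiplies each NTFS partition's start sector by the unit size, and prints the matching read-only mount command. The mmls listing is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive mount offsets from mmls output (steps 9-12).

# Constructed sample of `mmls /evidence/sda-img.dd` output (not real case data).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020964824   0020964762   NTFS (0x07)
03:  00:01   0020964825   0041929649   0020964825   NTFS (0x07)
EOF
}

# Read mmls output on stdin; print "<start_sector> <byte_offset>" per NTFS row.
# awk converts the zero-padded start as decimal. Shell arithmetic such as
# $((0000000063 * 512)) would parse the leading zeros as octal and yield a
# wrong offset, so the multiplication is done in awk.
ntfs_offsets() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); unit = u[1] + 0 }
        /^[0-9]+:/ && /NTFS/ {
            if (unit <= 0) exit 1          # no Units line seen: refuse to guess
            printf "%.0f %.0f\n", $3 + 0, ($3 + 0) * unit
        }
    '
}

# Print (do not run) the mount command for the Nth NTFS partition.
# usage: mount_cmd N IMAGE MOUNTPOINT   (mmls output on stdin)
mount_cmd() {
    off=$(ntfs_offsets | sed -n "${1}p" | cut -d' ' -f2)
    [ -n "$off" ] || return 1              # no such partition in the listing
    echo "mount -t ntfs -o loop,ro,offset=$off $2 $3"
}

sample_mmls | ntfs_offsets
sample_mmls | mount_cmd 1 /evidence/sda-img.dd /media/evidence
```

On a real image, replace `sample_mmls` with `mmls /evidence/sda-img.dd` and run the printed command as root.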