LinuxQuestions.org


liamtsw 05-31-2012 09:53 PM

Viewing a copy made using dd
 
I am a newbie when it comes to Linux. I am currently taking a class and my assignment was to download a file, evidence1.dd, and make a copy onto a flash drive using dd. I successfully made the copy and verified the hashes are the same. I set up the drive.


sudo dd if=/dev/zero of=/dev/sdb bs=8192
sudo dd if=evidence1.dd of=/dev/sdb1 bs=8192
sudo dd if=/dev/sdb1 of=sweeney.case01.dd bs=8192
sudo sha1sum /dev/sdb1 sweeney.case01.dd

My question is how do I view the files on the flash drive? I am sure it's simple to most of you. Like I said I am new and I have been trying to figure it out on my own but I could use some help. Thanks in advance.

Tinkster 05-31-2012 10:08 PM

Hi, welcome to LQ!

There's a few unnecessary steps in there, really, you could have
just copied evidence1.dd to sweeney.case01.dd using
cp evidence1.dd sweeney.case01.dd

And then you could mount the image via loopback to see
the files in/on the image.

From man mount
Code:

THE LOOP DEVICE
      One further possible type is a mount via the loop device. For example, the command

        mount /tmp/fdimage /mnt -t vfat -o loop=/dev/loop3

      will set up the loop device /dev/loop3 to correspond to the file /tmp/fdimage, and then mount this device on /mnt.

      This type of mount knows about four options, namely loop, offset, sizelimit and encryption, that are really options  to  losetup(8).
      If  the mount requires a passphrase, you will be prompted for one unless you specify a file descriptor to read from instead with the
      --pass-fd option.  (These options can be used in addition to those specific to the filesystem type.)

      If no explicit loop device is mentioned (but just an option `-o loop' is given), then mount will try to find some unused loop device
      and use that.

      Since Linux 2.6.25 is supported auto-destruction of loop devices and then any loop device allocated by mount will be freed by umount
      independently on /etc/mtab.

      You can also free a loop device by hand, using `losetup -d' or `umount -d`.


Cheers,
Tink

liamtsw 05-31-2012 11:13 PM

Tinkster,
I tried your solution and the results were:


sudo mount /dev/sda /mnt -t vfat -o loop=/dev/loop3
[sudo] password for liam:

mount: wrong fs type, bad option, bad superblock on /dev/loop3,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so

Tinkster 06-01-2012 12:00 AM

That's not "my solution", that's reading material that's meant to give you
an idea of how one goes about mounting a loop-back device, quoting mount's
man-pages.


What you want to do is something like this:
sudo mount sweeney.case01.dd /mnt/ -t vfat -o loop=/dev/loop3
which may or may not work ... depending on whether mount is in use
in other ways.

You may want to create a separate mount-point instead, e.g.:
sudo mkdir /mnt/loop3
and then
sudo mount sweeney.case01.dd /mnt/loop3 -t vfat -o loop=/dev/loop3


If the first step fails w/ an error don't run the second.

Cheers,
Tink

allend 06-01-2012 12:31 AM

Quote:

sudo dd if=/dev/zero of=/dev/sdb bs=8192
The above command has blanked the entire flash drive including track 0 that contains the partition table. If that was not your intention, then you will need to reformat the flash drive.
Perhaps you intended to merely blank the first partition, in which case the command is:
Code:

sudo dd if=/dev/zero of=/dev/sdb1 bs=8192
This is correct if evidence1.dd is a partition image.
Quote:

sudo dd if=evidence1.dd of=/dev/sdb1 bs=8192
If evidence1.dd contains a dd image that includes track 0 information, then the command should be
Code:

sudo dd if=evidence1.dd of=/dev/sdb bs=8192
Quote:

sudo mount /dev/sda /mnt -t vfat -o loop=/dev/loop3
Your flash drive device is /dev/sdb and not /dev/sda

If evidence1.dd is a partition image on /dev/sdb1 then
Code:

sudo mount /dev/sdb1 /mnt -o loop
You should not need to specify the type, as mount can determine this.
If evidence1.dd contains track 0 information, then you will need an offset option (typically offset=32256 where 32256=63 sectors times 512 bytes/sector).
Code:

sudo mount /dev/sdb /mnt -o loop,offset=32256
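The offset=32256 value above assumes the first partition starts at sector 63; the following added example (not from any post in this thread) instead reads the start LBA out of the image's own MBR partition table, checks the 0x55AA signature, and builds the corresponding read-only loop mount command. It only needs POSIX od, dd and printf; the demo image it constructs is a fake MBR, not evidence1.dd.

```shell
#!/bin/sh
# Added example (not from the thread): derive the "offset=" value for
# "mount -o loop,offset=..." from the partition table in a raw disk image
# rather than assuming 63 sectors * 512 bytes.

# Check the 0x55AA boot-sector signature at bytes 510-511 of the image.
mbr_signature_ok() {
    set -- $(od -An -t u1 -j 510 -N 2 "$1")
    [ "$1" = 85 ] && [ "$2" = 170 ]
}

# Print the byte offset of partition $2 (1-4) in image $1; fail on an empty entry.
mbr_part_offset() {
    img=$1; n=${2:-1}
    entry=$((446 + (n - 1) * 16))
    # byte 4 of a 16-byte entry is the partition type; 0 means the slot is unused
    set -- $(od -An -t u1 -j $((entry + 4)) -N 1 "$img")
    [ "${1:-0}" -ne 0 ] || return 1
    # bytes 8-11 hold the starting LBA, little-endian; assemble it by hand
    # so the result does not depend on the host's byte order
    set -- $(od -An -t u1 -j $((entry + 8)) -N 4 "$img")
    [ $# -eq 4 ] || return 1
    lba=$(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
    echo $((lba * 512))
}

# Print the read-only mount command for partition $2 of image $1 at mount point $3.
# Mounting evidence read-only keeps the hashes you verified with sha1sum valid.
mount_cmdline() {
    off=$(mbr_part_offset "$1" "$2") || return 1
    echo "mount -o ro,loop,offset=$off $1 $3"
}

# Constructed demo image (assumption for the demo, not real evidence): four zero
# sectors plus a fake MBR whose first entry is a bootable FAT16 (type 0x06)
# partition starting at LBA 63 and 2880 sectors long.
make_demo_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf '\200\000\000\000\006\000\000\000\077\000\000\000\100\013\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}
```

For a real image, run mbr_signature_ok and mount_cmdline against the file and execute the printed command with sudo; an image whose first partition starts at LBA 2048 will give offset=1048576 instead of 32256.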

liamtsw 06-01-2012 12:36 AM

Thanks for the help. This time I put

sudo mkdir /mnt/loop3
sudo mount sweeney.case01.dd /mnt/loop3 -t vfat -o loop=/dev/loop3



It is mounted now, so thank you. For some reason I thought I would be able to see and open the files. Like I said I am new to Linux so thanks for your patience.
I did run

sudo xxd sweeney.case01.dd | less

and the result was "This is not a bootable disk. Please insert a bootable floppy and press any key."

From this I was able to identify 4 txt files and 4 jpeg files, which is all I needed to know for this part of my class. I just wanted to view the files and jpegs for my own curiosity and still do.

Tinkster 06-01-2012 12:53 AM

Quote:

Originally Posted by liamtsw (Post 4692575)
Thanks for the help. This time I put

sudo mkdir /mnt/loop3
sudo mount sweeney.case01.dd /mnt/loop3 -t vfat -o loop=/dev/loop3



It is mounted now, so thank you. For some reason I thought I would be able to see and open the files. Like I said I am new to Linux so thanks for your patience.
I did run

sudo xxd sweeney.case01.dd | less

and the result was "This is not a bootable disk. Please insert a bootable floppy and press any key."


From this I was able to identify 4 txt files and 4 jpeg files, which is all I needed to know for this part of my class. I just wanted to view the files and jpegs for my own curiosity and still do.

If you describe your working environment (cli, gui) you may yet be able to.

If you see the files as such you should be able to view them.

cd /mnt/loop3
less textfile_to_view

liamtsw 06-01-2012 08:39 AM

Thanks for all your help. I learned a lot. I was able to open the files; unfortunately they were all in binary. I really do appreciate your time and patience.

schneidz 06-01-2012 10:45 AM

what is evidence1.dd ? please run
Code:

file evidence1.dd
and share the results with us.

jefro 06-01-2012 11:40 AM

I got really confused in all of this.

Why didn't you dd the file to a flash drive?

What did you mean you verified the hashes? How did you do that?

liamtsw 06-01-2012 01:00 PM

I ran evidence1.dd and

evidence1.dd: DOS floppy 1440k, x86 hard disk boot sector

I did image onto a flash drive, jefro. Sorry for the confusion. I am taking a digital forensics class online and I'm out of my element. This was my first assignment, so I will have more questions. The assignment was simple: download a file, evidence1.dd, and make an image onto the flash drive. Then I was to verify the image by comparing the hashes. I used sudo sha1sum /dev/sdb1 sweeney.case01.dd, and it showed me the original file I downloaded and the image were an exact copy; nothing had been changed. I also have to type up reports of my findings. The assignment did not call for me to view the contents of the files; I was curious and wanted to know how to do this, so I joined this forum and posted a question. That's basically it. Thanks for everyone's patience with me; I know it can be frustrating at times because of my lack of Linux experience.

