dd and mount command
 

Hi,
I made an image with this command in Fedora:
"dd if=/dev/sda of=/home/image.dd"
Are all my memory data in this image?
Can I mount it and investigate it with TSK?
I want to mount it with this command:
"mount /home/image.dd /mnt/tmp "
but it says "cannot determine filesystem type".
what should I do? Did I created image from correct file?
Thanks

I am not really sure how this is a security question, but ...

The dd command you referenced will make an image of the entire drive named sda, which can be used to restore the drive using the dd command in reverse. This is a sector by sector copy of the drive but the image file is not a natively mountable device. Your question made me curious about this subject and a quick search for the terms 'linux mount dd image' brought up several promising links, including this one. Several of the links mention the need to account for a starting offset to be able to mount the image. It has been several years since I studied file system and drive layout but from what I recall, there are some initial portions of the drive that aren't part of the partition and these would need to be skipped.

not sure what tsk is but what that seems to be is a image of a disk (boot sector, partition table, partitions). there are ways to mount the partitions inside of it but it is complex.

seems like you wanted to image the partitions only like so:use the file command to determine if your images are disks or partitions.

TSK stands for The Sleuthkit, which builds on TCT (The Coroner's Toolkit). Other OSS frameworks forensics practitioners could use would be pyFLAG (Forensic and Log Analysis GUI) or OCFA (Open Computer Forensics Architecture) to name two.


'kpartx' was mentioned on LQ since 2006 (only in 2008 in conjunction with mounting partitions) ;-p


No. For that you would needed to have a LKM loaded beforehand (let's not talk about hardware capture devices).


Sure, easiest using TSK's companion app Autopsy.