Linux: Mounting by First Extracting the Partition

You can use dd to extract the partition of interest manually and then mount it via loopback. Again, the assumption of 512 bytes per sector is assumed here. As explained in Brian Carrier’s March 15th Sleuth Kit Informer column, Splitting The Disk, we can pass dd the starting sector of the partition in question and calculate the size and allow it to extract it for us. For example, let’s extract my ext3 partition, then mount it on loopback.

We pass dd bytes at a time size (bs option) of 512. Next, we pass it the starting sector of my ext3 partition from the fdisk output above, 7695198, as the number of blocks to skip ahead in the image. Last, we calculate the size as explained in the Sleuth Kit Informer above by taking the starting and ending sectors of the partition, subtracting them, then adding one (9510479 – 7695198 + 1 = 1815282).

Ronald Woelfel raised an interesting question about a missing sector on partitions with an odd number of sectors, which was explained thusly by Brian Carrier of Sleuth Kit fame: ”The reason that you noticing the difference is likely because your linux system has the 2.4 kernel, which has a bug when accessing disk or partition devices. If a partition or disk has an odd number of sectors, the last sector is not read.”

faith:/home/jasonb#  dd if=/nebula/hda_dd.image of=/nebula/test.image
bs=512 skip=7695198 count=1815282
1815282+0 records in
1815282+0 records out

Once dd completes, you can mount the image as you normally would:

faith:/home/jasonb#  mount -o loop -t ext3 /nebula/test.image /mnt
faith:/home/jasonb#  ls /mnt
bin    dev     home    lib opt   sbin  var
boot   etc     import  lost+found  proc  tmp   vmlinuz
cdrom  floppy  initrd  mnt root  usr   vmlinuz.old
faith:/home/jasonb#  umount /mnt

By jasonb