Sunday, November 1, 2015

FireFox 41.0.1 Browsing session analysis - Mounting a dc3dd image


In the previous post we created a forensic copy of a disk using dc3dd. Let's now mount that image.

Before mounting the image, let's see what we can learn about it from "fdisk -l".


sansforensics@securitynik:~/firefox-analysis$ fdisk -l securitynik-firefox.dc3dd

From the above we see a FAT16 partition that starts at sector 32 and ends at sector 3915575. To get the actual starting point of the partition in bytes, multiply the starting sector of 32 by 512, which is the sector size. Multiplying 32 x 512 gives 16,384.

Now that we have the actual offset of 16,384, let's mount the partition.
sansforensics@securitynik:~/firefox-analysis$ sudo mount --read-only --options=loop,offset=16384 securitynik-firefox.dc3dd tmp/


Now that we have executed the mount command, let's verify that the image has been mounted successfully.
sansforensics@securitynik:~/firefox-analysis$ df -kh


So far so good. Now that we have the mounted drive, let's look at analyzing the various SQL databases in the next post.
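
The start sector and byte offset used above can also be read directly from the partition table in the first sector of the image. The following is an added example, not part of the original post: it parses the four primary MBR entries, computes the offset and size for each, and builds the read-only mount command. It assumes a classic MBR layout with 512-byte sectors (no GPT, no logical partitions); the function names and the constructed sample sector, including its 0x06 FAT16 type byte, are illustrative.

```python
import struct

SECTOR_SIZE = 512    # bytes per sector, as used in the post
TABLE_OFFSET = 446   # the MBR partition table starts at byte 446
ENTRY_SIZE = 16      # four entries of 16 bytes each


def parse_mbr(sector0, sector_size=SECTOR_SIZE):
    """Return one dict per used partition entry in the first sector of an image."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("first sector has no 0x55AA MBR signature")
    parts = []
    for i in range(4):
        pos = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        _status, ptype, start, count = struct.unpack(
            "<B3xB3xII", sector0[pos:pos + ENTRY_SIZE])
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "type": ptype,
            "start": start,
            "end": start + count - 1,        # last sector, as fdisk prints it
            "offset": start * sector_size,   # byte offset for mount's offset=
            "size": count * sector_size,     # byte length for mount's sizelimit=
        })
    return parts


def mount_command(image, part, mountpoint):
    """Build a read-only loop mount command for one parsed partition."""
    opts = "loop,offset={offset},sizelimit={size}".format(**part)
    return "sudo mount --read-only --options={} {} {}".format(opts, image, mountpoint)


def sample_mbr():
    """Constructed first sector: one FAT16 entry (type 0x06), sectors 32..3915575."""
    sector = bytearray(512)
    sector[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3xB3xII", 0x00, 0x06, 32, 3915575 - 32 + 1)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # For a real image: parse_mbr(open("securitynik-firefox.dc3dd", "rb").read(512))
    for p in parse_mbr(sample_mbr()):
        print(p)
        print(mount_command("securitynik-firefox.dc3dd", p, "tmp/"))
```

The sizelimit option keeps the loop device from extending past the end of the partition, which matters when an image holds more than one partition.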

