04 September 2019

Getting to know a disk image via mmls, fsstat, fls, losetup

image: disk1.dd


1- mmls to list the partitions in the disk
2- get the offset of the partition of interest
3- fsstat -o xxx lists the file system information at offset xxx
4- fls needs -o xxx to create the body file for that partition.

5- losetup can create /dev/loopX to make the partition easier to access. However, it needs the offset in bytes (mmls reports it in sectors).
 So: xxx * 512 (bytes per sector) gives the offset.



1-
# mmls -t dos disk1.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

 Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   Linux (0x83)
03:  00:01   0000499712   0041940991   0041441280   Linux (0x83)
04:  -----   0041940992   0041943039   0000002048   Unallocated

3-
# fsstat -o 2048 disk1.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext3
Volume Name:
Volume ID: 2c71dce497ca7d83694ea172de905590

Last Written at: Tue Oct  5 11:06:10 2010
Last Checked at: Tue Oct  5 10:04:19 2010

Last Mounted at: Tue Oct  5 11:05:31 2010
Unmounted properly
Last mounted on: /boot
[...]

4-  fls -o 2048 -r -m C: disk1.dd > fls-bodyfile.txt

      Then you can create a timeline:
      mactime -z UTC -y -d -b fls-bodyfile.txt 1500-01-01..2020-01-01 > mactimeline.csv


5- 
# expr 499712 \* 512
255852544
# losetup -f
/dev/loop0
# losetup -r -o 255852544 /dev/loop0 disk1.dd
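
Steps 1, 2 and 5 can be combined so the sector-to-byte conversion is not done by hand. The script below is an added example, not part of the original post: it parses the mmls output shown in step 1 and prints, without running them, read-only losetup commands for each allocated partition. The function names mmls_byte_offsets and losetup_commands are hypothetical.

```shell
# Added example (not from the original post): turn mmls output into byte
# offsets and sizes usable with losetup -o / --sizelimit.

# mmls output for disk1.dd, copied from step 1 of the post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000499711   0000497664   Linux (0x83)
03:  00:01   0000499712   0041940991   0041441280   Linux (0x83)
04:  -----   0041940992   0041943039   0000002048   Unallocated'

# Reads mmls output on stdin; prints one line per allocated partition:
#   <start_sector> <byte_offset> <byte_size> <description>
mmls_byte_offsets() {
    awk '
        # Sector size comes from the header: "Units are in 512-byte sectors".
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); ss = u[1] + 0; next }
        # Partition rows: "NN:  slot  start  end  length  description...".
        $1 ~ /^[0-9]+:$/ && $3 ~ /^[0-9]+$/ {
            if (ss == 0) { print "no sector size line seen" > "/dev/stderr"; exit 1 }
            # Skip the partition table entry (Meta) and unallocated gaps (-----).
            if ($2 == "Meta" || $2 ~ /^-+$/) next
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            # "+ 0" makes awk treat the zero-padded fields as decimal numbers.
            # %.0f avoids the 32-bit clamping of %d in some awk builds.
            printf "%.0f %.0f %.0f %s\n", $3 + 0, ($3 + 0) * ss, ($5 + 0) * ss, desc
        }
    '
}

# Prints (does not run) a read-only losetup command per partition.
losetup_commands() {   # $1 = image path
    mmls_byte_offsets | while read -r start off size desc; do
        echo "losetup -r -f --show -o $off --sizelimit $size $1"
    done
}

printf '%s\n' "$SAMPLE_MMLS" | mmls_byte_offsets
printf '%s\n' "$SAMPLE_MMLS" | losetup_commands disk1.dd
```

The arithmetic is done in awk because shell arithmetic such as $((0000002048 * 512)) reads the zero-padded mmls fields as octal and fails. On a real image, pipe `mmls -t dos disk1.dd` into the functions instead of the sample.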



