This is me, Wu!
» e-shell.org

Mounting dd dumped images as usual filesystems

dd is a nice tool available on most modern Unix systems that lets us perform byte-to-byte copies of, for example, the partitions of our systems. Some people use this tool to make backups, others use it when doing forensic analysis (it is perfect for copying the partitions of a compromised system without altering the files inside it, their modification and access dates, etc.) and so on.

One feature of the Linux kernel I have often used is the ability to mount an image created with dd, using the loopback device. This way we can mount the raw dd image without having to create a partition and restore the image into it with dd. Let's see it with an example.

In my example I will use a dump created by dd of a 1 GB partition of a Linux box. The partition has an ext2 filesystem inside it.

Linux

I will use a vanilla 2.6.10 kernel from kernel.org running on a Slackware Linux box.

wu@nutshell:~$ uname -ap
Linux nutshell 2.6.10 #3 Sat Feb 19 17:29:47 CET 2005 i686 unknown unknown GNU/Linux
wu@nutshell:~$

In order to use the loopback device we need a kernel with loopback support enabled; look under Device Drivers -> Block devices -> Loopback device support to check whether your kernel has it. There is another interesting option right there, Cryptoloop Support, but that is a story for another hack, not this one...

Once we have a kernel with the necessary support enabled, mounting the dd image is quite easy:

wu@nutshell:~$ sudo mount /usr/home/wu/retov2/analisis/hda1.dd /usr/home/wu/retov2/mnt -o ro,loop
wu@nutshell:~$ mount
/dev/hda5 on / type xfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
/dev/hda6 on /tmp type xfs (rw)
/dev/hda7 on /var type xfs (rw)
/dev/hda8 on /usr type xfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /usr/home/wu/retov2/analisis type xfs (rw,noexec,nosuid,nodev,user=wu)
/usr/home/wu/retov2/analisis/hda1.dd on /usr/home/wu/retov2/mnt type ext2 (ro,loop=/dev/loop0)
wu@nutshell:~$ ls -l /usr/home/wu/retov2/mnt
total 164
drwxr-xr-x   2 root root  4096 2005-01-20 16:58 bin/
drwxr-xr-x   3 root root  4096 2005-01-20 16:54 boot/
drwxr-xr-x  18 root root 86016 2005-01-29 22:16 dev/
drwxr-xr-x  39 root root  4096 2005-01-29 22:25 etc/
drwxr-xr-x   2 root root  4096 2005-01-20 16:50 home/
drwxr-xr-x   2 root root  4096 2001-06-21 20:32 initrd/
drwxr-xr-x   7 root root  4096 2005-01-29 22:21 lib/
drwx------   2 root root 16384 2005-01-20 16:50 lost+found/
drwxr-xr-x   2 root root  4096 2002-04-02 18:22 misc/
drwxr-xr-x   4 root root  4096 2005-01-20 23:07 mnt/
drwxr-xr-x   2 root root  4096 1999-08-23 18:03 opt/
drwxr-xr-x   2 root root  4096 2005-01-20 16:50 proc/
drwxr-x---   3 root root  4096 2005-01-29 22:22 root/
drwxr-xr-x   2 root root  4096 2005-01-29 22:22 sbin/
drwxrwxrwt   5 root root  4096 2005-01-31 20:31 tmp/
drwxr-xr-x   2 root root  4096 2005-01-20 16:50 usr/
drwxr-xr-x   2 root root  4096 2005-01-20 16:50 var/

As you can see, the only strange thing we have to do is use the -o loop option with the mount command. Perhaps you have noticed that I have used the ro option too; the reason is that this image, as you may have guessed, is an image of a compromised Linux server I'm playing with (forensics can be so much fun...), so the image must be mounted read-only.

We can use umount as with any other filesystem to unmount the dd image when we are finished with it:

wu@nutshell:~$ sudo umount /usr/home/wu/retov2/mnt
wu@nutshell:~$

Ok, this is useful, but what about doing the same on BSD systems? It is somewhat different: on both OpenBSD and FreeBSD we can not use the loop device as in Linux (sorry, I do not have a NetBSD box to check it ;( ). Let's see it with the same example.

OpenBSD

In OpenBSD we can use vnconfig to associate the image with a device we can use like a normal partition from a physical disk, and then we can mount that device as always, using mount. I will repeat the previous example on an OpenBSD 3.6 box:

$ uname -ap
OpenBSD nacht.e-shell.org 3.6 GENERIC#0 i386 Intel(R) Pentium(R) 4 CPU 1.70GHz ("GenuineIntel" 686-class)
$ sudo vnconfig svnd0 hda1.dd
$ sudo mount -t ext2fs -r /dev/svnd0c /mnt
$ mount
/dev/wd0a on / type ffs (local)
/dev/wd0d on /tmp type ffs (local, nodev, nosuid)
/dev/wd0f on /usr type ffs (local, nodev)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/svnd0c on /mnt type ext2fs (local, read-only)
$ ls -l /mnt/
total 328
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:58 bin
drwxr-xr-x   3 root  wheel   4096 Jan 20 16:54 boot
drwxr-xr-x  18 root  wheel  86016 Jan 29 22:16 dev
drwxr-xr-x  39 root  wheel   4096 Jan 29 22:25 etc
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 home
drwxr-xr-x   2 root  wheel   4096 Jun 21  2001 initrd
drwxr-xr-x   7 root  wheel   4096 Jan 29 22:21 lib
drwx------   2 root  wheel  16384 Jan 20 16:50 lost+found
drwxr-xr-x   2 root  wheel   4096 Apr  2  2002 misc
drwxr-xr-x   4 root  wheel   4096 Jan 20 23:07 mnt
drwxr-xr-x   2 root  wheel   4096 Aug 23  1999 opt
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 proc
drwxr-x---   3 root  wheel   4096 Jan 29 22:22 root
drwxr-xr-x   2 root  wheel   4096 Jan 29 22:22 sbin
drwxrwxrwt   5 root  wheel   4096 Jan 31 20:31 tmp
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 usr
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 var
$

Note that we do not pass a device path to vnconfig; we use just svnd0, which stands for the first svnd (Vnode Disk Driver) device. This device provides us with a disk-like interface to a file. Another interesting use for vnd devices is using files as swap devices, for example when you run out of swap space and you do not have free space on your disks to create physical swap partitions either. There are in fact two different vnd devices, vnd and svnd. The first one bypasses the buffer cache and thus is suitable for swap on files, but not usable in our case with virtual disks, while the second one, the so-called safe vnd, uses the buffer cache, maintaining cache coherency after the device is closed.

Note that in order to use vnconfig and the svnd device we need kernel support for it; the GENERIC kernel has support for at least four virtual disks:

pseudo-device  vnd  4    # vnode disk driver

When we are finished working with the image, we can unmount it and de-configure the virtual disk:

$ sudo umount /mnt
$ sudo vnconfig -u svnd0
$

FreeBSD

In this case it depends on the FreeBSD version you are using. 4.x users will use vnconfig almost the same way as in OpenBSD. FreeBSD 5.x users will use the new mdconfig, a cleaner replacement for vnconfig. I will cover the 5.x branch, as I do not have any 4.x box here to play with. Let's see the same example, but on a FreeBSD 5.3-STABLE box:

[Silence] /analisis/retov2# uname -ap
FreeBSD Silence.codigo23.net 5.3-STABLE FreeBSD 5.3-STABLE #1: Mon Dec 13 17:30:21 CET 2004
wu@Silence.codigo23.net:/usr/obj/usr/src/sys/SILENCE  i386 i386

mdconfig is, in fact, a powerful tool that lets us play with more kinds of virtual disks than vnconfig, through the md device. This device supports four kinds of memory-backed virtual disks: malloc, preload, vnode and swap. The one we need here is vnode, which lets us create a virtual disk from a file (in this case our dd dumped image). swap uses swap space to back our virtual disk, and malloc can be used to create virtual disks in RAM.

The preload option is used to manage virtual disks loaded at boot time through loader; this is useful on systems that boot directly from external media, like CD, DVD, etc. (FreeSBIE, as an example).

So, let's see how to create a device we can play with later, using mdconfig:

[Silence] /analisis/retov2# mdconfig -a -t vnode -f hda1.dd -u 0
[Silence] /analisis/retov2# mdconfig -l
md0
[Silence] /analisis/retov2# mdconfig -l -u md0
md0     vnode   1020096 KBytes
[Silence] /analisis/retov2# kldload ext2fs
[Silence] /analisis/retov2# mount -r -t ext2fs /dev/md0 /mnt/hd
[Silence] /analisis/retov2# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s2d on /analisis (ufs, local, soft-updates)
/dev/ad0s2e on /data (ufs, local, soft-updates)
/dev/ad0s1g on /home (ufs, local, soft-updates)
/dev/ad0s1f on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
devfs on /var/named/dev (devfs, local)
192.168.23.1:/data on /codigo23/data (nfs)
192.168.23.1:/mp3 on /codigo23/mp3 (nfs)
/dev/md0 on /mnt/hd (ext2fs, local, read-only)
[Silence] /analisis/retov2# ls -l /mnt/hd/
total 168
-rw-r--r--   1 root  wheel      0 Jan 20 23:43 .autofsck
-rw-------   1 root  wheel    665 Jan 29 22:27 .bash_history
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:58 bin
drwxr-xr-x   3 root  wheel   4096 Jan 20 16:54 boot
drwxr-xr-x  18 root  wheel  86016 Jan 29 22:16 dev
drwxr-xr-x  39 root  wheel   4096 Jan 29 22:25 etc
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 home
drwxr-xr-x   2 root  wheel   4096 Jun 21  2001 initrd
drwxr-xr-x   7 root  wheel   4096 Jan 29 22:21 lib
drwx------   2 root  wheel  16384 Jan 20 16:50 lost+found
drwxr-xr-x   2 root  wheel   4096 Apr  2  2002 misc
drwxr-xr-x   4 root  wheel   4096 Jan 20 23:07 mnt
drwxr-xr-x   2 root  wheel   4096 Aug 23  1999 opt
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 proc
drwxr-x---   3 root  wheel   4096 Jan 29 22:22 root
drwxr-xr-x   2 root  wheel   4096 Jan 29 22:22 sbin
drwxrwxrwt   5 root  wheel   4096 Jan 31 20:31 tmp
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 usr
drwxr-xr-x   2 root  wheel   4096 Jan 20 16:50 var
[Silence] /analisis/retov2#

First, we use mdconfig to create an md device pointing to our dd dumped image. The -a flag tells mdconfig that we want to attach a virtual disk to the system. With -t vnode we set the kind of md device we are creating; remember, vnode is a virtual disk associated with a file.

The flag -f hda1.dd is obvious, and the last one, -u 0, sets which device we will use, in this case /dev/md0.

At this point we have a configured md device pointing to the file called hda1.dd, and we can use mdconfig both to list all available md devices (mdconfig -l) and to get some info on one of them (mdconfig -l -u device).

As in Linux and OpenBSD, we can mount the md0 device as a normal disk and play with it. Take care that in order to mount ext2 filesystems on FreeBSD 5.x you need to load the ext2fs kernel module! When we are finished, we can unmount the device and detach the virtual disk from the system:

[Silence] /analisis/retov2# umount /mnt/hd/
[Silence] /analisis/retov2# mdconfig -d -u md0
[Silence] /analisis/retov2# mdconfig -l

[Silence] /analisis/retov2#
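As an added example (not code from the original page), here is a small Python tool that reads the primary ext2 superblock of a raw partition dump such as hda1.dd: before mounting you can confirm it really is ext2 (so -t ext2fs or the loop mount is the right call) and record its size, mount count and last-mount time, and hashing the whole file before and after the session shows that the read-only mount left the image untouched. The image returned by build_sample_image() is constructed sample data holding only a superblock sized like the dump above, not the author's real image.

```python
import hashlib
import struct

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # the primary ext2 superblock sits 1 KiB into the partition

def parse_ext2_superblock(image: bytes):
    """Return identifying fields from the primary ext2 superblock of a raw
    partition image, or None if the ext2 magic is not present."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        return None
    # Little-endian on-disk layout: 13 u32 fields (s_inodes_count .. s_wtime),
    # then s_mnt_count (u16), s_max_mnt_count (s16), s_magic (u16), s_state (u16)
    fields = struct.unpack_from("<13IHhHH", sb, 0)
    if fields[15] != EXT2_SUPER_MAGIC:
        return None
    block_size = 1024 << fields[6]          # s_log_block_size
    return {
        "block_size": block_size,
        "blocks_count": fields[1],
        "size_kib": fields[1] * block_size // 1024,
        "last_mount_time": fields[11],      # s_mtime, seconds since the epoch
        "mount_count": fields[13],
        "max_mount_count": fields[14],
        "state": "clean" if fields[16] == 1 else "errors/not cleanly unmounted",
        "volume_name": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
        "last_mounted": sb[136:200].split(b"\0", 1)[0].decode("ascii", "replace"),
    }

def fingerprint(image: bytes) -> str:
    """SHA-256 of the whole image; compare before and after the analysis session."""
    return hashlib.sha256(image).hexdigest()

def build_sample_image() -> bytes:
    """Constructed sample: a superblock only (no inode tables or data) describing
    a 1 KiB-block ext2 filesystem of 1020096 KiB, like the page's hda1.dd."""
    img = bytearray(SUPERBLOCK_OFFSET + 1024)
    head = struct.pack("<13IHhHH",
        255024, 1020096, 51004, 900000, 250000, 1, 0, 0, 8192, 8192, 2040,
        1107019200, 1107019200, 7, 20, EXT2_SUPER_MAGIC, 1)
    img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + len(head)] = head
    img[SUPERBLOCK_OFFSET + 120:SUPERBLOCK_OFFSET + 124] = b"hda1"
    img[SUPERBLOCK_OFFSET + 136:SUPERBLOCK_OFFSET + 137] = b"/"
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("sha256:", fingerprint(image))
    for key, value in parse_ext2_superblock(image).items():
        print(f"{key:>16}: {value}")
```

Against a real dump, parse_ext2_superblock(open("hda1.dd", "rb").read(2048)) is enough for the superblock; hash the full file with a streaming read rather than loading a multi-gigabyte image into memory.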

And that is all, that is all, that that that is all folks!