Mounting a restored image
Mount the restored (cloned) working copy and view the contents. Remember, we are assuming this is a DOS formatted disk from a Win 98/95 machine.
mount -t vfat -o ro,noexec /dev/fd0 /mnt/analysis
This will mount your working copy (the new floppy you created from the forensic image) on “/mnt/analysis”. The “-o ro,noexec” specifies the options ro (read-only) and noexec (prevents the execution of binaries from the mount point) in order to protect the disk from you, and your system (and mount point) from the contents of the disk. There are other useful mount options as well, such as noatime. See the man page for more details.
Now cd to the mount point (/mnt/analysis) and browse the contents. Be sure to unmount the disk when you finish.
umount /mnt/analysis
Mounting the image using the loopback device
Another way to view the contents of the image without having to restore it to another disk is to mount using the _loop_ interface. Basically, this allows you to “mount” a file system within an image file (instead of a disk) to a mount point and browse the contents. Your Linux kernel must have _loop_ either compiled as a module or compiled into the kernel for this to work.
We use the same mount command and the same options, but this time we include the option “loop” to indicate that we want to use the _loop_ device to mount the file system within the image file, and we specify a disk (partition) image rather than a disk device. Change to the directory where you created the image and type:
mount -t vfat -o ro,noexec,loop image.disk1 /mnt/analysis
Now you can change to _/mnt/analysis_ and browse the image as if it were a mounted disk! Use the mount command by itself to double check the mounted options. When you are finished browsing, unmount the image file.
umount /mnt/analysis
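The double check of the mounted options described above can be scripted; the following is an added example, not part of the original guide, that reads a mount table in /proc/mounts format and reports whether a mount point carries both ro and noexec. The function names (missing_mount_opts, sample_mounts) and the sample table lines are constructed for illustration, and the check matches whole comma-separated options so that a value such as errors=remount-ro is not mistaken for ro.

```sh
#!/bin/sh
# Added example: confirm an analysis mount point is mounted ro,noexec.
# Input format is that of /proc/mounts:
#   device mountpoint fstype options dump pass

# Constructed sample table (not real output): one safe mount, one unsafe mount.
sample_mounts() {
    cat <<'EOF'
/dev/loop0 /mnt/analysis vfat ro,noexec,relatime,fmask=0022,errors=remount-ro 0 0
/dev/loop1 /mnt/bad vfat rw,relatime,fmask=0022,errors=remount-ro 0 0
EOF
}

# missing_mount_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the required options that are absent (prints nothing if none are).
# Returns 0 if all are present, 1 if any is missing, 2 if nothing is mounted there.
missing_mount_opts() {
    mp=$1
    table=${2:-/proc/mounts}
    required="ro noexec"
    # The last matching line wins: a later mount on the same point shadows earlier ones.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    [ -n "$opts" ] || return 2
    missing=""
    for want in $required; do
        # Wrap in commas so only a whole option matches, never a substring.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "${missing# }"
    return 1
}

# Stand-alone use: sh thisfile /mnt/analysis
if [ $# -gt 0 ]; then
    missing_mount_opts "$@"
fi
```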