I remember creating one or two challenges for a local forensic competition in my community. Ideally the image should be created from a live hard drive or SD card. However, I am not in a position to do that. The constraint I have is to keep the image as small as possible so we can distribute it on any media. Therefore I create a "disk image" myself.
In this article we will use:
- Slackware64 14.1
We will create a small disk image, 50MB in size. It can be the image of a single partition, or we can make it look like the image of a whole disk. Let's say we will create "partition.img" and "disk.img".
Creating a Blank Image
A disk image is exactly one file. It is a container holding the complete contents and structure of a storage device, such as a hard drive, tape drive, optical disc, or USB flash drive. Creating a disk image is usually done by making a complete sector-by-sector copy of the source medium, thereby perfectly replicating the structure and contents of the storage device.
In our case, however, we are not copying a real disk. We create it, literally. What we will do is create an empty file of sufficient size before we do anything else to it.
If you have experience with virtual machines and have ever created a disk image for a particular VM (for example, a VirtualBox VDI), you should know that that is a slightly different thing. Yes, it is still a disk image, but it carries extra metadata and various other things on top of the raw sectors. What we build here is a raw image: nothing but the sectors themselves, which is also what forensic tools expect.
Now, to create our blank disk image of size 50MB, we invoke following command:
dd if=/dev/zero of=disk.img bs=512 count=97656
The dd utility is used with the following arguments:
- if=/dev/zero, we specify /dev/zero as the input. This is a special device node in Linux which produces zero bytes every time it is read.
- of=disk.img, we specify that the output will be a file named disk.img.
- bs=512, we set the block size to 512 bytes. You can set the size to any convenient number; anything will do, but 512 matches the sector size fdisk will assume later, which keeps the arithmetic simple.
- count=97656, we specify how many blocks to write. So, in our case, we will have 97656 blocks, or 97656 x 512 bytes = 49999872 bytes, around 50MB (decimal; about 47.7 MiB). I got the number by calculating 50*1000*1000/512 and dropping the fraction.
Creating partition.img is done in the same manner, just with a different of= name.
Single Partitioned Disk Image
Having partition.img, we are ready to format the image with a file system. I want EXT4, so I format it with mkfs.ext4, giving partition.img as the device argument.
The command takes partition.img and writes an EXT4 file system into it. Because the target is a regular file and not a block device, mke2fs may ask whether to proceed anyway; answer yes, or pass -F to skip the question. No root privileges are needed for this step.
In general, we are imitating a single partition. Later we can mount it with:
mount -o loop partition.img /mnt/partition
The mount point /mnt/partition must exist before you mount (create it with mkdir), and mounting requires root. Once mounted, files copied to /mnt/partition are written into the image file. Unmount it before you distribute the image, otherwise the file system inside may be left inconsistent.
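Here is the single-partition procedure end to end as one script. This is an added example, not code from the original post: the -F and -q flags, the file(1) and dumpe2fs checks, and the sample file written into the image are my additions, and partition.img and /mnt/partition are assumed paths. Everything except the mount step runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the original post: the single-partition
# procedure end to end. partition.img, /mnt/partition and the sample file
# written into the image are constructed for illustration.
set -e

# 512-byte blocks needed for a decimal-megabyte size: 50 -> 97656, the
# count= value used above (integer division drops the .25).
image_blocks() { echo $(( $1 * 1000 * 1000 / 512 )); }

# Zero-filled image file of the requested size in MB.
make_blank_image() {    # $1 image  $2 size in MB
    dd if=/dev/zero of="$1" bs=512 count="$(image_blocks "$2")"
}

# Write an ext4 file system into the file. -F stops mke2fs from asking
# whether to proceed on something that is not a block device. No root needed.
format_image() { mkfs.ext4 -F -q "$1"; }

# Unprivileged checks: file(1) must recognise the ext4 superblock and
# dumpe2fs must read a sane header. With set -e, a failed grep aborts.
verify_image() {
    file "$1" | grep -q 'ext4 filesystem'
    dumpe2fs -h "$1" 2>/dev/null | grep -E '^(Filesystem UUID|Block size|Block count):'
}

# Mount it, drop a constructed sample file in, and unmount so the on-disk
# state is consistent before the image is distributed. Needs root.
populate_image() {      # $1 image  $2 mount point
    mkdir -p "$2"
    mount -o loop "$1" "$2"
    printf 'constructed sample evidence file\n' > "$2/readme.txt"
    umount "$2"
}

# Usage: sh make_partition.sh partition.img
if [ $# -ge 1 ]; then
    make_blank_image "$1" 50
    format_image "$1"
    verify_image "$1"
    populate_image "$1" /mnt/partition
fi
```

Run it as root with the image path as the only argument. If you only want the formatted, empty image, stop after verify_image; the umount in populate_image is what guarantees that the journal and bitmaps on disk match what the guest sees, so never hand out an image that is still mounted.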
Multiple Partitioned Disk Image
In this section we will create a disk image with multiple partitions. In other words, we are trying to imitate a real disk.
The procedure is basically similar, but the image file must first be partitioned, so there is more work involved.
In our case we will create two partitions. The first partition will occupy 10MB; the rest is allocated to the second partition.
The fdisk utility is interactive and quite clear; run it against disk.img (a regular file is fine, and this step needs no root). You just need to choose the right option and enter the right start and end sectors for each partition. Before you proceed, print the current state (option p). fdisk will display how many heads, sectors and cylinders it assumes for the image, and also the sector size, 512 bytes here; the sector numbers below depend on that sector size.
Here is what specification we need:
Partition 1: primary partition, first sector = 2048, last sector = 22527 (20480 sectors = 10485760 bytes = 10 MiB)
Partition 2: primary partition, first sector = 22528, last sector = 97655 (75128 sectors, everything that is left)
If you see the number 97655 and wonder whether it has something to do with the count=97656 argument to dd, you are sharp! Sectors are numbered from 0, so sector 97655 is truly the last sector of our disk image. Sector 2048 is fdisk's default first sector: it leaves 1 MiB in front of the first partition for the MBR and keeps the partitions 1 MiB aligned.
Now the formatting is a bit more complicated. In short, we have to set up a loopback device that points at each partition inside our disk image and then format that device. Two things matter here. First, losetup's -o (offset) is given in bytes, not sectors, so the sector numbers from fdisk must be multiplied by the 512-byte sector size. Second, without --sizelimit the loop device runs to the end of the image, so mkfs.ext4 on /dev/loop0 would write a file system that spans partition 2 as well. Bounding each device to its own partition avoids that:
losetup -o 1048576 --sizelimit 10485760 /dev/loop0 disk.img
losetup -o 11534336 --sizelimit 38465536 /dev/loop1 disk.img
mkfs.ext4 /dev/loop0
mkfs.ext4 /dev/loop1
Detach the devices afterwards with losetup -d /dev/loop0 and losetup -d /dev/loop1. Newer util-linux can also read the partition table for you: losetup -P /dev/loop0 disk.img exposes /dev/loop0p1 and /dev/loop0p2, which saves the offset arithmetic.
To mount our disk image, you can follow this article: Mounting Partition from Raw Disk Image on Linux
For those who are not patient enough, here is how we mount both partitions. The mount points must exist, the offsets are again sector x 512 bytes, and sizelimit bounds each mount to its own partition:
mount -o loop,offset=1048576,sizelimit=10485760 disk.img /mnt/disk1
mount -o loop,offset=11534336,sizelimit=38465536 disk.img /mnt/disk2