
Creating Disk Image

December 11, 2015 | Article | No Comments

I remember creating one or two challenges for a local forensic competition in my community. Ideally the image should be created from a live hard drive or SD card. However, I’m not in a position to do that. The constraint I have is to create an image as small as possible so we can distribute it across any media. Therefore I create a “disk image” by myself.

In this article we will use:

  1. Slackware64 14.1
  2. dd
  3. fdisk

We will create a small disk image, 50MB in size. It can be an image of a single partition, or we can make it look like the image of a whole disk. Let’s say we will create “partition.img” and “disk.img”.

Creating a Blank Image

A disk image is exactly a single file. It is a storage container holding the complete contents and structure of a data storage medium or device, such as a hard drive, tape drive, optical disc, or USB flash drive. Creating a disk image is usually done by making a complete sector-by-sector copy of the source medium, thereby perfectly replicating the structure and contents of the storage device.

In our case, however, we are not copying a real disk. We create it, literally. What we will do is create an empty file of sufficient size before we do anything to it.

If you have experience with virtual machines and have ever created a disk image for a particular VM (for example, a VirtualBox VDI), you should know that that is a slightly different thing. Yes, it is still a disk image, but it carries extra metadata and various other things on top of the raw data.

Now, to create our blank disk image of size 50MB, we invoke the following command:

dd if=/dev/zero of=disk.img bs=512 count=97656

The dd utility is used with the following arguments:

  • if=/dev/zero, we specify the input as /dev/zero. This is a special node in Linux which produces zero bytes every time it is read.
  • of=disk.img, we specify that the output will be a file named disk.img.
  • bs=512, we set the block size to 512 bytes. Actually you can set the size to any convenient number. Anything will do, but I chose this number because it matches the sector size fdisk will assume later.
  • count=97656, we specify how many blocks we will write. So, in our case, we will have 97656 blocks, or 97656 × 512 bytes = 49999872 bytes, around 50MB. I got the number by calculating 50*1000*1000/512.

Creating partition.img is done in a similar manner.

Single Partitioned Disk Image

Having partition.img, we are ready to format the image with a certain file system. I want EXT4, so I use the following command:

mkfs.ext4 partition.img

The command will take partition.img and format it with the EXT4 file system.

In general, we are attempting to imitate a single partition. Later we can mount the partition with:

mount -o loop partition.img /mnt/partition

Now you can mount the partition and copy files to /mnt/partition; they will be written into our image file.

Multiple Partitioned Disk Image

In this section we will create a disk image with multiple partitions. In other words, we are trying to imitate a real disk.

The procedure is basically similar, but the image file must first be partitioned. So, more work is involved here.

In our case, we will create two partitions. The first partition will occupy 10MB. The rest will be allocated to the second partition.

fdisk disk.img

The fdisk utility is an interactive program and quite clear. You just need to choose the right option and enter the right numbers for the start and end of each partition. Before you proceed, make sure you print the current state (using option p). fdisk will display how many heads, sectors, and cylinders it recognized. It also prints the size of a sector.

Here is the specification we need:

Partition 1:
primary partition
First sector = 2048
Last sector = 22527

Partition 2:
primary partition
First sector = 22528
Last sector = 97655

If you see the number 97655 and wonder whether it has something to do with the count=97656 argument to dd, you are sharp! Since sectors are numbered from 0, it is truly the last sector of our disk image.

Now the formatting is a bit more complicated. In short, we have to set up a loop device that points at a partition inside our disk image, and then format that loop device. Two details matter here: the losetup offset is given in bytes, not sectors, so we multiply the first sector by the 512-byte sector size; and we pass --sizelimit so the loop device ends at the partition boundary, otherwise mkfs on /dev/loop0 would run all the way to the end of the file and wipe the space reserved for the second partition.

losetup -o 1048576 --sizelimit 10485760 /dev/loop0 disk.img   # partition 1: 2048 * 512, 20480 sectors
losetup -o 11534336 --sizelimit 38465536 /dev/loop1 disk.img  # partition 2: 22528 * 512, 75128 sectors

mkfs.ext4 /dev/loop0
mkfs.ext4 /dev/loop1

To mount our disk image, you can follow this article: Mounting Partition from Raw Disk Image on Linux

For those who are not patient enough, here’s how we mount both partitions:

mount -o loop,offset=1048576 disk.img /mnt/disk1

mount -o loop,offset=11534336 disk.img /mnt/disk2
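As an added example (not part of the original article), the following Python script turns the fdisk sector specification above plus the dd block count into the byte offsets and size limits that losetup and mount expect, and refuses a layout whose partitions overlap the MBR, overlap each other, or run past the end of the image. The losetup/mount command strings it renders assume loop devices /dev/loop0 and /dev/loop1 and mount points under /mnt; nothing here touches a real device.

```python
# Added example (not from the original article): turn the fdisk sector
# specification and the dd block count into the byte values losetup/mount need.
SECTOR_SIZE = 512  # assumption: 512-byte sectors, as fdisk reports for this image


def image_size_bytes(count, bs=SECTOR_SIZE):
    """Size of the file produced by `dd if=/dev/zero bs=<bs> count=<count>`."""
    return count * bs


def plan_partitions(total_sectors, partitions, sector_size=SECTOR_SIZE):
    """Check a partition layout and compute loop-device parameters for it.

    partitions: list of (first_sector, last_sector) pairs, as typed into fdisk.
    Returns one dict per partition; raises ValueError if a partition would
    overlap the MBR, overlap its predecessor, or run past the end of the image.
    """
    plans = []
    prev_last = 0  # sector 0 holds the MBR, so the first partition must start after it
    for number, (first, last) in enumerate(partitions, start=1):
        if first <= prev_last:
            raise ValueError(f"partition {number}: first sector {first} overlaps "
                             f"the MBR or the previous partition (last sector {prev_last})")
        if last < first:
            raise ValueError(f"partition {number}: last sector {last} precedes first sector {first}")
        if last >= total_sectors:
            raise ValueError(f"partition {number}: last sector {last} is beyond the image "
                             f"(sectors 0..{total_sectors - 1})")
        sectors = last - first + 1
        plans.append({
            "number": number,
            "first_sector": first,
            "sectors": sectors,
            "offset": first * sector_size,       # losetup -o / mount offset= take bytes
            "sizelimit": sectors * sector_size,  # keeps mkfs from writing past the partition
        })
        prev_last = last
    return plans


def layout_is_valid(total_sectors, partitions):
    """True if plan_partitions() accepts the layout, False otherwise."""
    try:
        plan_partitions(total_sectors, partitions)
        return True
    except ValueError:
        return False


def shell_commands(image, plans, mount_root="/mnt"):
    """Render losetup/mkfs/mount lines per partition (assumed loop devices and mount points)."""
    lines = []
    for p in plans:
        dev = f"/dev/loop{p['number'] - 1}"
        lines.append(f"losetup -o {p['offset']} --sizelimit {p['sizelimit']} {dev} {image}")
        lines.append(f"mkfs.ext4 {dev}")
        lines.append(f"mount -o loop,offset={p['offset']},sizelimit={p['sizelimit']} "
                     f"{image} {mount_root}/disk{p['number']}")
    return lines


# The layout from the article: 97656 sectors, a 10 MiB first partition, the rest second.
DD_COUNT = 97656
LAYOUT = [(2048, 22527), (22528, 97655)]

if __name__ == "__main__":
    print(f"image size: {image_size_bytes(DD_COUNT)} bytes")
    for line in shell_commands("disk.img", plan_partitions(DD_COUNT, LAYOUT)):
        print(line)
```

Running it prints the exact losetup and mount lines used above; the size-limit check is the part that saves you from a mkfs that silently overruns into the next partition.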

Mounting Partition from Raw Disk Image on Linux

December 11, 2015 | Article | No Comments

In Linux/Unix, or perhaps in every computer system, the term mounting is defined as attaching an additional filesystem to the currently accessible filesystem of a computer. As we know, a filesystem is a hierarchy of directories (also referred to as a directory tree) that is used to organize files on a computer or storage medium.

We may be familiar with, or at least remember, how to mount a partition. But that is when the partition is on a storage medium or physical device. What if the partition we want to access is inside a disk image? Here, we will discuss it.

In this article I use:

  1. Slackware64 14.0
  2. an image dumped from a 4GB SD card using dd

The Theory

Disk Image

A disk image is a single file or storage device containing the complete contents and structure of a data storage medium or device, such as a hard drive, tape drive, floppy disk, optical disc, or USB flash drive. A disk image is usually created by making a complete sector-by-sector copy of the source medium, thereby perfectly replicating the structure and contents of the storage device.

In Linux, we can create a disk image using the dd utility. Assuming we want to create a disk image of an SD card recognized as /dev/sdb and save it as MyDiskImage.img:

dd if=/dev/sdb of=MyDiskImage.img

Partition and Partition Table

As said, a disk image is a perfect copy of a storage medium. Therefore we get the very same bits of the partitions and the partition table. Nothing is modified unless you alter it. Therefore, we can still read the partition table just as we do on a physical storage medium.

We can use fdisk to see the partition table of a disk image:

fdisk MyDiskImage.img

Loopback Device

We know that Linux and Unix expose all recognized devices as device nodes. They are treated like ordinary files and stored under /dev, like /dev/sda for the first SCSI storage device we have. However, not many of us know some of the pseudo-devices in this directory. One of them is the loop device, /dev/loop*.

This is the special node that we will use for mounting an image.

How to Mount

There are some steps we have to follow to mount a partition inside a disk image.

Know the Offset

We have to know the offset of the partition. Ideally we know where the partition starts and where it ends, although we only need the offset of the beginning of the partition. To find it, we can use fdisk to peek at the partition table. For example:

fdisk MyDiskImage.img

Here’s what my partition table looks like.

Disk MyDiskImage.img: 691 MB, 691798016 bytes
255 heads, 63 sectors/track, 84 cylinders, total 1351168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0002c262

                         Device Boot      Start         End      Blocks   Id  System
2013-09-25-wheezy-raspbian.img1            8192      122879       57344    c  W95 FAT32 (LBA)
2013-09-25-wheezy-raspbian.img2          122880     5785599     2831360   83  Linux

What we want to know is the offset in bytes. However, fdisk tells us about sectors. Fortunately we can convert the offset in sectors to bytes by multiplying it by the sector size. In our case, one sector is 512 bytes.

Let’s say we want to mount partition 2, which is ext4. We calculate the offset for this partition:

122880 * 512 = 62914560

Save this value.

Mount It!

Now the actual mounting. The mounting process is similar to when we mount a normal partition. However, this time we use a loopback device and one argument we have never used before, “offset”. Basically, offset tells the mount utility to skip that many bytes from the start of the file before it looks for the filesystem.

Here is how we do it:

mount -o loop,offset=62914560 MyDiskImage.img /mnt/mount_point

Here we mount partition 2, which is located 62914560 bytes after the beginning of the file. The partition should be mounted at our mount point (/mnt/mount_point). Unless you have an unknown filesystem, this command shouldn’t fail.
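Added example, not from the original article: the offset arithmetic above, done by reading the MBR partition table directly from sector 0 of the image instead of transcribing fdisk’s output, followed by a cheap sanity check that an ext superblock really sits at the computed offset before we try to mount. The sector 0 used here is constructed to match the fdisk listing above (the LBA start values and the sizes implied by the End column); the byte positions of the ext superblock (1024 bytes into the partition, magic 0xEF53 at offset 0x38 within it) are the standard ext2/3/4 layout.

```python
# Added example (not from the original article): read the MBR partition table
# from sector 0 of a raw image, derive mount offsets, and sanity-check for ext.
import struct

SECTOR_SIZE = 512             # assumption: 512-byte logical sectors, as fdisk reported
MBR_TABLE_OFFSET = 446        # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at bytes 510-511
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA size
EXT_SUPERBLOCK_OFFSET = 1024  # ext2/3/4 superblock begins 1024 bytes into the partition
EXT_MAGIC_OFFSET = 0x38       # s_magic field inside the superblock
EXT_MAGIC = 0xEF53


def has_mbr_signature(sector0):
    """True if sector 0 carries the 0x55AA boot signature an MBR must end with."""
    return len(sector0) >= 512 and bytes(sector0[510:512]) == MBR_SIGNATURE


def parse_mbr(sector0, sector_size=SECTOR_SIZE):
    """Return the non-empty primary partition entries of an MBR as dicts."""
    if not has_mbr_signature(sector0):
        raise ValueError("sector 0 has no 0x55AA boot signature; not an MBR image")
    parts = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(ENTRY_FORMAT, sector0, MBR_TABLE_OFFSET + 16 * i)
        if ptype == 0 or size == 0:
            continue  # unused slot
        parts.append({
            "number": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start": start,                        # fdisk's Start column (sectors)
            "end": start + size - 1,               # fdisk's End column
            "blocks": size * sector_size // 1024,  # fdisk's Blocks column is in 1 KiB units
            "offset": start * sector_size,         # value for mount -o loop,offset=
            "sizelimit": size * sector_size,
        })
    return parts


def looks_like_ext(image, byte_offset):
    """True if an ext2/3/4 superblock magic sits where a partition at byte_offset would keep it."""
    pos = byte_offset + EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET
    if pos + 2 > len(image):
        return False
    return struct.unpack_from("<H", image, pos)[0] == EXT_MAGIC


def build_mbr(entries):
    """Construct a sector 0 for testing from (type, start, size) tuples; not a real disk dump."""
    sector = bytearray(512)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, MBR_TABLE_OFFSET + 16 * i, 0x00, ptype, start, size)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed to match the fdisk listing in the article: FAT32 (LBA) at sector 8192,
# Linux at sector 122880 (sizes derived from the End column: end - start + 1).
SAMPLE_MBR = build_mbr([(0x0C, 8192, 114688), (0x83, 122880, 5662720)])


def sample_image():
    """A tiny constructed 2 MiB image: MBR plus one partition at sector 2048 carrying an ext magic."""
    img = bytearray(2 * 1024 * 1024)
    img[:512] = build_mbr([(0x83, 2048, 2048)])
    struct.pack_into("<H", img, 2048 * SECTOR_SIZE + EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, EXT_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"partition {p['number']}: type 0x{p['type']:02x} start {p['start']} "
              f"end {p['end']} -> mount -o loop,offset={p['offset']}")
    img = sample_image()
    print("ext magic at partition 1:", looks_like_ext(img, parse_mbr(img[:512])[0]["offset"]))
```

On a real dump you would pass the first 512 bytes of the file to parse_mbr and the whole file (or an mmap of it) to looks_like_ext; a missing magic at the computed offset is the usual sign of a wrong sector size or a GPT disk whose protective MBR describes only one placeholder partition.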

Basic Storage and Dynamic Storage in Windows

December 11, 2015 | Article | No Comments

From Windows 2000 onwards, Microsoft introduced the concept of dynamic disks. The counterpart, the basic disk, has been used since the era of DOS. Both have their advantages and disadvantages.

In this article we will discuss both disk concepts. Our explanation will be as general as possible; in fact there are no instructions for a specific platform.

Overview

Basic Disk

A basic disk uses a partition table, stored in the first sector of the disk, to manage all partitions on the disk. It is supported by DOS and all Windows versions. A disk with an installed OS is by default initialized as a basic one. A basic disk contains basic volumes, such as primary partitions and an extended partition; all logical partitions are contained in the extended partition.

Basic disks provide a simple storage solution that can accommodate a useful array of changing storage requirement scenarios. Basic disks also support clustered disks, IEEE 1394 disks, and USB removable drives.

Basic disks also use the same Master Boot Record (MBR) partition style as the disks used by the Microsoft MS-DOS operating system. They can also support GUID Partition Table (GPT) partitions on systems that support it.

The following operations can be performed only on basic disks:

  • Create and delete primary and extended partitions.
  • Create and delete logical drives within an extended partition.
  • Format a partition and mark it as active.

Dynamic Disk

Dynamic disks are supported in Windows 2000 and later operating systems. Dynamic disks do not use a partition table to track all partitions, but use a hidden database (the LDM database) to track information about the dynamic volumes, or dynamic partitions, on the disk. With dynamic disks we can create volumes that span multiple disks, such as spanned and striped volumes, and we can also create fault-tolerant volumes such as mirrored volumes and RAID-5 volumes. Compared to a basic disk, a dynamic disk offers greater flexibility.

What is the LDM database? The LDM (Logical Disk Manager) database is a hidden database, 1 MB in size, at the end of a dynamic disk. This space records all the information about the volumes on a single disk, and also holds some related information about every other dynamic disk. The information includes the drive letter, volume label, beginning sector of the volume, volume size, and the file system of the volume.

If there are several dynamic disks in a computer, they are all interrelated and each holds the information mentioned above. Because of this relationship, we will see a “Missing” disk in Windows Disk Management if we remove a dynamic disk from the system. All of this is saved in the LDM database, so the LDM database is as important to a dynamic disk as the partition table is to a basic disk.

Clearly, we can illustrate the dynamic disk as follows:

[Figure: dynamic-disk layout]

The blue area at the beginning of the dynamic disk is the MBR, which holds the partition table information for the disk. However, this partition table is not the same as the one on a basic disk. Its main function is to let Windows and other disk managers know that the disk is a dynamic disk instead of an empty disk. The red area at the end of the disk is the LDM database.

If you are familiar with Linux, the dynamic disk system is similar to the Logical Volume Manager (LVM).

The following operations can be performed only on dynamic disks:

  • Create and delete simple, spanned, striped, mirrored, and RAID-5 volumes.
  • Extend a simple or spanned volume.
  • Remove a mirror from a mirrored volume or break the mirrored volume into two volumes.
  • Repair mirrored or RAID-5 volumes.
  • Reactivate a missing or offline disk.

Differences

  1. Capacity – Once a partition is created on a basic disk, its capacity cannot be changed unless we modify the partition table (using gpart, fdisk, or similar software). A dynamic disk, however, can expand the capacity of volumes without data loss.
  2. Disk space limitation – On a basic disk, the maximum capacity of a partition (volume) is limited to 2 TB. Dynamic disks can handle large partitions of more than 2 TB.
  3. Number of partitions – A basic disk uses the primitive MBR disk layout, so it supports only 4 primary partitions. At best, it uses 3 primary partitions and the last primary slot as an extended partition. On dynamic disks, an unlimited number of volumes can be created.
  4. Volume types – Basic disks can only create primary or logical partitions. Dynamic disks can create simple, spanned, striped, mirrored, and RAID-5 volumes (software-based RAID).

Similarity

  1. Supported file systems – Basic disks and dynamic disks both support the FAT, FAT32, and NTFS file systems.
  2. Have a partition table – Dynamic disks have a partition table too; however, this partition table is different from that of basic disks. Its main function is to let Windows and other partition managers know that the disk is a dynamic disk instead of an empty disk.
  3. Label and drive letter – On both basic disks and dynamic disks, every partition (volume) can be assigned a unique drive letter (from the operating system’s perspective), such as “System C:”.
  4. Disk layouts supported – Both basic disks and dynamic disks support the MBR and GPT partition styles.

Volume on Dynamic Disk

On a dynamic disk, volumes are divided into several categories: simple, spanned, striped, mirrored, and RAID-5 volumes. They have a drive letter and a volume label to differentiate them.

Simple Volume

A simple volume can only be created on a single disk. This volume is similar to a partition of a basic disk, but its space need not be contiguous.

Spanned Volume

It is created from free space that is linked together from multiple disks (up to 32 disks). Data is written to a spanned volume by filling the space on the first disk completely before moving on to the next dynamic disk. A spanned volume allows fragmentary free space on multiple disks to be recomposed as one volume, so it can fully utilize the resources of multiple disks. However, it cannot be fault-tolerant and cannot improve disk performance.

Striped Volume

It is similar to a spanned volume and consists of two or more disks. The difference is that it can improve disk efficiency and performance, because when the operating system writes data to a striped volume, the data is split into pieces of 64KB and a different piece is written concurrently to each disk. A striped volume cannot be mirrored or extended and is not fault-tolerant.

Mirrored Volume

We can simply understand a mirrored volume as a duplicate of a simple volume. It needs two disks; one stores the data that is being used, and the other keeps a copy of it. When one disk fails, the other can be used immediately.

RAID-5 Volume

A RAID-5 volume requires at least three disks; it not only enhances disk efficiency but also provides the best fault tolerance. You could simply consider RAID-5 a combination of striped and mirrored volumes. A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on the failed disk can be recreated from the remaining data and the parity.
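As an added illustration (not part of the original article, and not how Windows itself implements these volumes), the following Python models the two mechanisms described above: data split into 64KB chunks and written across several disks (the striped volume), and one XOR parity chunk per stripe rotated across the disks (RAID-5), then rebuilds a failed disk from the survivors. The sample payload and the in-memory “disks” are constructed for the demonstration.

```python
# Added illustration (not from the original article, and not Windows' own
# implementation): striping in 64KB chunks with one XOR parity chunk per stripe.
CHUNK = 64 * 1024  # the stripe unit the article quotes for striped volumes


def xor_bytes(blocks):
    """XOR equal-length byte strings together; this is the RAID-5 parity function."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def parity_disk_for(stripe, ndisks):
    """Rotate the parity chunk across disks so no single disk absorbs every parity write."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks, chunk=CHUNK):
    """Lay data out over ndisks in-memory disks (lists of chunks) with rotating parity."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    per_stripe = ndisks - 1  # data chunks per stripe; the remaining chunk is parity
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if chunks and len(chunks[-1]) < chunk:
        chunks[-1] = chunks[-1].ljust(chunk, b"\0")  # pad the tail chunk to full size
    while len(chunks) % per_stripe:
        chunks.append(bytes(chunk))                 # pad the final stripe with empty chunks
    disks = [[] for _ in range(ndisks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        pdisk = parity_disk_for(s, ndisks)
        parity = xor_bytes(stripe)
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(data_iter))
    return disks


def raid5_read(disks, length):
    """Reassemble the original bytes by visiting each stripe's data chunks in disk order."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Recreate every chunk of the failed disk: XOR of the surviving chunks in each stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def usable_fraction(ndisks):
    """Share of raw capacity left for data after parity (one chunk per stripe)."""
    return (ndisks - 1) / ndisks


# Constructed sample payload of about 250 KB, so it spans several stripes.
SAMPLE_DATA = bytes(range(256)) * 1000

if __name__ == "__main__":
    disks = raid5_write(SAMPLE_DATA, 3)
    print("stripes per disk:", len(disks[0]))
    disks[1] = None                      # simulate losing disk 1 entirely
    disks[1] = raid5_rebuild(disks, 1)   # rebuild it from disks 0 and 2
    print("data intact after rebuild:", raid5_read(disks, len(SAMPLE_DATA)) == SAMPLE_DATA)
```

The same XOR that produces the parity chunk recovers any single missing chunk in a stripe, which is why one failed disk is survivable and two are not; usable_fraction shows the capacity cost of that protection (two thirds of raw space with three disks).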
