This situation might not affect everyone, but it struck me today and left me scratching my head. Consider a situation where you need to clone one drive to another with dd or when a hard drive is failing badly and you use dd_rescue to salvage whatever data you can.
Let’s say you cloned data from a drive using something like this:
|
1 |
# dd if=/dev/sda of=/mnt/nfs/backup/harddrive.img |
Once that’s finished, you should end up with your partition table as well as the grub data from the MBR in your image file. If you run file against the image file you made, you should see something like this:
|
1 2 3 4 |
# file harddrive.img harddrive.img: x86 boot sector; GRand Unified Bootloader, stage1 version 0x3, stage2 address 0x2000, stage2 segment 0x200, GRUB version 0.97; partition 1: ID=0x83, active, starthead 1, startsector 63, 33640047 sectors, code offset 0x48 |
What if you want to pull some files from this image without writing it out to another disk? Mounting it like a loop file isn’t going to work:
|
1 2 |
# mount harddrive /mnt/temp mount: you must specify the filesystem type |
The key is to mount the file with an offset specified. In the output from file, there is a particular portion of the output that will help you:
|
1 |
... startsector 63 ... |
This means that the filesystem itself starts on sector 63. You can also view this with fdisk -l:
|
1 2 3 |
# fdisk -l harddrive.img Device Boot Start End Blocks Id System harddrive.img * 63 33640109 16820023+ 83 Linux |
Since we need to scoot 63 sectors ahead, and each sector is 512 bytes long, we need to use an offset of 32,256 bytes. Fire up the mount command and you’ll be on your way:
|
1 2 3 |
# mount -o ro,loop,offset=32256 harddrive.img /mnt/loop # mount | grep harddrive.img /root/harddrive.img on /mnt/loop type ext3 (ro,loop=/dev/loop1,offset=32256) |
If you made this image under duress (due to a failing drive or other emergency), you might have to check and repair the filesystem first. Doing that is easy if you make a loop device:
|
1 2 |
# losetup --offset 32256 /dev/loop2 harddrive.img # fsck /dev/loop2 |
Once that’s complete, you can save some time and mount the loop device directly:
|
1 |
# mount /dev/loop2 /mnt/loop |
This blog has a compact guide to do this using kpart http://xme.im/mounting-partitions-stored-logical-volume-or-disk-image
This just elevated my forensics game :)
I’ve been using egrep to find text in captures, but it doesn’t (and can’t?) return the associated file name within the capture. I’ve mounted flash drive captures where the entire device is one partition, but multiple parts in a dd capture eluded me. Thank you sir!
Thank you for this post. It was quite helpful.
Glad to help! :)
Very useful information. Came in handy. Thanks
This is immensely useful. Thanks.
losetup –show -f -P test.img is the new way to go: http://stackoverflow.com/questions/1419489/loopback-mounting-individual-partitions-from-within-a-file-that-contains-a-parti || http://askubuntu.com/questions/69363/mount-single-partition-from-image-of-entire-disk-device || http://superuser.com/questions/117136/how-can-i-mount-a-partition-from-dd-created-image-of-a-block-device-e-g-hdd-u || http://unix.stackexchange.com/questions/9099/reading-a-filesystem-from-a-whole-disk-image
I cannot find the “startsector” with file command. And fdisk shows 4 partitions, one 80G and another 891G and its only a 8G flash usb memory! The dd_rescue gave me a file about 8G. Now how can I mount and fix this?
To be sure that dealing with 512-byte sectors, use
fdisk -b512 -linstead of simplefdisk -lI have been having trouble with a severely damaged 1TB drive. After running ddrescue for a week, the drive still has 25MB corrupt. I would like to mount the image (since I don’t have another drive large enough to write it) but following your instructions I get:
file recovery.img > data
fdisk -l recovery.img >
Disk ~/recovery.img: 1000.2 GB, 1000204885504 bytes
255 heads, 63 sectors/track, 121601 cylinders, total 1953525167 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk ~/recovery.img doesn’t contain a valid partition table
Does anyone have another way to get the start sector in order to mount it as a loop? I obviously need to repair the partition table but testdisk can’t see the image without mounting it anyway.
Thanks for the asisstance.
thanks a lot :) it gave me the possibility to mount a dd image of a sd card with several partitions ;)
recent versions of losetup have a parameter -P which automatically create a loop device with all partitions. so for the example in the article you could do:
# losetup -P /dev/loop2 harddrive.img
and then you could access the first partition on /dev/loop2p1, the second on /dev/loop2p2 and so on.
Thanks so much, this offset thing wasn’t working despite verifying that it was the same blocksize and everything
weird. had the same problem (gspilz)
I wrote disk image with on-fly arcivation.
dd if=/dev/sdXY | bzip2 -9 > img-file.bz2. Is there way to mount it without unpacking?I just wanted to say thanks for this write up. I used ddrescue (in reverse mode) to recover a 2TB drive that had failed. I was able to fdisk, fsck and mount the filesystem on the disk image that I was able to recover (about 99.5% of it). Getting access to the filesystems was the last step I needed and found your guide here.
There’s a couple of experimental fuse plugins on github for mounting partitions.
I’ve put one how here which will also mention the alternatives in the readme…
https://github.com/joeyhub/fuse-ptfs
Sorry for the self promotion :).
Thank u Sir. But i have some trouble.. no error on all steps but, the folder /mnt/
loop is empty… How should i do?
hi there, when mouse-over on code snippets the first line of code gets covered by the code container itself
cheers
Appreciate your detailed explanation.
But I went to kpartx method first, and I must admit it’s much easier to apply.
Besides iosetup command does not seem to work the same as yours under debian wheezy on armel device. Thats is a bit strange for me.
This just elevated my forensics game :)
I’ve been using egrep to find text in captures, but it doesn’t (and can’t?) return the associated file name within the capture. I’ve mounted flash drive captures where the entire device is one partition, but multiple parts in a dd capture eluded me. Thank you sir!
(Previously posted as a reply to someone’s comment. Apologies.)
Thanks for your explanation!
I have only one problem. If I try to mount a “not cleanly unmounted partition” it fails.
If I mount it with “noload” it works – but how can I repair such a partition? (FS is ext4)
# losetup -P /dev/loop3 backup_20170324.img
# ls -la /dev/loop3*
brw-rw—- 1 root disk 7, 3 Mär 24 12:40 /dev/loop3
brw-rw—- 1 root disk 259, 0 Mär 24 12:40 /dev/loop3p1
brw-rw—- 1 root disk 259, 1 Mär 24 12:40 /dev/loop3p2
#fsck /dev/loop3p2
fsck from util-linux 2.27.1
e2fsck 1.42.13 (17-May-2015)
fsck.ext4: Operation not permitted beim Versuch, /dev/loop3p2 zu öffnen
Sie benötigen r/w- oder root-Rechte für das Dateisystem.
But I am root!
I have a 1 TB disk, which is formatted with ext4, while installing Mapr, its giving error as it needs RAW non formatted Raw disk.
I have used following command on that disk
dd if=/dev/zero of=/dev/sdy bs=1M
will this command make it a raw disk, and how much time it generally takes for 1 TB of disk.
Thanks so much for the information. I was able to use it to mount a Windows 10 drive that I imaged when my motherboard died. You saved me a lot of time and effort.
Outstanding!
This guide helped me to extract /lib/arm-linux-gnueabihf/util-2.19.so from http://download.osmc.tv/installers/diskimages/OSMC_TGT_rbp1_20170615.img.gz. This file was essential for my raspberrypi mediasystem OSMC, and I want to thank you for writing this up. Great stuff!
best wishes,
Hans Ekbrand
Hi,
How to mount *.img file as a loop device, let’s say loop3 but permanently so after
every reboot loop3 is visible (eg, in File manager) and I don’t need to mount it manually every time computer starts?
My file is placed on a sda4 partition which is a different partition to where I installed debian9 (/).
This single file is 63 GBs large.
Please help.
regards,