Mount a .bin file in Linux

Help! I've created a .bin file of a Windows XP system using an X-Late HardCopy device (in image mode). I thought I could simply mount the image in Linux (I'm using Helix 0307) using:

# mount -o loop -t iso9660 image001.bin /media/test

but that doesn't work (mount: wrong fs type, bad option, bad superblock on /dev/loop1, missing codepage or other error).

Any ideas how I can mount a .bin image in Helix so I can investigate it? I can mount it in Autopsy, but I want the OS to see it.

-- rman666

On 2006-11-01 clint@... wrote:
> Help! I've created a .bin file of a Windows XP system using an X-Late
> HardCopy device (in image mode). I thought I could simply mount the
> image in Linux (I'm using Helix 0307) using:
>
> # mount -o loop -t iso9660 image001.bin /media/test
>
> but that doesn't work (mount: wrong fs type, bad option, bad
> superblock on /dev/loop1, missing codepage or other error).

The filesystem is probably NTFS rather than ISO 9660.

# mount -o loop -t ntfs image001.bin /media/test

Also be certain to have the appropriate codepage in your kernel.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

On Wed, 2006-11-01 at 18:10 +0000, clint@... wrote:
> Help! I've created a .bin file of a Windows XP system using an X-Late
> HardCopy device (in image mode). I thought I could simply mount the
> image in Linux (I'm using Helix 0307) using:

First, I'm not at *all* familiar with the device you used or with the
format of a ".bin" file.  I'm assuming it's a normal bit copy ("dd"
style).  If the device puts an proprietary crap in the image, then all
bets are off.  Having said that:

> # mount -o loop -t iso9660 image001.bin /media/test

1) If it's from a Windows XP system, then why is the fstype iso9660?

2) The loop driver is not partition aware.  If this is a whole disk
image, and not a partition image, then the mount command will not
work.  

Run mmls (or sfdisk -l -uS) on the image file to determine the start of
the partition you want to examine.  Pass an offset to loop to that
partition.  Normally, it's 63 sectors (*512 bytes/sector)

mount -t ntfs -o loop,offset=32256 image001.bin /media/test



--
/***************************************
Special Agent Barry J. Grundy
Resident Agent in Charge
NASA Office of Inspector General
Computer Crimes Division
Eastern Region
(301)286-3358 (w)r
(202)246-6497 (c)
**************************************/
! WARNING !  This email including any attachments is intended only for
authorized recipients.  Recipients may only forward this information as
authorized.  This email may contain non-public information that is "Law
Enforcement Sensitive," "Sensitive but Unclassified," or otherwise
subject to the Privacy Act and/or legal and other applicable privileges
that restrict release without appropriate legal authority and clearance.
Accordingly, the use, dissemination, distribution or reproduction of
this information to or by unauthorized or unintended recipients,
including but not limited to non-NASA recipients, may be unlawful.

On Wed, 1 Nov 2006 clint@... wrote:
I am not sure what is the type of the data in the image. If it is an
image of CD, then you can convert .bin+.cue to .iso and mount .iso
(if you do not have .cue you can easily create it).
Search for `bin cue iso' for more information.

If it is an image of a hard drive partition, then the file system is
not iso, so you may try mount to guess it or use some likely types.

If it is an image of whole hard drive, then you may try to mount the
image to a loop device (search for `losetup'), and inspect its
partition table with, say, cfdisk or sfdisk. Once you found offset of
the partition you want, you can put it on loop (-o offset in losetup)
and mount it.

--
Regards,
ASK

Hi

On Helix (tested on 1.8) try to use disktype first.
Like in your case:
# disktype image001.bin

This should give you a detailed report of partitions/filesystem within the
given image, provided it is a dd image.

Further explanations on:
 http://disktype.sourceforge.net/doc/


Oliver


____________
Virus checked by G DATA AntiVirusKit
Version: AVK 17.600 from 03.11.2006
Virus news: www.antiviruslab.com

Quoting clint@...:

If the image made was from a NTFS filesystem, you need to mount it as  
NTFS, not as iso9660. (CD-rom image.)
As this is from a Windows XP, the filesystem is likely NTFS.

Do to forensics, it also might be better to mount it as read-only.


Best regards,

Johan Braeken.

You may need to carve out the partions from the disk image.  See mmls and dd.

You can't mount a .bin image using the ISO9660 filesystem type.  I'm not
familiar with X-Late HardCopy -- can you create an ISO (.iso) image
instead of .bin?

If not, then you could convert the .bin file to an .iso file by using a
program like "bin2iso" or "bchunk".  After conversion, try mounting the
newly created .iso using the same command, except using the right file name:

mount -o loop -t iso9660 image001.iso /media/test

When in doubt, use a search engine!

Regards,
Paul


clint@... wrote:

  What type of 'file' does linux think this image is?

  $ file image001.bin
  *** Something interesting ***

  Also, I'm not very familiar with this X-Late Hardcopy software, but I'm
willing to be that it just dumps the whole disk, mbr, partition table and everything.

  If this is the case, I dont think you can access individual partition on this
drive via the linux loopback device. I've tried to do this using compact flash images before,
but I was never able to get at individual partitions.. What I ended up doing was
running 2 disk images in qemu. One just a big old chunk of Zeros written to a flat
file via dd, and the other the desired disk image. Boot to a linux command prompt
in Qemu.  then you should be able to mount / access the individual partitions contained
in the .bin image. Then you can copy the data off it using DD or good old 'cp -pdrvx'

  As a side note, you might want to make sure your linux kernel supports the windows
partition table layout, and that you have NTFS support built in as well..

-Erik

On 1 Nov 2006 18:10:21 -0000
clint@... wrote:

--

Erik Lat
System Engineer
Lextech Global Services

Alexander Klimov wrote:
>
> I am not sure what is the type of the data in the image. If it is an
> image of CD, then you can convert .bin+.cue to .iso and mount .iso
> (if you do not have .cue you can easily create it).
> Search for `bin cue iso' for more information.

Per,
http://forensics.marshall.edu/MISDE/Pubs-Hard/Hardcopy.pdf

This device creates a .bin file, which is presumably
a binary image and a .hdr file.  At the bottom of page 9,
the document above states:

"To convert the binary (.BIN) file created from image
mode, iti is recommended to use a software  extraction
program such as IsoBuster v.1.9, which will extract
the single .BIN file int a viewable structure."

Given the above, it seems likely that this file is
an ISO file.  It is surprising that a drive
imaging tool would copy the original file hierarchy
into an ISO file, however, the statement above
seems to imply this.

Thus, there is some reason to believe that the
.bin file can be (somehow) mounted as a CD (ISO)
image, as unusual as that might sound.

On Mon, 6 Nov 2006, Clint Laskowski wrote:
> This resulted  in a table of partitions which were correct.
>
> Now, I need to understand how to mount one of those partitions or copy
> it to a mountable partition file.

losetup -o partition-offset loop-device file

where partition-offset is what you get in the start column of sfdisk
multiplied by the unit size (sfdisk prints it out).

--
Regards,
ASK