I’d like to build a little further on the SANS forensics blog post on carving partition images. In other words: I want to do it too, hopefully complementing their post. I’ve also combined it with some useful lectures from my master’s track.

So you get a disk image: a raw image of a whole hard drive, acquired in a forensic investigation. What do you do with it? You might attempt to mount it, but that won’t work directly, since the image contains the partition table and several partitions rather than a single filesystem.

The answer is carving the interesting partitions from the image.

For this you’ll need:

  • Sleuthkit (mmls, fls)
  • dcfldd (or dd if you like to do it yourself)

Let’s start by getting the disk layout, using the Sleuthkit media management list tool, mmls.

$ mmls image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0000690794 0000690732 Linux (0x83)
03: Meta 0000690795 0016771859 0016081065 DOS Extended (0x05)
04: Meta 0000690795 0000690795 0000000001 Extended Table (#1)
05: ----- 0000690795 0000690857 0000000063 Unallocated
06: 01:00 0000690858 0006602714 0005911857 Linux (0x83)
07: Meta 0006602715 0009446219 0002843505 DOS Extended (0x05)
08: Meta 0006602715 0006602715 0000000001 Extended Table (#2)
09: ----- 0006602715 0006602777 0000000063 Unallocated
10: 02:00 0006602778 0009446219 0002843442 Linux (0x83)
11: Meta 0009446220 0010426184 0000979965 DOS Extended (0x05)
12: Meta 0009446220 0009446220 0000000001 Extended Table (#3)
13: ----- 0009446220 0009446282 0000000063 Unallocated
14: 03:00 0009446283 0010426184 0000979902 Linux Swap / Solaris x86 (0x82)
15: Meta 0010426185 0010940264 0000514080 DOS Extended (0x05)
16: Meta 0010426185 0010426185 0000000001 Extended Table (#4)
17: ----- 0010426185 0010426247 0000000063 Unallocated
18: 04:00 0010426248 0010940264 0000514017 Linux (0x83)
19: Meta 0010940265 0016771859 0005831595 DOS Extended (0x05)
20: Meta 0010940265 0010940265 0000000001 Extended Table (#5)
21: ----- 0010940265 0010940327 0000000063 Unallocated
22: 05:00 0010940328 0016771859 0005831532 Linux (0x83)
23: ----- 0016771860 0016777215 0000005356 Unallocated

We see that there are five Linux partitions in the disk image, plus a swap partition. The DOS Extended entries are containers for the logical partitions, not filesystems, so they are not what we carve.

First we’ll list the file structure of the probable root partition to get an overview of the system. We are looking for fstab, which gives us an easy way to see the partition layout of the system. The root filesystem is normally found at sector 63 (the first Linux partition in the listing above), but we’ll verify it by using the filename layer tool fls (filename list), pointing it at that sector offset.

$ fls -o 63 image.dd

This gives us what we want (a Linux root tree with /etc in it), so we can carve that partition using dcfldd. The skip value is the partition’s start sector and the count its length in sectors, both taken straight from the mmls listing (slot 02: start 63, length 690732); the hashes let us later show the carved file matches the original region.

$ dcfldd if=image.dd of=p.img hash=md5,sha256 hashlog=partition.p.hashlog bs=512 skip=63 count=690732

Now I’ll assume you know how to mount the image. You will find the partition layout in the same file that the system itself uses:

/etc/fstab

This shows that the home directory is on a separate partition. A bit of fls-ing on the remaining Linux partitions leads us to extract the following part of the image (slot 22 in the listing):

$ dcfldd if=image.dd of=image.home.img hash=md5,sha256 hashlog=image.p.hashlog bs=512 skip=10940328 count=5831532

Mounting it brings joy, and the home directories.
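The whole procedure above (read the mmls table, skip the Meta and Unallocated rows, turn each volume’s start and length into dcfldd skip and count) as an added Python example; it is not code from the original post or from The Sleuth Kit. The embedded listing is a constructed excerpt of the table above, and the image name and the output naming scheme are assumptions.

```python
import re

# Constructed sample: selected rows of the mmls listing from this post.
MMLS_OUTPUT = """\
Units are in 512-byte sectors
Slot Start End Length Description
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0000690794 0000690732 Linux (0x83)
03: Meta 0000690795 0016771859 0016081065 DOS Extended (0x05)
06: 01:00 0000690858 0006602714 0005911857 Linux (0x83)
14: 03:00 0009446283 0010426184 0000979902 Linux Swap / Solaris x86 (0x82)
22: 05:00 0010940328 0016771859 0005831532 Linux (0x83)
"""
ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return (sector_size, volumes). Meta rows (partition tables, DOS Extended
    containers) and unallocated gaps are skipped: they hold no filesystem."""
    m = re.search(r"Units are in (\d+)-byte sectors", text)
    sector_size = int(m.group(1)) if m else 512
    volumes = []
    for line in text.splitlines():
        mm = ROW.match(line.strip())
        if not mm:
            continue
        slot, kind, start, end, length, desc = mm.groups()
        if kind in ("Meta", "-----"):
            continue
        start, end, length = int(start), int(end), int(length)
        if length != end - start + 1:  # the three columns must agree
            raise ValueError(f"inconsistent mmls row: {line}")
        volumes.append({"slot": slot, "start": start, "length": length, "desc": desc})
    return sector_size, volumes

def carve_commands(text, image="image.dd"):
    """One dcfldd command per volume (bs = sector size, skip = start, count =
    length, as in the post) plus the byte offset for mount -o loop,offset=."""
    sector_size, volumes = parse_mmls(text)
    cmds = []
    for v in volumes:
        out = f"{image}.p{v['slot']}.img"  # assumed output naming scheme
        cmd = (f"dcfldd if={image} of={out} hash=md5,sha256 hashlog={out}.hashlog "
               f"bs={sector_size} skip={v['start']} count={v['length']}")
        cmds.append({"slot": v["slot"], "desc": v["desc"],
                     "byte_offset": v["start"] * sector_size, "cmd": cmd})
    return cmds

if __name__ == "__main__":
    for c in carve_commands(MMLS_OUTPUT):
        print(f"# slot {c['slot']}: {c['desc']} (byte offset {c['byte_offset']})\n{c['cmd']}")
```

Feed it the real `mmls image.dd` output instead of the sample and compare the generated skip/count pairs against the listing before running anything.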

Now you know how to carve partitions from a raw image.