Sunday, November 1, 2015

Firefox 41.0.1 Browsing session analysis - Mounting a dc3dd image

In the previous post we created a forensic copy of a disk using dc3dd. Let's now mount that image.

Before mounting the image, let's see what we can learn about it from "fdisk -l":

sansforensics@securitynik:~/firefox-analysis$ fdisk -l securitynik-firefox.dc3dd

From the above we see a FAT16 partition that starts at sector 32 and ends at sector 3915575. mount needs the starting point of the partition in bytes, so multiply the starting sector of 32 by 512, which is the sector size.
If we multiply 32 x 512 we get 16,384.

Now that we have the actual offset of 16,384, let's mount the partition.
sansforensics@securitynik:~/firefox-analysis$ sudo mount --read-only --options=loop,offset=16384 securitynik-firefox.dc3dd tmp/

Now that we have executed the mount command, let's verify that the image has been mounted successfully:
sansforensics@securitynik:~/firefox-analysis$ df -kh

So far so good. Now that we have the mounted drive, let's look at analyzing the various SQL databases in the next post.
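
As an added example (not part of the original post): the start sector that "fdisk -l" reports can also be read straight from the MBR partition table in the image and converted into the value for offset=. The function names and the constructed sample MBR are assumptions for illustration; the script assumes an MBR-partitioned image with 512-byte sectors.

```bash
#!/bin/sh
# Added example: derive the mount offset from the image's MBR instead of
# reading it off fdisk output by eye.
SECTOR_SIZE=512   # assumption: 512-byte sectors, as used in the post

# byte_at FILE OFFSET -> decimal value of the single byte at OFFSET
byte_at() {
    od -An -tu1 -j "$2" -N1 "$1" | tr -d ' \n'
}

# part_offset IMAGE N -> byte offset of primary partition N (1-4)
part_offset() {
    local img="$1" n="$2" entry b0 b1 b2 b3 lba
    # A valid MBR ends with the signature bytes 0x55 0xAA at offset 510.
    [ "$(byte_at "$img" 510)" = 85 ] && [ "$(byte_at "$img" 511)" = 170 ] || {
        echo "no MBR signature in $img" >&2; return 1; }
    entry=$((446 + 16 * (n - 1)))   # four 16-byte entries start at byte 446
    # A partition type byte of 0 marks an unused slot.
    [ "$(byte_at "$img" $((entry + 4)))" != 0 ] || {
        echo "partition $n is empty" >&2; return 1; }
    # The start sector (LBA) is 4 bytes, little-endian, at entry+8.
    b0=$(byte_at "$img" $((entry + 8)));  b1=$(byte_at "$img" $((entry + 9)))
    b2=$(byte_at "$img" $((entry + 10))); b3=$(byte_at "$img" $((entry + 11)))
    lba=$((b0 + (b1 << 8) + (b2 << 16) + (b3 << 24)))
    echo $((lba * SECTOR_SIZE))
}

# make_sample_mbr FILE -> constructed 512-byte MBR holding one FAT16
# (type 0x06) partition that starts at sector 32, mirroring the post.
make_sample_mbr() {
    head -c 512 /dev/zero > "$1"
    printf '\006' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\040\000\000\000' | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demo on the constructed sample; point part_offset at a real image instead.
sample=$(mktemp)
make_sample_mbr "$sample"
echo "sudo mount --read-only --options=loop,offset=$(part_offset "$sample" 1) <image> tmp/"
rm -f "$sample"
```

Because the function fails on a missing signature or an empty slot, a wrong partition number stops the procedure before mount is ever called with a bad offset.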
