I wasn't sure where to put this thread but since i use ubuntu for data recovery, I figured this is the best place. So, a friend passed me a 250G Western Digital hard disk the other day and said that his client needs to get her pictures off it. the problem: windows says it wants to reformat the system. so i put in my linux disk and had a look.
when i ran dmesg as root shortly after connecting the drive it gave the output in dmesg.txt i attached
I looked at the original drive with fdisk -l. I have made an image that I will be working with.
I had the same output when i used sfdisk on the image.
mount -o loop to /mnt fails it wants me to specify a filesystem and when i do it spits out a dmesg tail error.
is there anything else i can try like specifying an offset?
root@arumator--net:/home/arumator# mount -o loop /media/250189482C661005/recovery_image.img /mnt -t vfat
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
I need to mount the image sorry if i wasn't clear. i currently don't have the drive on me if I try mounting the image without the -o loop option it says its not a block device. this is the output from the dmesg | tail
root@arumator--net:/home/arumator# dmesg | tail
[26873.008861] sd 8:0:0:0: [sdb] Mode Sense: 23 00 10 00
[26873.008864] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[26873.014885] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[26873.014896] sdb: sdb1
[26873.037861] sd 8:0:0:0: [sdb] Assuming drive cache: write through
[26873.037868] sd 8:0:0:0: [sdb] Attached SCSI disk
[26873.557114] UDF-fs: Partition marked readonly; forcing readonly mount
[26873.559232] UDF-fs INFO UDF: Mounting volume 'WD SmartWare', timestamp 2009/11/13 20:34 (1f10)
[37695.928682] FAT: invalid media value (0xb9)
[37695.928687] VFS: Can't find a valid FAT filesystem on dev loop0.
I created this image with backtrack 4 release 2 using the AIR imager. the block size was set to 512. it is one big image with all the partitions on it.
I have no idea whether you'll be able to mount an image made by backtrack disk manager, it might not be raw. In any case you can't mount something that's not a partition, and that's not, it's an entire disk. Try '/sbin/fdisk -ul ./image-filename' to see if it finds the partitions on it.
I recommend that you start again. This time do logical imaging (i.e. by filesystem) rather than physical drive imaging. The standard free (as in beer) tool for doing this in the computer forensics world is dcfldd (DOD Computer Forensics Lab) dd.
If you do not want to start again you can use the mmls utility (may need -t dos option) to extract metadata for the relevant logical partition from the physical image. You can then use dcfldd skip=start_sector count=lenght bs=512 to extract the logical partition from the physical image.
Then, if partition is NTFS as is likely, use
mount -t ntfs -o ro,noexec,loop,show_sys_files partition.img /mnt
Both dcfldd and mmls are available for download on the Internet. mmls is part of TSK (The Sleuth Kit.) dcfldd is available on SourceForge.
It's already been described as a whole disk though -- so it's almost certainly not a filesystem. If it's a plain raw dump he could use offset-tricks to mount partitions in it, otherwise he'll need to convert it somehow first.
---------- Post updated at 08:28 AM ---------- Previous update was at 08:25 AM ----------
You can mount part of a file as a partition when mounting in linux with -o loop. Wish I'd known that years ago, could have done that instead of making a vmware virtual machine.
mount -o loop,ro,offset=offset-in-bytes,sizelimit=length-in-bytes -t filesystemtype ./huge-wad-of-partitions.img