How to mount lost partitions from a disk image without repairing

I came across a hard disk with a corrupted MBR. In other words, I found a hard disk that lost all of its partitions but whose files and folders are still there. My tool of choice in this kind of case is TestDisk.

Instead of repairing the disk directly, I took an image of the whole disk using “dd” because backup is important.

$ sudo dd if=/dev/sdb of=/data/sdb.img
$ sudo chmod -w /data/sdb.img

TestDisk’s quick analysis indicated two partitions, but deep analysis indicated more. This is what led me to experiment with the disk image first before repairing it. I wanted to try read-only mounting these lost partitions without repairing the disk or image. I chose not to repair so I could reuse the same image over and over for experimentation.

As I learned from various sources, here’s how to mount a single partition from a disk image.

$ sudo fdisk -lu /data/sdb.img    # find sector size and partition start boundaries
$ sudo mount -o loop,ro,offset=n /data/sdb.img /mnt    # where n = sector size * start boundary

This works for healthy disks. But when there is no partitioning information left, the fdisk utility has nothing to show.

Well, we can get that information from TestDisk. But you’ll need to do some math because TestDisk uses CHS notation to show partition boundaries instead of sectors.

Here’s an example ‘testdisk-detected’ partition table (the interesting information is the CHS geometry in the header, 255 heads and 63 sectors per track, and each partition’s Start column):

Disk /data/sdb.img - 320 GB / 298 GiB
 CHS 38914 255 63 - sector size=512
Disk /data/sdb.img - 320 GB / 298 GiB - CHS 38914 255 63
     Partition               Start        End    Size in sectors
>D HPFS - NTFS              0   1  1  6373 254 63  102398247
 D HPFS - NTFS           6373 166  1 19121 224 63  204800337
 L HPFS - NTFS          19121 226  1 38911 254 63  317928177

I learned that we need to convert CHS to LBA using the standard formula:

(C * TH * TS) + (H * TS) + (S - 1) = LBA
where TH = total heads (heads per cylinder), and TS = total sectors per track

With that, let’s simplify the formula specifically for our case…

(C * 255 * 63) + (H * 63) + (S - 1) = LBA
16065 * C + 63 * H + S - 1 = LBA
Since S = 1 for all partitions,

16065 * C + 63 * H = LBA

Let’s try mounting the third partition:

Start sector LBA    = 16065 * 19121 + 226 * 63
                    = 307178865 + 14238
                    = 307193103
Offset in bytes (n) = 307193103 * 512
                    = 157282868736
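The conversion above is easy to get wrong by hand, so here is a small script (an added example, not part of the original post) that parses a pasted TestDisk listing, applies the same CHS-to-LBA formula, cross-checks each row against TestDisk’s own “Size in sectors” column, and prints the read-only mount command. It assumes the column layout shown above; the sample text is the table from this post, and the `sizelimit=` option is util-linux’s way of keeping the loop device inside the partition instead of running to the end of the image.

```python
import re

# Constructed sample input: the TestDisk listing quoted in the post
# (geometry CHS 38914 255 63, 512-byte sectors). Assumed to be pasted from
# TestDisk's "Analyse" screen; the exact column layout may vary by version.
TESTDISK_OUTPUT = """\
Disk /data/sdb.img - 320 GB / 298 GiB
 CHS 38914 255 63 - sector size=512
     Partition               Start        End    Size in sectors
>D HPFS - NTFS              0   1  1  6373 254 63  102398247
 D HPFS - NTFS           6373 166  1 19121 224 63  204800337
 L HPFS - NTFS          19121 226  1 38911 254 63  317928177
"""

GEOMETRY_RE = re.compile(r"CHS\s+(\d+)\s+(\d+)\s+(\d+)")
SECTOR_RE = re.compile(r"sector size=(\d+)")
# status flag, description, start C H S, end C H S, size in sectors
ROW_RE = re.compile(
    r"^\s*>?\s*([A-Z*])\s+(.+?)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d+)\s*$"
)


def chs_to_lba(c, h, s, heads, sectors_per_track):
    """Classic CHS -> LBA: (C * TH * TS) + (H * TS) + (S - 1)."""
    return (c * heads + h) * sectors_per_track + (s - 1)


def parse_testdisk(text, default_sector_size=512):
    """Parse a TestDisk partition listing into byte offsets usable by mount."""
    geom = GEOMETRY_RE.search(text)
    if geom is None:
        raise ValueError("no 'CHS c h s' geometry line found")
    _cylinders, heads, spt = (int(x) for x in geom.groups())
    sec = SECTOR_RE.search(text)
    sector_size = int(sec.group(1)) if sec else default_sector_size

    partitions = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row is None:
            continue
        status, name = row.group(1), row.group(2).strip()
        sc, sh, ss, ec, eh, es, size = (int(x) for x in row.groups()[2:])
        start_lba = chs_to_lba(sc, sh, ss, heads, spt)
        end_lba = chs_to_lba(ec, eh, es, heads, spt)
        partitions.append({
            "status": status,
            "name": name,
            "start_lba": start_lba,
            "end_lba": end_lba,
            "size_sectors": size,
            # Sanity check: the CHS range must agree with TestDisk's own size
            # column; if it does not, the geometry was misread and the offset
            # would be garbage.
            "consistent": end_lba - start_lba + 1 == size,
            "offset_bytes": start_lba * sector_size,
            "size_bytes": size * sector_size,
        })
    return partitions


def mount_command(part, image, mountpoint="/mnt"):
    """Build the read-only loop mount; sizelimit= bounds the loop device to the partition."""
    if not part["consistent"]:
        raise ValueError(f"refusing to build a command for inconsistent entry: {part['name']}")
    return (f"mount -o loop,ro,offset={part['offset_bytes']},"
            f"sizelimit={part['size_bytes']} {image} {mountpoint}")


if __name__ == "__main__":
    parts = parse_testdisk(TESTDISK_OUTPUT)
    for p in parts:
        print(f"{p['status']} {p['name']:<12} LBA {p['start_lba']:>10} "
              f"offset {p['offset_bytes']:>13}  consistent={p['consistent']}")
    # Third partition: offset 157282868736, the same value computed by hand above.
    print(mount_command(parts[2], "/data/sdb.img"))
```

Run it with the listing pasted into `TESTDISK_OUTPUT` (or read from a file); a row whose CHS range disagrees with the size column is reported as inconsistent and no mount command is produced for it, which is cheaper than mounting at a bogus offset and wondering why the filesystem looks corrupt.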

Here we go… 3…… 2….. 1……

$ sudo mount -o loop,ro,offset=157282868736 /data/sdb.img /mnt

That worked! 🙂 I’m sure this post will be useful for anyone who’s learning digital forensics.
