From CedarLUG - The Cedar Valley Linux Users Group


Accessing BSD partitions inside of a raw disk image

Suppose that you need to do a little forensics on a BSD system that was compromised, or you just need to get files off of that dd image you made of that FreeBSD server a while back. How do you mount the FreeBSD disk partitions given a raw dd of the disk, when you're a Linux professor like myself?

Answer: mount with offsets.

Scenario

Here's the setup:

  • You have a whole disk image of a drive that was generated using 'dd'
  • The disk image consists of a BSD variant
  • You want to access the partitions of the BSD system

The first step is to figure out where the BSD partition begins. Assuming that the raw (whole) disk image is called "cdc-fbsd-web-2011.img," fire up parted using the file as the target, change units to bytes, and print the partition information:

terabox:/backups/CDC-2011# parted cdc-fbsd-web-2011.img
GNU Parted 1.8.8
Using /backups/CDC-2011/cdc-fbsd-web-2011.img
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit
Unit?  [compact]? B
(parted) print
Model:  (file)
Disk /backups/CDC-2011/cdc-fbsd-web-2011.img: 21474836480B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End           Size          Type     File system  Flags
 1      32256B  21467980799B  21467948544B  primary               boot

(parted)

Note the "Start" entry. In the listing above, the partition starts at byte 32256. This is where the BSD slice begins, so mount the disk image using mount's offset option:

mount -o ro,offset=32256,ufstype=ufs2 -t ufs  cdc-fbsd-web-2011.img  /mnt

Note that the filesystem type handed to mount is "ufs", and the extra option "ufstype=ufs2" tells the driver which UFS variant we're dealing with. Note also the offset parameter, which is the Start value gleaned from the parted output above.

From this we are able to access the files on the partition:

terabox:~# ls /mnt 
bin    compat     dist     home     media  public_html  sbin  usr
boot   COPYRIGHT  entropy  lib      mnt    rescue       sys   var
cdrom  dev        etc      libexec  proc   root         tmp
terabox:~#

Surely this approach won't work with a Windows disk image, right? Sure enough, it works splendidly with NTFS partitions as well.
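To show where the Start value comes from, here is an added Python example (my code, not from the page or from GNU Parted) that reads the msdos partition table at the front of a raw image directly, derives the same byte offsets parted prints, and emits the mount line for a FreeBSD or NTFS partition. The sample MBR is constructed inline to mirror the parted listing above (one bootable FreeBSD slice at sector 63, 41929587 sectors of 512 bytes); `partitions_from_image` is my own helper for a real image file.

```python
import struct

SECTOR_SIZE = 512              # parted reported 512B logical sectors
PART_TABLE_OFFSET = 446        # four 16-byte entries, ending at byte 510
MBR_SIGNATURE = b"\x55\xaa"    # boot signature that closes the sector

# Standard MBR partition type ids for the systems this page deals with
PART_TYPES = {0xA5: "FreeBSD", 0xA6: "OpenBSD", 0xA9: "NetBSD",
              0x07: "NTFS/exFAT/HPFS", 0x83: "Linux"}


def parse_mbr(sector0):
    """Parse the four primary entries of an MBR into byte ranges."""
    if len(sector0) < 512 or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not an msdos partition table")
    parts = []
    for i in range(4):
        entry = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector0, entry)
        if ptype == 0:           # empty slot
            continue
        parts.append({
            "number": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "start_bytes": lba_start * SECTOR_SIZE,
            "end_bytes": (lba_start + lba_count) * SECTOR_SIZE - 1,
            "size_bytes": lba_count * SECTOR_SIZE,
        })
    return parts


def mount_command(image, part, mountpoint="/mnt"):
    """Build the read-only loop mount line for a parsed partition."""
    opts = "ro,offset=%d" % part["start_bytes"]
    if part["type"] == 0xA5:                 # FreeBSD slice: UFS2, as on the page
        return "mount -o %s,ufstype=ufs2 -t ufs %s %s" % (opts, image, mountpoint)
    if part["type"] == 0x07:                 # NTFS works the same way with offsets
        return "mount -o %s -t ntfs %s %s" % (opts, image, mountpoint)
    return "mount -o %s %s %s" % (opts, image, mountpoint)


def partitions_from_image(path):
    """Read sector 0 of a real dd image and parse it (my helper, assumed usage)."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(512))


def sample_mbr():
    """Constructed MBR matching the parted output above: one bootable FreeBSD slice."""
    mbr = bytearray(512)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0xA5, 63, 21467948544 // SECTOR_SIZE)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print("%(number)d  %(type_name)s  start=%(start_bytes)dB  end=%(end_bytes)dB" % p)
        print(mount_command("cdc-fbsd-web-2011.img", p))
```

The offset is simply the LBA start multiplied by the logical sector size, so the check against parted is that `start_bytes` reproduces 32256 and `end_bytes` reproduces 21467980799. One caveat for forensic work: a FreeBSD slice typically carries its own BSD disklabel with several UFS partitions, and the offset computed here is the start of the slice, which is where the first (root) partition sits in the layout shown above; other disklabel partitions need their own offset added to the slice start.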

Metagoofil Doesn't Download Documents

Recently (with the understanding that "recently" is completely dependent upon the date when you actually read this), Google changed the way that it displays search results. Whether this is "A Good Thing(tm)" or not is always debatable, but the immediate consequence is that Metagoofil's ability to download documents returned in the usual Google search query was broken.

This is easy to fix. Metagoofil's compiled regular expression is no longer accurate. To fix this in Metagoofil 1.4b, change the regular expression in the python code around line 184 of the code from:

r1 = re.compile('><a href="([^"]+.'+file+')"')

to

r1 = re.compile(r'/url\?q=(.+?'+file+')')

There's likely a better regular expression to use here, but in case you've been searching and searching for things like "Metagoofil won't download documents" and have come up empty, this will at least nudge you past the downloading issue.
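As an added example (my code, not Metagoofil's), here are the two regular expressions side by side over constructed result snippets, so you can see why the old one stops matching once result links go through a /url?q= redirect. `ext` plays the role of the script's `file` variable; the HTML samples are made up, not captured from Google; and `tighter_pattern` is my own stricter variant of the fix, not something from the page.

```python
import re
from html import unescape
from urllib.parse import unquote


def old_pattern(ext):
    """Metagoofil 1.4b original: expects the href to point straight at the document."""
    return re.compile('><a href="([^"]+.' + ext + ')"')


def fixed_pattern(ext):
    """The fix from the page: the document URL now sits after a /url?q= redirect."""
    return re.compile(r'/url\?q=(.+?' + ext + ')')


def tighter_pattern(ext):
    """My stricter variant: stop at the first & or quote and require a literal '.' before ext."""
    return re.compile(r'/url\?q=([^&"]+\.' + re.escape(ext) + r')(?=[&"])')


def extract_documents(page, ext, pattern_factory):
    """Return decoded document URLs that the chosen regex finds in a result page."""
    urls = []
    for raw in pattern_factory(ext).findall(page):
        # hrefs are HTML-escaped (&amp;) and percent-encoded; undo both before fetching
        urls.append(unquote(unescape(raw)))
    return urls


# Constructed samples (not real Google markup): a result before and after the change
OLD_STYLE = ('<h3 class="r"><a href="http://www.example.edu/reports/annual.pdf">'
             'Annual report</a></h3>')
NEW_STYLE = ('<h3 class="r"><a href="/url?q=http://www.example.edu/reports/annual.pdf'
             '&amp;sa=U&amp;ei=x1">Annual report</a></h3>'
             '<h3 class="r"><a href="/url?q=http://www.example.edu/forms/intake%20form.pdf'
             '&amp;sa=U">Intake form</a></h3>')


if __name__ == "__main__":
    for name, factory in (("old", old_pattern), ("fixed", fixed_pattern),
                          ("tighter", tighter_pattern)):
        print(name, "on old-style:", extract_documents(OLD_STYLE, "pdf", factory))
        print(name, "on new-style:", extract_documents(NEW_STYLE, "pdf", factory))
```

The old expression needs the extension to sit immediately before the closing quote, which is never true once the tracking parameters follow the redirected URL, so it returns nothing on the new markup. The page's fix captures non-greedily up to the first occurrence of the extension, which is enough to get downloads working again; the stricter variant additionally refuses to run past an ampersand and insists on a real dot before the extension, which is the kind of "better regular expression" the text alludes to.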

This hiccup was discovered and resolved in the course of code analysis in the System Security Course at the University of Northern Iowa, and the solution can be attributed to Scott Smart. Thank you Scott.

qmail with TLS/SMTP-AUTH and Debian Packaging

Whenever possible, you should stick to the package management system of the local system. Period. If there's a package available and you choose to install the same software from source, you are asking for trouble.

Enter qmail. qmail is an awesome choice for all your mail needs. But qmail is somewhat ostracized (justifiably so) by Debian-based distributions because of its license. The trade-off is that qmail is packaged in Debian as a source + build-scripts paradigm. So what do you do when you want to adhere to the Debian package management system but integrate extra functionality into qmail? Here's how to build a Debian package with support for TLS+SMTP-Auth:

First, search elsewhere for how to get and build ucspi-tcp. That's not covered here because, as the title of this section would imply, you can already find that through Google.

Next, grab the qmail debian source package:

apt-get install qmail-src

When the package is installed, issue "build-qmail" to start building a Debian qmail package.

The qmail-TLS patch capability is what I was looking to integrate, but it needs to be integrated so as to be able to mesh with the Debian package management. So here's the hack that I did that allowed me to build an installable qmail_1.03-47_ARCH.deb package:

First, issue

build-qmail

Next, specify the directory for the source file when prompted.

Third, when you see the following:

Patches already applied can be found in the patches/ directory where the qmail-src package was extracted.

This can take long time, depending on your machine

Press ENTER to continue...

hit Ctrl-Z to get the prompt back. Change to your qmail source directory (where you pointed it to earlier, or /tmp/qmail if you didn't specify anything), and apply this debian-tls.patch or this debian-tls-auth.patch.

After the patch applies without any rejections, resume the build with "fg" and hit return. When all is done, you'll have a Debian qmail binary package for your architecture dropped in your qmail source build directory.