THE ENHANCED LINUX LOOPBACK DEVICE

In the last section, we had to change the offset with losetup to access the partition, because the loopback devices do not recognize partition tables. Guessing where each partition begins in order to mount its file system through a loopback device is tedious and, with the right tool, unnecessary. Luckily, NASA developed an enhanced loopback device that solves the offset problem and makes the forensic analysis process much easier.

Implementation

Most newer versions of Linux come with the loopback device compiled into the kernel and the utilities included in the base install. If your system does not have the loopback device installed, refer to your distribution's instructions for installing it. The enhanced loopback bundle can be found on a publicly accessible FTP server at ftp://ftp.hq.nasa.gov/pub/ig/ccd/enhanced_loopback/ . Two installations are required to obtain the enhanced functionality: one replaces the kernel with the modified kernel, and the other adds the tools needed to use the new capability of that kernel.

After the loopback tool kit has been installed, the real magic begins. Using the same evidence file as in the previous section (disk.bin), you can mount the source data found in the Windows 98 partition using losetup in the same fashion, but without an offset. The additional -r flag to losetup associates the evidence file read-only, which is always a good safety measure to put in place. After the evidence file has been associated with the /dev/loop0 device file, type dmesg at the prompt to display the partitions found in the evidence file. Then simply mount the partitions as you would with any physical hard drive. In this scenario, the partitions fill out the other loop devices in order of increasing device file minor number: the first partition is now /dev/loop1, the second is /dev/loop2, and so on. The process can be viewed here:

 forensic# losetup -r /dev/loop0 /mnt/storage/disk.bin    # read-only association; partitions appear as /dev/loop1, /dev/loop2, ...
 forensic# mount -o ro /dev/loop1 /mnt/evidence             # first partition (the Windows 98 file system), not the whole-disk /dev/loop0
 forensic# ls /mnt/evidence

When you are finished analyzing the evidence, the following commands will break the association created in the preceding commands:

 forensic# cd /mnt/storage
 forensic# umount /mnt/evidence
 forensic# losetup -d /dev/loop0
Caution 

One caveat to using the losetup -d command is that you must be working in the same directory where disk.bin resides, or an error will occur.
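To make concrete what the enhanced driver does inside the kernel (reading the partition table instead of leaving you to guess offsets), the following Python script is an added example, not code from the book or from the NASA bundle: it parses the MBR of a disk image and prints the read-only losetup -o commands a plain loopback device would need for each partition, numbered /dev/loop1, /dev/loop2, ... like the enhanced driver. The path /mnt/storage/disk.bin is the one from the text; the partition layout in build_sample_mbr is constructed for the demonstration.

```python
"""Parse an MBR partition table from a disk image and print the read-only
losetup offsets a plain (non-enhanced) loopback device needs for each partition.
Added example; the partition layout below is constructed, not taken from disk.bin."""
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"
EXTENDED_TYPES = {0x05, 0x0F}  # container entries; logical partitions sit inside them
ENTRY_FMT = "<B3xB3xII"       # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of an MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIG:
        raise ValueError("no 0x55AA signature at offset 510: not an MBR-partitioned image")
    parts = []
    for i in range(4):
        boot, ptype, lba_start, n_sectors = struct.unpack_from(ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i + 1, "type": ptype, "bootable": boot == 0x80,
                      "offset": lba_start * SECTOR, "size": n_sectors * SECTOR,
                      "extended": ptype in EXTENDED_TYPES})
    return parts


def losetup_commands(image_path, parts):
    """One read-only losetup line per mountable partition, numbered the way the
    enhanced driver does it: partition 1 -> /dev/loop1, partition 2 -> /dev/loop2."""
    return [f"losetup -r -o {p['offset']} /dev/loop{p['index']} {image_path}"
            for p in parts if not p["extended"]]


def build_sample_mbr():
    """Constructed MBR: bootable FAT32 (0x0C) at sector 63, Linux (0x83) right after it."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x0C, 63, 204800), (0x00, 0x83, 204863, 409600)]
    for i, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, boot, ptype, start, count)
    mbr[510:512] = MBR_SIG
    return bytes(mbr)


if __name__ == "__main__":
    # With a real image: parse_mbr(open("/mnt/storage/disk.bin", "rb").read(512))
    for line in losetup_commands("/mnt/storage/disk.bin", parse_mbr(build_sample_mbr())):
        print(line)
```

Logical partitions inside an extended container are not walked here; the script flags the container entry so you know further offsets remain to be found.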



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175