Losetup: Transforming a Regular File into a Device on Linux




Typically, the investigator stores the forensic duplication made with dd as a regular file. With only that file it is awkward to examine the logical files that existed on the original hard drive, so the regular file must be presented as a block device that emulates the drive. Once that is done, the investigator can analyze the source file system just as if the original hard drive were attached. On Linux, the losetup tool performs this transformation: it associates the file with a loop device (the lo in losetup stands for loop, as in loopback), which can then be scanned with fdisk and mounted just as any hard drive could be.

Note 

Mounting a file system provides only a logical view of the source file system. Every bit of the image is still reachable through the loopback device, but the base installation of a Unix operating system includes no tool for quickly recovering deleted files from it.

Implementation

The following options are available for losetup usage:

forensic# losetup
usage:
  losetup loop_device                                      # give info
  losetup -d loop_device                                   # delete
  losetup [ -e encryption ] [ -o offset ] loop_device file # setup

Because we will not be using any encryption during the forensic analysis, the -e option is ignored, which makes the tool simple to use. We first designate the loop device file that will be associated with the forensic duplication evidence file. In Linux these are /dev/loop#, where # is a small integer; the choice is arbitrary as long as that device is not already in use. How many exist depends on the kernel configuration (historically eight, /dev/loop0 through /dev/loop7, was the default), and current util-linux versions of losetup can pick the first free device with losetup -f. To associate the first loopback device with an evidence file, the following command line works best:

forensic# losetup /dev/loop0 /mnt/storage/disk.bin

The following session demonstrates losetup in action. The hard drive attached as /dev/hdb was imaged with dd, and the evidence file was stored at /mnt/storage/disk.bin. The file was then associated with /dev/loop0 using losetup with the default offset of zero, and fdisk was run against the loop device to read its partition table. fdisk reported the logical start of the Windows 98 partition we are interested in as (cylinder 0, head 0, sector 64); because fdisk numbers sectors within a track from 1, that is LBA sector 63, so the partition begins 63 sectors into the image.

forensic# dd if=/dev/hdb of=/mnt/storage/disk.bin conv=notrunc,noerror,sync bs=1024
20043922+0 records in
20043922+0 records out
forensic# losetup /dev/loop0 /mnt/storage/disk.bin
forensic# fdisk -l /dev/loop0

Disk /dev/loop0: 1 heads, 40087844 sectors, 1 cylinders
Units = cylinders of 40087844 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
/dev/loop0p1   *          1         1  20041056    c  Win95 FAT32 (LBA)
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(0, 1, 1) logical=(0, 0, 64)
Partition 1 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(0, 0, 40082175)
Partition 1 does not end on cylinder boundary:
     phys=(1023, 254, 63) should be (1023, 0, 40087844)

To mount the Windows partition we must therefore tell losetup to skip the first 63 sectors: 63 sectors times 512 bytes per sector gives an offset of 32256 bytes, designated with the -o option. Because /dev/loop0 is still associated with the image from the previous step, it must first be released with losetup -d; losetup otherwise refuses to reuse a busy device. The following detaches the device, reattaches it at the correct offset, and then mounts and lists the contents of the /mnt/storage/disk.bin evidence file at /mnt/evidence (/mnt/evidence must, of course, exist first!):

forensic# losetup -d /dev/loop0
forensic# losetup -o 32256 /dev/loop0 /mnt/storage/disk.bin
forensic# mount -o ro /dev/loop0 /mnt/evidence
forensic# ls /mnt/evidence
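As an added example (not code from the book), the following POSIX shell script automates the offset step: it reads the partition's starting LBA directly from the MBR of the image instead of inferring it from fdisk's CHS values, checks the boot signature and the partition type byte first, and then performs the detach/attach/mount sequence read-only. The helper names (mbr_valid, mbr_part_offset, mbr_part_type, mount_evidence, make_test_image), the 512-byte-sector and MBR-only assumptions, and the constructed test partition table are mine, not the book's.

```shell
#!/bin/sh
# Added example, not code from Anti-Hacker Tool Kit. It reads the partition
# start LBA straight out of the MBR of a raw dd image, so the losetup offset
# does not have to be inferred from fdisk's CHS output, then attaches and
# mounts the partition read-only. Assumes 512-byte sectors and a classic MBR
# (DOS) partition table, as in the book's example; a GPT disk needs a
# different parser. Only dd, od and printf are needed for the offset step.
set -eu

# True if the first sector of the image carries the 0x55AA boot signature;
# without it the partition entries are not to be trusted.
mbr_valid() {
    sig=$(od -An -t x1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Print the byte offset for losetup -o of primary partition N (1-4).
# Entry N begins at byte 446 + 16*(N-1); its bytes 8..11 hold the starting
# LBA as a 32-bit little-endian integer.
mbr_part_offset() {
    img=$1
    n=$2
    entry=$((446 + 16 * (n - 1)))
    # od prints the four bytes as unsigned decimals, e.g. " 63 0 0 0"
    set -- $(od -An -t u1 -j $((entry + 8)) -N 4 "$img")
    lba=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    echo $((lba * 512))
}

# Print the partition type byte (byte 4 of the entry) as two hex digits,
# e.g. "0c" for Win95 FAT32 (LBA), so the caller can confirm it is looking
# at the expected partition before mounting it.
mbr_part_type() {
    entry=$((446 + 16 * ($2 - 1)))
    od -An -t x1 -j $((entry + 4)) -N 1 "$1" | tr -d ' \n'
}

# Attach partition N of the image at the computed offset and mount it
# read-only. Needs root and a real loop device, so the demo below does not
# call it. /dev/loop0 is detached first in case it is still attached from an
# earlier "losetup /dev/loop0 image" run; losetup refuses to reuse a busy
# device.
mount_evidence() {
    img=$1
    n=$2
    mnt=$3
    mbr_valid "$img" || { echo "no MBR signature in $img" >&2; return 1; }
    off=$(mbr_part_offset "$img" "$n")
    losetup -d /dev/loop0 2>/dev/null || true
    losetup -o "$off" /dev/loop0 "$img"
    mount -o ro /dev/loop0 "$mnt"
}

# Constructed test data, not a real image: a single 512-byte MBR whose first
# entry is bootable, type 0x0c (Win95 FAT32 LBA), starting at LBA 63 with a
# length of 1000 sectors, plus the 0x55AA signature. Prints the file name.
make_test_image() {
    img=${TMPDIR:-/tmp}/losetup_example.$$.img
    dd if=/dev/zero of="$img" bs=512 count=1 2>/dev/null
    # status 0x80, CHS start head 1/sector 1/cyl 0, type 0x0c,
    # CHS end fe/ff/ff, LBA start 63 (3f 00 00 00), count 1000 (e8 03 00 00)
    printf '\200\001\001\000\014\376\377\377\077\000\000\000\350\003\000\000' |
        dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    echo "$img"
}

# Demo: on the constructed MBR this reports offset 32256, the same value the
# book derives by hand (63 sectors * 512 bytes).
demo_img=$(make_test_image)
if mbr_valid "$demo_img"; then
    echo "partition 1 type $(mbr_part_type "$demo_img" 1), losetup -o $(mbr_part_offset "$demo_img" 1)"
fi
rm -f "$demo_img"
```

Run it as root against a real image with `mount_evidence /mnt/storage/disk.bin 1 /mnt/evidence` after sourcing the script; the offset helpers work on any dd image without privileges, which makes them handy for checking the number before touching a loop device.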

Once the evidence image has been mounted read-only, it can be analyzed just as if the original source media were inserted, without risk to the evidentiary value of the original. Two independent safeguards are worth applying. First, make the evidence file itself read-only before attaching it, for example with chmod 400 /mnt/storage/disk.bin, so that no process running as the analyst can write to it. Second, mount with the read-only -o ro option as shown above. For the FAT32 partition in this example a read-only mount is sufficient, but some journaling file systems (ext3, for instance) replay their journal even on a read-only mount unless told not to (ext3 accepts -o ro,noload), and newer util-linux versions of losetup can mark the loop device itself read-only with -r. A cryptographic hash of the image taken before and after the analysis demonstrates that nothing changed.

Note 

In this case, we mounted the contents as a normal file system. Once the regular file is associated with a loopback device, every command that operates on files and block devices works against the special device (/dev/loop0) associated with the duplication image, so the raw bytes of the partition, including unallocated space, can be read or searched with tools such as dd, strings and grep without mounting it at all.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189
