SANS Digital Forensics and Incident Response Blog: Tag - superblock

Mounting Images Using Alternate Superblocks

[Editor's note: Due to changes in the Linux file system drivers, Hal has posted an update to this post at]

Mounting Unix file system images is a common investigative technique, because it allows examiners to use standard file system tools (e.g., find, grep) to look for evidence. However, sometimes you run into difficulties:

    # mount -o loop,ro dev_sda2.dd /mnt
    mount: wrong fs type, bad option, bad superblock on /dev/loop0,
           missing codepage or helper program, or other error
           In some cases useful info is found in syslog - try
           dmesg | tail or so

So what's going on here? Well, let's try the dmesg command suggested in the above error message:

    # dmesg