SANS Digital Forensics and Incident Response Blog: Tag - superblock

Mounting Images Using Alternate Superblocks

[Editor's note: Due to changes in the Linux file system drivers, Hal has posted an update to this post at https://blogs.sans.org/computer-forensics/2009/10/05/mounting-images-using-alternate-superblocks-follow-up/.]

Mounting Unix file system images is a common investigative technique, because it allows examiners to use standard file system tools (e.g., find, grep) to look for evidence. However, sometimes you run into difficulties:

# mount -o loop,ro dev_sda2.dd /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so

So what's going on here? Well, let's try the dmesg command suggested in the above error message:

# dmesg  

...