Nerd Notes

/dev/brain: no space left on device

How to extract a filesystem from a disk image

with 11 comments

You need to back up an entire hard disk to a single file. Supposing your disk is at /dev/hda and the backup file is image-file, you’d do:

# cat /dev/hda > image-file

or

# dd if=/dev/hda of=image-file

The backup file you get will hold a copy of every single bit from the hard disk. This means that you also have a copy of the MBR in the first 512 bytes of the file.

Because of this, you can see the partition table on the backup file:

# sfdisk -l -uS image-file
Disk image-file: 0 cylinders, 0 heads, 0 sectors/track
Warning: The partition table looks like it was made
for C/H/S=*/255/32 (instead of 0/0/0).
For this listing I'll assume that geometry.
Units = sectors of 512 bytes, counting from 0
   Device      Boot     Start        End    #sectors  Id  System
image-filep1               32     261119      261088  83  Linux
image-filep2           261120    4267679     4006560  82  Linux swap / Solaris
image-filep3          4267680  142253279   137985600  83  Linux
image-filep4                0          -           0   0  Empty

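Now, suppose you want to extract partition number 3. You can see that it starts at block 4267680 and is 137985600 blocks long, where a block is one 512-byte sector. dd’s default block size is also 512 bytes, so the numbers can be passed straight to skip and count. This translates into: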

# dd if=image-file of=partition3-file skip=4267680 count=137985600

Now, peeking into the contents of the partition is as easy as:

# mount -t ext3 -o loop partition3-file /mnt/hack

Update (30 June 2011): as someone cleverly suggested in the comments, you can avoid using dd to extract the partition file by passing the offset option to mount as explained in this blog post.
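
The sector-to-byte arithmetic behind the offset mount, as an added example that is not part of the original post: it reads the four primary MBR entries straight from the image and prints read-only loop options with both offset and sizelimit, so the loop device cannot run past the partition. The function names read_le32, part_geometry and mount_args are hypothetical, and the 512-byte sector is the unit from the sfdisk listing above; extended and GPT partitions are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): byte offset/size of an MBR partition.
SECTOR=512   # assumption: 512-byte sectors, as in the sfdisk -uS listing

# read_le32 FILE BYTE_OFFSET -> little-endian 32-bit value stored at that offset
read_le32() {
    bytes=$(od -An -tu1 -j "$2" -N4 "$1") || return 1
    set -- $bytes
    [ $# -eq 4 ] || return 1          # image too short to hold the field
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# part_geometry IMAGE N -> "START_SECTOR SECTOR_COUNT" for primary partition N
part_geometry() {
    img=$1 n=$2
    case $n in [1-4]) ;; *) echo "partition must be 1-4" >&2; return 1 ;; esac
    # A valid MBR ends with the bytes 0x55 0xAA at offsets 510-511
    sig=$(od -An -tx1 -j 510 -N2 "$img" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature in $img" >&2; return 1; }
    # Table starts at byte 446; each entry is 16 bytes,
    # with LBA start at +8 and sector count at +12
    entry=$(( 446 + (n - 1) * 16 ))
    start=$(read_le32 "$img" $(( entry + 8 ))) || return 1
    count=$(read_le32 "$img" $(( entry + 12 ))) || return 1
    [ "$count" -gt 0 ] || { echo "partition $n is empty" >&2; return 1; }
    echo "$start $count"
}

# mount_args IMAGE N -> option string for mount -o (read-only, bounded loop device)
mount_args() {
    geo=$(part_geometry "$1" "$2") || return 1
    set -- $geo
    echo "loop,ro,offset=$(( $1 * SECTOR )),sizelimit=$(( $2 * SECTOR ))"
}

# Usage: sh thisfile image-file 3   (prints the mount command, does not run it)
if [ $# -eq 2 ]; then
    opts=$(mount_args "$1" "$2") && echo "mount -o $opts $1 /mnt/hack"
fi
```

The ro option keeps the image unmodified, which matters when the image is kept as a backup or as evidence.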


Written by Mirko Caserta

April 18, 2008 at 5:10 pm

11 Responses


  1. Cool hack! Thanks! :-)

    yk

    April 28, 2008 at 2:42 pm

  2. Thanks – this just completely saved my ass :).

    David Maas

    June 23, 2009 at 2:47 am

  3. Hi!
    Question is:
    Having an IMG file created via DD from a 16GB CF, how can I access files from that IMG file? I mean, I do not want to fully extract the IMG to a filesystem or another HDD, I just wish to copy files included in that .IMG file. Is this possible?

    Thanks in advance

    S

    November 16, 2009 at 4:50 pm

    • no.

      Name (required)

      June 17, 2011 at 8:55 am

      • Late response, but it’s necessary to negate the misinformation above.

        Yes, you can access the files without extracting them. You’ll use the mount command with -o loop,offset=#### where #### specifies the start of the partition as given by the sfdisk command.

        cprompt

        June 30, 2011 at 4:41 pm

      • Correcting myself here: You’ll need to multiply the block by the unit size when using the offset option. More info here: http://www.michaelboman.org/how-to/mounting-partitions-from-full-disk-dd-images

        cprompt

        June 30, 2011 at 7:35 pm

  4. Thanks, you saved me a lot of hours :)

    Rocky

    October 1, 2011 at 10:57 am

  5. I have a .dd image file, I need to extract the partitions off of it so I can analyse each partition for data. How can I do this, any help please…..

    Damian

    April 20, 2012 at 11:32 am

    • The two methods in the post should work. Since you already have an image file, skip the initial cat or dd command and use sfdisk to reveal the start and length of the partitions, and then use the dd command to copy that portion of the image. Or, you can mount directly using the alternate method. Is there some reason this is not working for you?

      cprompt

      April 20, 2012 at 12:05 pm

  6. and this?
    mount -o loop,ro,offset=$((4267680*512)) image-file /mnt/hack

    MrTAZ (@MrTAZ42)

    September 8, 2013 at 9:04 am

  7. The kpartx tool does most of these things for you. It mounts the partition in an image under /dev/mapper/.. and enables you to dd to your heart’s content, without the need for (what will likely be mis-)calculations:
    https://packages.debian.org/search?keywords=kpartx

    jakob

    December 3, 2015 at 4:21 pm

