June 13, 2011, 7:05 a.m.
posted by newmy
Just as losetup allows you to transform an evidence file created from a forensic duplication into a device for analysis, the vnode capability of FreeBSD lets you accomplish the same task. The vnode device in FreeBSD associates a regular file with an abstract device designated as /dev/vn#, where # denotes the number of the device, which is arbitrary and user defined. After you associate the evidence file with the vnode device using the vnconfig utility, you can mount or analyze the newly created special file as you would an actual hard drive.
Mounting a file system provides only a logical view of the source file system. Although every bit of the image is available through the loopback (or vnode) device, the base installation of a Unix operating system includes no tools for quickly viewing deleted files from the mounted file system.
To compile in support for the vn, you must add a line similar to the following to your kernel configuration file:
The command-line options for vnconfig are as follows:
forensic# vnconfig
usage: vnconfig [-cdeguv] [-s option] [-r option] [-S value] special_file [regular_file] [feature]
       vnconfig -a [-cdeguv] [-s option] [-r option] [-f config_file]
The following command demonstrates associating an evidence file created from a source hard drive with a special device file, /dev/vn0, to mount it as a regular file system:
forensic# vnconfig /dev/vn0 /mnt/storage/disk.bin
forensic# fdisk /dev/vn0
******* Working on device /dev/vn0 *******
parameters extracted from in-core disklabel are:
cylinders=2495 heads=255 sectors/track=63 (16065 blks/cyl)

Figures below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=2495 heads=255 sectors/track=63 (16065 blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS superblock is:
The data for partition 1 is:
sysid 12,(DOS or Windows 95 with 32 bit FAT, LBA)
    start 63, size 40082112 (19571 Meg), flag 0
        beg: cyl 0/ head 1/ sector 1;
        end: cyl 1023/ head 254/ sector 63
The data for partition 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED>
The data for partition 4 is:
<UNUSED>
After the evidence file has been associated with a virtual node, you can use all the commands that manipulate files on the device. Of course, you should put preventative measures in place to protect against modification of the evidence file. The simplest measure is to make the evidence file read-only with the chmod 400 <filename> command before it is associated with a virtual node.
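The fdisk output above is just a decoding of the 64-byte partition table in the first sector of the image. The following Python script is an added example, not part of the original post or of FreeBSD, that parses that table directly from a raw image file (opened read-only, so the evidence file is never opened for writing) and reports the same sysid, start sector and size that fdisk shows, plus the byte offset at which the partition begins (start sector times the 512-byte sector size), which is what you need when a single partition must be attached from a whole-disk image. The sample MBR bytes and the short sysid name table are constructed for the example; the only entry matches the partition 1 shown above.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # MBR partition table starts here
ENTRY_SIZE = 16                   # four entries of 16 bytes each
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510..511 of a valid MBR

# Small constructed subset of partition type ids, named the way fdisk prints them.
SYSID_NAMES = {
    0x07: "NTFS/HPFS",
    0x0B: "DOS or Windows 95 with 32 bit FAT",
    0x0C: "DOS or Windows 95 with 32 bit FAT, LBA",
    0x83: "Linux",
    0xA5: "FreeBSD/NetBSD/386BSD",
}


def decode_chs(raw):
    """Unpack the packed 3-byte cylinder/head/sector field into (cyl, head, sector)."""
    head, sec_cylhi, cyl_lo = raw
    sector = sec_cylhi & 0x3F                       # low 6 bits
    cylinder = ((sec_cylhi & 0xC0) << 2) | cyl_lo   # 2 high bits live in the sector byte
    return cylinder, head, sector


def parse_mbr(mbr):
    """Parse one 512-byte MBR; returns a 4-element list (None for unused slots)."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: short read or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, chs_beg, sysid, chs_end, lba_start, nsectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if sysid == 0:                 # fdisk prints these slots as <UNUSED>
            parts.append(None)
            continue
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "sysid": sysid,
            "name": SYSID_NAMES.get(sysid, "unknown"),
            "start": lba_start,                                  # in sectors
            "size": nsectors,                                    # in sectors
            "size_meg": nsectors * SECTOR_SIZE // (1024 * 1024),
            "byte_offset": lba_start * SECTOR_SIZE,              # for mounting by offset
            "beg_chs": decode_chs(chs_beg),
            "end_chs": decode_chs(chs_end),
        })
    return parts


def partitions_from_image(path):
    """Read only the first sector of an evidence image; 'rb' never opens it for writing."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR_SIZE))


def build_sample_mbr():
    """Constructed sample MBR whose single entry matches the fdisk output in the post."""
    entry = struct.pack("<B3sB3sII",
                        0x00,                          # not marked bootable (flag 0)
                        bytes([0x01, 0x01, 0x00]),     # beg: cyl 0 / head 1 / sector 1
                        0x0C,                          # sysid 12: FAT32, LBA
                        bytes([0xFE, 0xFF, 0xFF]),     # end: cyl 1023 / head 254 / sector 63
                        63,                            # start sector
                        40082112)                      # size in sectors
    mbr = bytearray(SECTOR_SIZE)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def report(parts):
    """Print an fdisk-style summary of the parsed table."""
    for i, p in enumerate(parts, start=1):
        if p is None:
            print(f"The data for partition {i} is:\n<UNUSED>")
            continue
        c, h, s = p["beg_chs"]
        ec, eh, es = p["end_chs"]
        print(f"The data for partition {i} is:")
        print(f"sysid {p['sysid']},({p['name']})")
        print(f"    start {p['start']}, size {p['size']} ({p['size_meg']} Meg), "
              f"byte offset {p['byte_offset']}")
        print(f"        beg: cyl {c}/ head {h}/ sector {s};")
        print(f"        end: cyl {ec}/ head {eh}/ sector {es}")


if __name__ == "__main__":
    report(parse_mbr(build_sample_mbr()))
```

Run against a real image with partitions_from_image("/mnt/storage/disk.bin") (path taken from the post) after the chmod 400 step; because the file is opened with "rb", a stray write is impossible even if the permission change was forgotten.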
The next command demonstrates mounting the duplication of the Windows source media in FreeBSD: