By Josh Wright
Yesterday, I started my yearly Epic Desk Cleanout. This annual ritual is more about holding up a trash can and sweeping everything into it. I really clean, which includes cataloging all the random SD cards I've collected throughout the year.
For SD cards, I'll typically dd the contents of the drive to a Linux box, then examine the data from a shell. This year, a lot of those SD cards are Raspberry Pi images. I end up with a file system dump that I need to examine:
The fdisk utility on Linux can read from a physical device or from a data dump file:
fdisk reveals a few important tidbits about the binary image:
- The sector size (512 bytes)
- The partitions in the disk image including file system types
- The starting offset in sectors for the file systems
Using the sector size (512 bytes) and the start sector for the Linux file system (264192), we can use a little shell-fu to calculate the number of bytes to the beginning of the file system:
The Linux filesystem is 135,266,304 bytes into the pi.img file. Next, we create a mount point (I use mnt from my current directory, but you can use any unused directory) and mount the image, specifying the number of offset bytes to the Linux partition:
Now it's just a matter of changing to the mnt directory, and exploring the data.
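The offset calculation from the steps above, as an added example that is not part of the original post: it reads the MBR partition table straight out of the image with od instead of fdisk, and prints the byte offset to use for each partition. It assumes an MBR (not GPT) image with 512-byte sectors; the function names and the constructed sample image are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a classic MBR
# partition table and 512-byte sectors, as in the fdisk output above.
SECTOR_SIZE=512

# part_offsets IMAGE: print "index type start_sector byte_offset" per partition
part_offsets() {
    img=$1
    # Bytes 510-511 must hold the MBR boot signature 0x55 0xAA.
    set -- $(od -An -tu1 -j510 -N2 "$img" 2>/dev/null)
    if [ "$1" != 85 ] || [ "$2" != 170 ]; then
        echo "no MBR boot signature in $img" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt 4 ]; do
        # Four 16-byte entries start at byte 446 of the first sector.
        set -- $(od -An -tu1 -j$((446 + 16 * i)) -N16 "$img")
        i=$((i + 1))
        ptype=$5
        # Entry bytes 8-11 ($9..$12) are the little-endian start sector.
        start=$(( $9 + (${10} << 8) + (${11} << 16) + (${12} << 24) ))
        if [ "$ptype" -ne 0 ]; then
            printf '%d 0x%02x %d %d\n' "$i" "$ptype" "$start" $((start * SECTOR_SIZE))
        fi
    done
}

# mount_cmd IMAGE INDEX DIR: print the mount command for one partition.
# "ro" is this example's choice, so examining the dump cannot modify it.
mount_cmd() {
    part_offsets "$1" | while read -r idx ptype start bytes; do
        if [ "$idx" = "$2" ]; then
            echo "mount -o ro,loop,offset=$bytes $1 $3"
        fi
    done
}

# make_sample FILE: constructed one-sector image with a FAT32 entry at
# sector 8192 and a Linux entry at sector 264192 (the post's start sector).
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\000\000\000\000\014\000\000\000\000\040\000\000\000\000\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\000\000\000\000\203\000\000\000\000\010\004\000\000\000\000\000' |
        dd of="$1" bs=1 seek=462 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

if [ $# -ge 1 ]; then part_offsets "$1"; fi
```

Run against a real dump as `sh script.sh pi.img`; the fourth column is the value for the mount offset option.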
1 SD drive down...1,978 to go.
SANS Note: Josh is teaching SANS SEC575: Mobile Device Security and Ethical Hacking in April 2017 at SANS 2017 in Orlando, FL.