10

Say I have a disk image (possibly partitioned) that I have permission to read. However, I don't have permission to mount it via loopback*. In theory, the data is all there; I could write code that resembles the Linux kernel's, partition editors' and mount's own code to parse the image, look for partitions, interpret the filesystem and extract a file. But does such a tool already exist for GNU/Linux systems?

*Really, I'm in the position of writing tools to deal with it, and I don't want to (a) assume that the user of those tools can sudo and (b) require them to sudo where it might not be necessary.

(If the answer changes depending on filesystem, ext2-4 is more important to me. But answers that cover multiple popular filesystems will be preferred.)

detly
  • 5,160

2 Answers

9

7z (from p7zip) can unpack disk and filesystem images from many, but not all, common VM disk images, partitioning schemes, and file formats. https://www.7-zip.org/ has the list (and can be used from Windows; p7zip is the Linux/POSIX port).

Note that it's usually a two-step process:

$ 7z l [raw HD image file]

Path = [raw HD image file]
Type = MBR
Physical Size = 42949672960

   Date      Time    Attr         Size   Compressed  Name

                    .....    104857600    104857600  0.ntfs
                    .....  42842718208  42842718208  1.ntfs
                    .....      1048576      1048576  2

                           42948624384  42948624384  3 files

Next step:

$ 7z x [raw image file] 0.ntfs
Extracting archive: [raw Image file]

Finally

$ 7z l 0.ntfs

Scanning the drive for archives:
1 file, 104857600 bytes (100 MiB)

Listing archive: 0.ntfs

--
Path = 0.ntfs
Type = NTFS
Physical Size = 104857600
Label = System Reserved
File System = NTFS 3.1
Cluster Size = 4096
Sector Size = 512
Record Size = 1024
Created = 2013-09-10 16:20:30
ID = 591300999067013540

   Date      Time    Attr         Size   Compressed  Name

2013-09-10 16:20:30 ..HS.       262144       262144  [SYSTEM]/$MFT
[Lots of files]
2013-09-10 16:23:30 .RHSA         8192         8192  BOOTSECT.BAK

2014-10-14 16:35:50           23880514     23957604  56 files, 31 folders
2013-09-10 16:20:30            1314956      1318920  3 alternate streams
2014-10-14 16:35:50           25195470     25276524  59 streams

nke
  • 91
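The first step of the answer above (locating partitions inside a raw image and pulling one out as a standalone file such as 0.ntfs) needs nothing beyond read access to the image. The following Python is an added example, not part of the original answer and not 7-Zip's code: it parses the primary MBR table, checks a partition for the ext2/3/4 superblock magic, and carves the partition out. The function names, the 512-byte sector size and the sample image are assumptions made for this illustration.

```python
import io
import struct

SECTOR = 512  # assumed logical sector size (matches "Sector Size = 512" in the listing)

def parse_mbr(image):
    """Return [(index, type, start_byte, size_bytes)] for used primary MBR entries.
    Extended partition chains and GPT (protective entry, type 0xEE) are not followed."""
    image.seek(0)
    mbr = image.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        # Layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        _status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append((i, ptype, lba * SECTOR, count * SECTOR))
    return parts

def is_ext(image, start):
    """True if an ext2/3/4 superblock magic (0xEF53) sits at partition offset 1024 + 56."""
    image.seek(start + 1024 + 56)
    return image.read(2) == b"\x53\xef"

def carve(image, start, size, out, chunk=1 << 20):
    """Copy size bytes beginning at start into out; fail loudly on a truncated image."""
    image.seek(start)
    left = size
    while left:
        buf = image.read(min(chunk, left))
        if not buf:
            raise ValueError("image ends before the partition does")
        out.write(buf)
        left -= len(buf)
    return size

def demo_image():
    """Constructed sample: 1 MiB image, one type-0x83 partition at sector 8, 16 sectors long."""
    img = bytearray(1 << 20)
    img[446:462] = struct.pack("<B3xB3xII", 0x00, 0x83, 8, 16)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 1024 + 56:8 * SECTOR + 1024 + 58] = b"\x53\xef"  # fake ext magic only
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # read-only; no loop device, no root
        for idx, ptype, start, size in parse_mbr(f):
            print(f"{idx}: type=0x{ptype:02x} start={start} size={size} ext={is_ext(f, start)}")
```

Treat the table as untrusted input: an entry may point past the end of the image, which is why `carve` raises instead of silently writing a short file.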
4

ext[234]

If in the root directory of /dev/whatever is a file foo:

debugfs -f <(echo cat /foo) /dev/whatever | tail -n +2 > /restore/file

general approach

A general approach would be to create a VM with two disk drives (files in raw mode), one being the image (given to the VM read-only) and another one for restoring the file (if you cannot use networking for transferring it).

You should be able to boot from the image (if not: create a VM with three disk drives, one for booting) and thus be easily capable of accessing the filesystem.

As you cannot mount, you have to write the data in some form which is recognizable without a filesystem, e.g.

tar -cf /dev/vdc /etc/passwd

On the host you can simply read the image file:

tar -xf imagefile.img

tar recognizes the end of the archive and ignores the rest of the file.

Hauke Laging
  • 90,279