0

I have several dd images from a single drive. One of them is the swap. I mounted all of the images in Ubuntu just fine except for the image of the swap. This is how the dd images break down: hda8 is /, hda1 is /boot, hda6 is /home, hda5 is /usr, hda7 is /var, and hda9 is swap.

The command I used was: sudo mount -o loop,ro hda1.dd /mnt/Linux

I mounted each image in the order listed above so that it all appears as a single drive.

When I try to mount the swap image it fails with the error: dev/loop5 looks like swap space - not mounted. You must specify the file system type.

Any suggestions?

Todd7912
  • You don't "mount" swap space. What are you trying to do with an image of swap space? – Michael Hampton May 16 '16 at 02:15
  • It is part of the forensic image exercise from an original disk. I am attempting to add it for examination. – Todd7912 May 16 '16 at 02:17
  • 1
    Again it cannot be mounted. Either there is something important in this image and you may want a professional to look at it, or this is a learning exercise for tools like a hex editor and possibly Sleuth Kit. – John Mahowald May 16 '16 at 04:10

3 Answers

1

For Linux swap forensics you can work on the device itself without mounting it. You should have a look at swap_digger, which will dump all swap strings and attempt to find cleartext passwords and other data in there.

martabac
0

Swap space does not contain a filesystem, therefore it is not mounted. Mounting a filesystem means making visible the file and directory structure so that you can navigate and manipulate files. But swap space does not contain files; its data is organized more like pages in memory, in other words raw data that the operating system/memory management system knows about but the "mount" command does not.

Michael Martinez
0

You can use swapon hda9.dd

http://man7.org/linux/man-pages/man8/swapon.8.html

With this approach, any data remanence in the swap file may be overwritten by the system, so if the purpose is to inspect the swap content, you should avoid this and view the content with a hex editor or other forensic tools.

Marco Marsala
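The read-only examination the answers point to, as an added example that is not part of any answer above: it confirms that an image such as hda9.dd is swap by locating the signature in the last 10 bytes of the first page, decodes the version 1 header fields, and lists printable strings from the pages that follow, without mounting or activating anything. The function names and the two-page sample image are constructed for illustration; little-endian byte order and the listed candidate page sizes are assumptions.

```python
import re
import struct
import uuid

PAGE_SIZES = (4096, 8192, 16384, 65536)   # candidate page sizes (assumption)
MAGICS = (b"SWAPSPACE2", b"SWAP-SPACE")   # v1 and legacy v0 signatures

def parse_swap_header(buf):
    """Return header fields if buf starts with a Linux swap header, else None."""
    for page_size in PAGE_SIZES:
        magic = buf[page_size - 10:page_size]   # signature ends the first page
        if magic in MAGICS:
            break
    else:
        return None
    info = {"magic": magic.decode(), "page_size": page_size}
    if magic == b"SWAPSPACE2":
        # v1 fields follow 1024 reserved bytes; little-endian assumed (x86 disk)
        version, last_page, nr_bad = struct.unpack_from("<III", buf, 1024)
        info.update(version=version, last_page=last_page, nr_badpages=nr_bad,
                    uuid=str(uuid.UUID(bytes=bytes(buf[1036:1052]))),
                    label=buf[1052:1068].split(b"\0")[0].decode("ascii", "replace"))
    return info

def printable_strings(buf, start, min_len=6):
    """Yield (offset, text) for runs of printable ASCII found after `start`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf[start:]):
        yield start + m.start(), m.group().decode("ascii")

def examine(path, max_bytes=64 * 1024 * 1024):
    """Read the image read-only; return header and strings from the first max_bytes."""
    with open(path, "rb") as f:
        buf = f.read(max_bytes)
    hdr = parse_swap_header(buf)
    if hdr is None:
        raise ValueError("no swap signature found")
    return hdr, list(printable_strings(buf, hdr["page_size"]))

def build_sample_image(page_size=4096):
    """Constructed two-page swap image used as sample input."""
    page0 = bytearray(page_size)
    struct.pack_into("<III", page0, 1024, 1, 1, 0)   # version, last_page, nr_badpages
    page0[1036:1052] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    page0[1052:1056] = b"swap"
    page0[-10:] = b"SWAPSPACE2"
    page1 = bytearray(page_size)
    page1[100:123] = b"user=alice session=test"
    return bytes(page0 + page1)
```

Calling `examine("hda9.dd")` on a working copy of the image returns the header dictionary and the string hits with their byte offsets, which can then be checked in a hex editor.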