CarlosM KB

A fairly disorganized collection of articles and links...


Mounting DD Images for Forensic Analysis

I have created disk images for forensic purposes (artifact analysis and such). The question is: given a "dd" image created from the whole, raw device, how do I mount individual partitions?

Let's say that the device I want to analyze resides in /dev/sdc, that I have some large storage mounted under /mnt/largedisc, and that I have created the forensic image using the following command:

# dd if=/dev/sdc of=/mnt/largedisc/mycopy.dd bs=512

When this command ends (it can take up to several hours depending on the size of the disk being imaged), I will have a file that is an exact byte-by-byte image of the raw device.

In my case, /dev/sdc had two partitions. I was able to mount the first one using the following command:

# mount -o ro,loop,offset=32256 /mnt/largedisc/mycopy.dd /mnt/dir1

I am using the loop device, and the flag "ro" makes sure that the mount will be read-only (a must when doing forensics). The only difficulty here is the number "32256". How did I get it? Simple: use "fdisk" to view the partition layout, take the partition's "start" value in sectors (in my case 63), multiply it by the sector size (usually 512 bytes), and use the result as the offset.

How do I run fdisk on a dd image? That is simple, too:

# sfdisk -l -uS /mnt/largedisc/mycopy.dd

Be careful when copying the much larger numbers you will get as offsets for the rest of the partitions.
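The whole procedure above (list the partitions in sectors, multiply each start sector by the sector size, mount read-only on a loop device at that offset) as an added shell example; this is not code from the original post. It parses the output of "sfdisk -l -uS" on stdin, so the copying of large offsets by hand goes away. The image path, the mount base directory, and the sfdisk output embedded as SAMPLE_SFDISK (its start sectors and sizes) are constructed for this example; the script defaults to only printing the mount commands (DRY_RUN=1) so that nothing is mounted until you have checked them.

```shell
#!/bin/sh
# Added example (not from the original post): derive read-only loop-mount
# commands for every partition of a raw dd image from "sfdisk -l -uS" output.
# Real usage:  sfdisk -l -uS image.dd | mount_commands image.dd /mnt/evidence

# "sfdisk -uS" prints start values in sectors; 512 bytes is the usual size.
# Override with SECTOR_SIZE=4096 for a 4Kn device (assumption: check the
# "Sector size" line that sfdisk prints for the image).
SECTOR_SIZE=${SECTOR_SIZE:-512}

# list_offsets IMAGE: reads sfdisk output on stdin and prints one line per
# partition: "<number> <start sector> <byte offset>".  A partition line is one
# whose first field is the image path followed by the partition number.
list_offsets() {
    image=$1
    awk -v img="$image" -v ss="$SECTOR_SIZE" '
        index($0, img) == 1 && substr($1, length(img) + 1) ~ /^[0-9]+$/ {
            n = substr($1, length(img) + 1)
            start = ($2 == "*") ? $3 : $2        # skip the optional boot flag
            # %.0f keeps large offsets exact instead of printing 2.05632e+08
            if (start ~ /^[0-9]+$/) printf "%s %s %.0f\n", n, start, start * ss
        }'
}

# mount_commands IMAGE BASE: mounts partition N read-only at BASE/pN, using
# the loop device with the computed byte offset.  With DRY_RUN=1 (the default)
# the mount commands are printed rather than executed.
mount_commands() {
    image=$1
    base=$2
    list_offsets "$image" | while read -r n start offset; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "mount -o ro,loop,offset=$offset $image $base/p$n"
        else
            mkdir -p "$base/p$n" &&
                mount -o ro,loop,offset="$offset" "$image" "$base/p$n"
        fi
    done
}

# Constructed sample of "sfdisk -l -uS" output for a two-partition image
# (values invented for this example; same column layout as util-linux sfdisk).
SAMPLE_SFDISK='
Disk /mnt/largedisc/mycopy.dd: cannot get geometry
Units = sectors of 512 bytes, counting from 0

   Device Boot      Start         End   #sectors  Id  System
/mnt/largedisc/mycopy.dd1   *         63      401624     401562  83  Linux
/mnt/largedisc/mycopy.dd2         401625     4192964    3791340  83  Linux
'

# demo: run the parser over the constructed sample in dry-run mode.
demo() {
    printf '%s\n' "$SAMPLE_SFDISK" | mount_commands /mnt/largedisc/mycopy.dd /mnt/evidence
}

demo
```

For the first sample partition the script reproduces the post's 63 * 512 = 32256; for the second it prints offset 205632000, the kind of number that is easy to mistype by hand. On a current util-linux the same result can be had without computing offsets, by attaching the image read-only with partition scanning ("losetup --find --show --read-only --partscan image.dd") and mounting the resulting /dev/loopNpM nodes with "-o ro"; the offset method still works on older systems and is what the post describes.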


ts: 1273009233