Disk-Imaging

From wikipost
Jump to navigation Jump to search

At some stage you may want to take a snapshot image of a complete disk drive, including boot sector. There are various ways of doing this but this page lists my preferred tools to do the job.

All these tools require the disk to be fully accessible (i.e. don't have the operating system running on the disk you want to image)

Beware that if Windows doesn't understand a filesystem (ext2, ext3, etc..) it will prompt you to 'Initialise' (FORMAT!) the disk. This is almost never what you want, so cancel whatever windows throws at you in these cases.


Take a disk image

  • on Linux

Using dd (usually already installed on most Linux systems)

- find out what the disks are called by doing a cat on /proc/partitions

- use the device name without partitions to use the whole disk (assumes MBR) (e.g. /dev/sdb)

dd if=/dev/sdb of=/data/mydiskimage.dd bs=1M


  • on Windows

Using Win32DiskImager (freeware), download from here: http://sourceforge.net/projects/win32diskimager/ (size: about 12MB)

- pretty simple to use

- most often already selects external media by drive letter.

- Don't worry if windows doesn't show you all partitions as it probably can't read them (ext2, ext3, etc..)


Using dd (freeware), download from here: http://www.chrysocome.net/dd

- command-line utility, so open a DOS box first.

- Similar syntax should apply here as per the dd command used in Linux

- Find out disk name information using the --list argument (see above website)

Restore a disk image

  • on Linux
dd if=/data/mydiskimage.dd of=/dev/sdb bs=1M


  • on Windows

Using dd (freeware), download from here: http://www.chrysocome.net/dd (size: about 200kB)

- command-line utility, so open a DOS box first.

- Similar syntax should apply here as per the dd command used in Linux

- Find out disk name information using the --list argument (see above website)


Using Win32DiskImager

- pretty simple to use, most often already selects external media by drive letter.


If the target disk is smaller than the original disk

If the target disk you want to restore an image to is smaller in size than the original disk you took the image from you will run into some error messages telling you that the original image is too big. The dd command will simply throw some warning messages but tries to do as much as possible. However Win32DiskImager will not even do this. Read on if you really need to use Win32DiskImager to restore the image.

From this point on I will just assume that you understand the dangers of possible data loss, etc..

To truncate the image so you can use Win32DiskImager to restore to a smaller disk you simply create a new image from the existing image but read less data from it. We can do this with the dd command as follows:

dd if=/data/bigimage.dd of=/data/smallimage bs=1M count=xxxx

..where count=xxxx is the number of Megabytes that will fit on the smaller target drive. You may need to experiment with this to minimise the loss of data while still being able to fit it on the smaller disk.

Look inside a disk image

  • on Linux

Using mount (usually already installed on most Linux systems)


Before we can mount a partition that's inside a dd image we need to know the disk layout. If we still have the original disk handy at /dev/sdb we can simply issue:

fdisk /dev/sdb -l

Disk /dev/sdb: 3.7 GiB, 3951034368 bytes, 7716864 sectors
Disk model: STORAGE DEVICE  
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000714e9

Device     Boot  Start     End Sectors  Size Id Type
/dev/sdb1         8192  122879  114688   56M  c W95 FAT32 (LBA)
/dev/sdb2       122880 7290879 7168000  3.4G 83 Linux

However, if the dd image is the only thing you have then you'll have to tell fdisk to look at the dd image rather than a device, like so:

fdisk myimage.dd -l

Disk myimage.dd: 3.7 GiB, 3951034368 bytes, 7716864 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x000714e9

Device         Boot  Start     End Sectors  Size Id Type
myimage.dd1           8192  122879  114688   56M  c W95 FAT32 (LBA)
myimage.dd2         122880 7290879 7168000  3.4G 83 Linux

Same thing.

In order to mount a specific partition within a dd image we can invoke the 'mount' command with an 'offset' parameter. This offset is used to skip a number of Bytes within the dd image to jump to the beginning of a partition. Fdisk lists each partition offset in sectors in the 'Start' column. This number is the Sector number at which the partition begins. Now look closely in the output of the fdisk command and confirm the size of a sector, in the above example each sector is 512 bytes. If we now multiply the Start sector number by 512 Bytes we get the offset in Bytes where the partition begins.

For example, to mount the second partition in the above example we multiply 122880 x 512 = 62914560 to find the offset in Bytes. We can then issue the mount command as follows:

mount -o loop,offset=62914560 mydiskimage.dd /mnt



  • on Windows

Since Windows natively cannot read ext2 filesystems a third-party driver is required.

- grab the Windows Ext2Fsd driver (freeware) from here: http://www.ext2fsd.com/?page_id=7

- Downloading and running the Ext2Fsd-xxxx.exe is the easiest way. The file size is about 1MB

- tick all boxes to support read/write access and automatic loading of the driver at startup.


Since Windows does not know how to mount an image a third-party tool is required.

- grab OFSmount (freeware) from here: http://www.osforensics.com/tools/mount-disk-images.html

- Either use the 32-bit or 64-bit version depending on your version of windows. The file size is about 2MB


Once these programs are installed it is simply a matter of opening a partition of the image file with OFSmount and the ext2, ext3 directories will be mounted as a normal Drive-Letter in Windows. You can then use Windows (file) Explorer to navigate through the mounted image files and directories.

Make sure to unmount the image when done.