Programmatically extract files from dd image in C

Question

I have a few dd images and I wanted to know the best way of extracting files out of these using C. The images are of mixed file systems (fat32, ntfs, ext2/3) and the host machine doing the extraction would be an Ubuntu box, so you can assume kernel headers and GNU C library, etc.

Natively would be best, but external libraries that do the job would also be fine. A link to an example would be perfect.

Answer 1

Look at The Sleuth Kit, which should work with all of the file system types you listed:

The original part of Sleuth Kit is a C library and collection of command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown. It runs on Windows and Unix platforms.

The Sleuth Kit's existing toolset is a great place to start if you're looking for sample code to work from.

Answer 2

Check out:

• ext2fuse or fuse-ext2 projects, they contain some ext2/ext3 implementations on user space using FUSE.
• ntfs-3g, an NTFS implementation also using FUSE.
• FUSE itself, as there are lots of filesystem implementations on top of it.

Answer 3

Why programatically with C?

sudo mount -o loop,offset=[offset] -t auto [where] [what]

Where

offset is the offset in bytes from the beginning of the disk, in bytes

where is where on the current filesystem to mount the image

what is the disk image you're mounting

Answer 4

This is a significant effort. You'd have to essentially reimplement filesystem drivers for NTFS, FAT, and EXT2. I've done this for FAT and NTFS, but it took more than two years, though much of that was reverse engineering NTFS.

Consider using the file mount option of the mount command so you can use the Ubuntu filesystem drivers and not reinvent the significantly large wheel. Then you can peruse the mounted filesystems.