Mounting E01 images of physical disks in Linux Ubuntu 12.04

Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+

The E01 image format, also known as the Expert Witness Format or the EnCase

Image Format is perhaps the de facto standard for forensic analysis. Is it a format owned by

Guidance Software containing a bitstream of an acquired disk, case information, checksums

for every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream. The

E01 format allows for compression which lessens the number of image files generated during

the acquisition process and saves space.

If the E01 format is your preferred format for acquiring media, then you have noticed

that mounting the volumes contained in an E01 image always requires that one extra

conversion step. In Linux, the program Xmount is the solution. Xmount allows you to convert

on-the-fly between multiple input and output hard disk image types. In other words, Xmount

can take an E01 and magically make it appear as a DD on the other end, all while maintaining

the integrity of the data.

Xmount can also turn an E01 into a VDI (Virtual Box Disk), and redirect writes to a

cache file. This makes it for example, possible to use Virtual Box to boot an Operating

System contained in a read-only E01 image. Converting an E01 into a Virtual Machine is

beyond the scope of this article.

Today we will discuss the steps required to convert an E01 into a DD, on-the-fly, and

then mounting the volume inside of the DD. For the purposes of this article I used an

examination computer with Ubuntu 12.04 installed on it.

The Goal:

The ultimate purpose of mounting the volume inside of the image is to make the

volume accessible to software. While forensic software can read an E01 directly, other

software might need access to the volume’s directory structure or files. For example, a virus

scanner will need access to the entire directory structure, while a registry viewer will need

direct access to the registry hives themselves.

Installing the tools:

All of the tools that we will use are either included in Ubuntu by default, or can be

downloaded from the Ubuntu Software Center. The tools that we will need to accomplish this

task are Mount, Md5sum, and Xmount. Mount and Md5sum come pre-installed in Ubuntu, so

let’s head over to the Ubuntu Software Center for Xmount.

Click on the Dash Home circle, located on the top left of your screen, type in “software”

and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box on the top-right

corner of your screen. Type “xmount” and click on the install button. You will be prompted for

your root password. Enter your root password and wait for the program to install.

Now that we have the program that we need, close the Ubuntu Software Center. The

next step is to prepare a working folder for our image. Go to your desktop, right click on your

desktop and select “create new folder”, name it “Test”.

Now find an E01 that we can mount. Find an image of an operating system, the

smaller the better, and copy it to your “Test” folder. For the purposes of the article, I used a

previously acquired E01 of a Windows 7 installation that I use for testing.

The details of the image are the following:

Notice that the size of the media was 11,535,384,576 bytes, about 11.5 GB. Also

notice that during the acquisition I used best compression. At the time of acquisition, my test

image compressed down to about 2.7 GB, split into 1.5 GB chunks. Splitting the image into

chunks resulted in the image being spanned into two segments. The md5 of the image is

f4c1d94908b15203b9cee0d8f189cf12. This MD5 should not change at any point.

Ok, here we go! Open a Terminal Window. In Ubuntu you can accomplish this by

pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.

Once the terminal window is open, we need to navigate to the previously created Test

folder on the desktop. We will use the CD command to change directory into the desktop.

Type the following into the terminal.

cd /home/carlos/Desktop/Test/

Replace “carlos” with the name of the user account you are currently logged on as.

After doing so, press enter.

The dollar sign after Test indicates that “Test” is your current directory, exactly what we

wanted. Let’s see if we have the image in our current directory. For that we will use the LS

command, which stands for list (files). Type “ls” and press enter.

Notice that we are in the test directory and yes, we do have the image in our directory.

We are almost ready to mount the image with Xmount. But before we do that, we need to

designate a location where we can temporarily mount the image. To do that we need to

create a mount directory. To keep things simple, let’s create a directory called “xmount” in the

root of the mnt folder. We will accomplish this with the following command.

sudo mkdir /mnt/xmount

Mkdir is the command that makes directories. The mnt folder is a good place to create

temporary mount points. Sudo gives fdisk superuser privileges for the operations. Press

enter and type your root password (if needed). If everything worked and you get your cursor

back without errors, then you can assume that the command that you entered was carried out

as ordered.

Now we can use Xmount to mount the E01 into the /mnt/xmount directory. We will

accomplish it with the following command

sudo xmount --in ewf Windows7NTFS.E?? /mnt/xmount/

Explanation: You have to specify all image segments. In this example we have more

than one segment so we must use “E??” as the file extension, to specify the segment files.

Also, replace “Windows7NTFS” with the name of your image. Press enter and type your root

password (if needed).

If everything worked and you get your cursor back we can move on. Change directory

into the /mnt/xmount directory with the below command, followed by enter.

cd /mnt/xmount/

I got these results.

Type “ls -l” and press enter. LS is the list files command. The flag -l uses a long listing

format

Notice that our E01 has been “magically” converted to a DD, on-the-fly. Before we

move any further, let’s verify the integrity of the data. Converting the E01 to a DD should not

have changed any of the data in our image. The best way to confirm this, is by conducting an

md5sum of the data. Type the below command into the terminal (with the name of your DD),

press enter. The larger your image, the longer you will have to wait.

md5sum Windows7NTFS.dd

Mine took about five minutes to verify.

Notice that the md5 matches. Now we can move on to the final step of mounting the

volume(s) inside of the image. Even if your image has multiple volumes inside of it, you will

be able to mount any of them, one at a time. To mount the volume of your choice from within

the image you will need to specify an offset to the volume into the image file. You can get this

offset by running fdisk against the image to obtain the starting sectors for each volume. Type

the below command into the terminal and press enter, type your root password (if needed).

sudo fdisk -l Windows7NTFS.dd

Fdisk is a partition table manipulator for Linux. The flag -l lists the partition tables for

the specified devices. These are my results.

Notice that the NTFS volume inside of my DD starts at sector 2048. The offset must

be specified in bytes, so now you must take the starting sector offset, in this instance 2048,

and multiply it by 512 bytes. From this we obtain 1048576. We now have the information that

we need to mount the volume inside on the image. But before we do that, we need to

designate a location where we can temporarily mount the volume. To do that, we need to

create another mount directory. To keep things simple, let’s create a directory called DD in

the root of the mnt folder. Type the below command into the terminal and press enter, type

your root password (if needed).

sudo mkdir /mnt/dd/

Again, if you got your cursor back then everything went well. The DD directory was

created at /mnt/dd and your current directory is still /mnt/xmount.

We finally get to mount the mount the volume inside of the DD. Mount the volume with

the below command.

sudo mount -t ntfs -o ro,offset=1048576 Windows7NTFS.dd /mnt/dd/

Mount is the command to mount a filesystem. The flag -t tells mount which filesystem

you are mounting, which in this case in an NTFS filesystem. The -o flag specifies the options

for mounting. In this instance we opted to mount it as a “ro” read-only file system and we also

told mount to look at byte offset 1048576, which is the beginning of the volume. The options

following the -o flag must be separated only by a comma. Press enter, type your root

password (if needed).

Now navigate to the DD directory. We will again use the CD command to change

directory into the DD directory. Type the following into the terminal and press enter.

cd /mnt/dd/

I got these results.

Type “ls -l” and press enter. The flag -l uses a long listing format.

carlos@XPS-M1330:/mnt/dd$ ls –l

There you have it. Now your volume is mounted in a read-only mode available for any

action that you deem necessary. You can continue in the terminal or navigate the directory

structure through Nautilus. You can copy out files, conduct virus scans, browse registry files,

or anything else that your investigation calls for.

Finishing touches... To unmount the volume, cd into your home folder with the command cd and enter, followed by the below command. Note: The unmount command in terminal is actually spelled umount (without the n).

sudo umount /mnt/dd/

Now that the volume is unmounted, let’s conduct one last test. Cd back into you

xmount directory and conduct another md5sum to confirm that your DD did not change

The md5 still matches.

If this procedure worked for your case, and you are able to use it in the course of your

investigation, we would like to hear from you. Please post your comments or email the author

of this article at carlos@epyxforensics.com