Article describing the process of converting an E01 into a DD on the fly and then mounting the volumes inside the DD on Linux Ubuntu 12.04.
Mounting E01 images of physical disks in Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
The E01 image format, also known as the Expert Witness Format or the EnCase
Image Format, is perhaps the de facto standard for forensic analysis. It is a format owned by
Guidance Software containing a bitstream of an acquired disk, case information, CRC checksums
for every block of 64 sectors, and a footer with an MD5 hash of the entire bitstream. The
E01 format allows for compression, which lessens the number and size of the image files generated during
the acquisition process and saves space.
If the E01 format is your preferred format for acquiring media, then you have noticed
that mounting the volumes contained in an E01 image always requires one extra
conversion step. In Linux, the program xmount is the solution. xmount converts
on-the-fly between multiple input and output hard disk image types. In other words, xmount
can take an E01 and magically make it appear as a DD (raw) image on the other end, all while
maintaining the integrity of the data: the E01 is never written to, only read.
xmount can also turn an E01 into a VDI (VirtualBox Disk Image) and redirect writes to a
cache file. This makes it possible, for example, to use VirtualBox to boot an operating
system contained in a read-only E01 image. Converting an E01 into a virtual machine is
beyond the scope of this article.
Today we will discuss the steps required to convert an E01 into a DD on-the-fly and
then mount the volume inside the DD. For the purposes of this article I used an
examination computer with Ubuntu 12.04 installed on it.
The Goal:
The ultimate purpose of mounting the volume inside of the image is to make the
volume accessible to software. While forensic software can read an E01 directly, other
software might need access to the volume’s directory structure or files. For example, a virus
scanner will need access to the entire directory structure, while a registry viewer will need
direct access to the registry hives themselves.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default or can be
downloaded from the Ubuntu Software Center. The tools that we will need to accomplish this
task are mount, md5sum, fdisk and xmount. mount, md5sum and fdisk come pre-installed in Ubuntu, so
let's head over to the Ubuntu Software Center for xmount.
Click on the Dash Home circle, located on the top left of your screen, type in “software”
and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box in the top-right
corner of your screen. Type "xmount" and click on the install button. You will be prompted for
your password. Ubuntu does not set a separate root password by default; the password it asks for
is the one for your own account, which sudo uses to grant administrative rights. Enter it and
wait for the program to install. (If you prefer the terminal, "sudo apt-get install xmount" does the same thing.)
Now that we have the program that we need, close the Ubuntu Software Center. The
next step is to prepare a working folder for our image. Go to your desktop, right click on your
desktop and select “create new folder”, name it “Test”.
Now find an E01 that we can mount. Find an image of an operating system, the
smaller the better, and copy it to your “Test” folder. For the purposes of the article, I used a
previously acquired E01 of a Windows 7 installation that I use for testing.
The details of the image are the following:
Notice that the size of the media was 11,535,384,576 bytes, about 11.5 GB. Also
notice that during the acquisition I used best compression. At the time of acquisition, my test
image compressed down to about 2.7 GB, split into 1.5 GB chunks. Splitting the image into
chunks resulted in the image being spanned into two segments. The MD5 of the acquired bitstream is
f4c1d94908b15203b9cee0d8f189cf12. This MD5 should not change at any point; every hash we compute
later must match this value.
Ok, here we go! Open a Terminal Window. In Ubuntu you can accomplish this by
pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.
Once the terminal window is open, we need to navigate to the previously created Test
folder on the desktop. We will use the CD command to change directory into the desktop.
Type the following into the terminal.
cd /home/carlos/Desktop/Test/
Replace “carlos” with the name of the user account you are currently logged on as.
After doing so, press enter.
The dollar sign after Test indicates that “Test” is your current directory, exactly what we
wanted. Let’s see if we have the image in our current directory. For that we will use the LS
command, which stands for list (files). Type “ls” and press enter.
Notice that we are in the test directory and yes, we do have the image in our directory.
We are almost ready to mount the image with Xmount. But before we do that, we need to
designate a location where we can temporarily mount the image. To do that we need to
create a mount directory. To keep things simple, let’s create a directory called “xmount” in the
root of the mnt folder. We will accomplish this with the following command.
sudo mkdir /mnt/xmount
mkdir is the command that makes directories. The mnt folder is a good place to create
temporary mount points. sudo runs mkdir with superuser privileges, which are needed to create a
directory under /mnt. Press enter and type your password (if asked). If everything worked and you
get your cursor back without errors, then you can assume that the command you entered was carried out
as ordered.
Now we can use Xmount to mount the E01 into the /mnt/xmount directory. We will
accomplish it with the following command
sudo xmount --in ewf Windows7NTFS.E?? /mnt/xmount/
Explanation: "--in ewf" tells xmount that the input is in Expert Witness Format. You have to
specify all image segments. In this example we have more than one segment, so we use "E??" as the
file extension; the shell expands it to Windows7NTFS.E01, Windows7NTFS.E02 and so on, in order, and
xmount receives the complete list. Also, replace "Windows7NTFS" with the name of your image. Press
enter and type your password (if asked).
If everything worked and you get your cursor back we can move on. Change directory
into the /mnt/xmount directory with the below command, followed by enter.
cd /mnt/xmount/
I got these results.
Type "ls -l" and press enter. ls is the list files command; the flag -l uses a long listing
format.
Notice that our E01 has been "magically" converted to a DD, on-the-fly. Before we
move any further, let's verify the integrity of the data. Converting the E01 to a DD should not
have changed any of the data in our image. The best way to confirm this is to compute an
md5sum of the DD and compare it with the hash recorded at acquisition. Type the below command into
the terminal (with the name of your DD) and press enter. The larger your image, the longer you will
have to wait, because every byte of the decompressed image has to be read. If md5sum reports
"Permission denied", the FUSE mount created by xmount is only visible to root; run the same command
with sudo.
Notice that the MD5 matches. Now we can move on to the final step of mounting the
volume(s) inside the image. Even if your image has multiple volumes inside it, you will
be able to mount any of them, one at a time. To mount the volume of your choice from within
the image you will need to specify the byte offset of the volume inside the image file. You can get this
offset by running fdisk against the image to obtain the starting sector of each volume. Type
the below command into the terminal and press enter, then type your password (if asked).
sudo fdisk -l Windows7NTFS.dd
Fdisk is a partition table manipulator for Linux. The flag -l lists the partition tables for
the specified devices. These are my results.
Notice that the NTFS volume inside my DD starts at sector 2048. The offset must
be specified in bytes, so now you must take the starting sector, in this instance 2048,
and multiply it by the sector size. fdisk prints the sector size on its "Units" line; here it is
512 bytes, which gives 2048 * 512 = 1048576. Do not assume 512: an image of a disk with 4096-byte
sectors reports 4096 on that line, and multiplying by 512 would point mount at the wrong place.
We now have the information that we need to mount the volume inside the image. But before we do
that, we need to designate a location where we can temporarily mount the volume. To do that, we
need to create another mount directory. To keep things simple, let's create a directory called dd in
the root of the mnt folder. Type the below command into the terminal and press enter, then type
your password (if asked).
sudo mkdir /mnt/dd/
Again, if you got your cursor back then everything went well. The DD directory was
created at /mnt/dd and your current directory is still /mnt/xmount.
We finally get to mount the volume inside the DD. Mount the volume with
the below command.
sudo mount -t ntfs -o ro,offset=1048576 Windows7NTFS.dd /mnt/dd/
mount is the command to mount a filesystem. The flag -t tells mount which filesystem
you are mounting, which in this case is an NTFS filesystem (on Ubuntu the ntfs type is handled by the
ntfs-3g driver). The -o flag specifies the options for mounting. In this instance we opted to mount
it "ro", as a read-only filesystem, and we also told mount to look at byte offset 1048576, which is
the beginning of the volume; mount sets up a loop device at that offset for us. The options
following the -o flag must be separated by commas only, with no spaces. Press enter and type your
password (if asked).
Now navigate to the DD directory. We will again use the CD command to change
directory into the DD directory. Type the following into the terminal and press enter.
cd /mnt/dd/
Type "ls -l" and press enter. The flag -l uses a long listing format.
carlos@XPS-M1330:/mnt/dd$ ls -l
I got these results.
There you have it. Now your volume is mounted in a read-only mode available for any
action that you deem necessary. You can continue in the terminal or navigate the directory
structure through Nautilus. You can copy out files, conduct virus scans, browse registry files,
or anything else that your investigation calls for.
Finishing touches... To unmount the volume, first cd into your home folder with the command
cd followed by enter (a mount point cannot be unmounted while it is your current directory), then
run the command below. Note: the unmount command in the terminal is actually spelled umount (without the n).
sudo umount /mnt/dd/
Now that the volume is unmounted, let's conduct one last test. cd back into your
xmount directory and run another md5sum to confirm that your DD did not change.
The MD5 still matches. When you are done with the image, release the xmount mount as well with
"sudo umount /mnt/xmount/" (after leaving that directory), which ends the on-the-fly conversion.
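The whole procedure above, from xmount through hash verification, offset calculation, read-only mounting and the final unmount, as an added shell example. This is not code from the original article; it assumes xmount with its default raw output, the mount points /mnt/xmount and /mnt/dd used in the article, and segments named <base>.E01, <base>.E02 and so on. The two fdisk outputs embedded in it are constructed samples (the first modelled on the Ubuntu 12.04 format, the second on the newer "Units:" format with 4096-byte sectors) so the offset parser can be exercised without an image or root rights.

```shell
#!/bin/bash
# Added example (not the article's own code). Wraps the xmount -> md5sum -> fdisk -> mount
# steps in functions. Assumed: xmount installed with default raw ("dd") output,
# mount points /mnt/xmount and /mnt/dd, image segments <base>.E01, <base>.E02, ...

# Print the byte offset of partition NUMBER ($1) from "fdisk -l" output read on stdin.
# The sector size comes from fdisk's own "Units" line (both the old "Units = ..." and
# the new "Units: ..." forms end in "= <size> bytes"), so 4096-byte-sector images are
# handled correctly instead of silently assuming 512. Exit status 1 if not found.
partition_offset() {
    awk -v want="$1" '
        /^Units/        { secsize = $(NF - 1) }              # "... = 512 bytes"
        /Device.*Start/ { inrows = 1; next }                 # header of the partition table
        inrows && NF >= 2 && match($1, /[0-9]+$/) {
            num   = substr($1, RSTART)                       # trailing partition number
            start = ($2 == "*") ? $3 : $2                    # skip the Boot "*" column
            if (num == want) {
                if (!secsize) exit 2                         # no Units line: refuse to guess
                printf "%.0f\n", start * secsize; found = 1; exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# Compare a file's MD5 with the hash recorded at acquisition; non-zero on mismatch.
verify_md5() {
    expected=$1; file=$2
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Expose the E01 as a raw image, verify it, then mount partition N (default 1) read-only.
# Stops before mounting if the hash does not match the acquisition hash.
mount_e01() {
    base=$1; expected=$2; part=${3:-1}
    sudo mkdir -p /mnt/xmount /mnt/dd
    sudo xmount --in ewf "$base".E?? /mnt/xmount/ || return 1
    sudo sh -c "md5sum /mnt/xmount/$base.dd" | awk '{ print $1 }' | grep -qx "$expected" \
        || { echo "MD5 mismatch, not mounting" >&2; return 1; }
    offset=$(sudo fdisk -l /mnt/xmount/"$base".dd | partition_offset "$part") \
        || { echo "partition $part not found" >&2; return 1; }
    sudo mount -t ntfs -o ro,offset="$offset" /mnt/xmount/"$base".dd /mnt/dd/
}

# Undo in reverse order and confirm the raw image hash is unchanged before releasing it.
unmount_e01() {
    base=$1; expected=$2
    cd /                                                     # never umount from inside the mount
    sudo umount /mnt/dd/
    sudo sh -c "md5sum /mnt/xmount/$base.dd" | awk '{ print $1 }' | grep -qx "$expected" \
        || echo "WARNING: MD5 of $base.dd changed" >&2
    sudo umount /mnt/xmount/
}

# Constructed sample fdisk outputs (not real disks) for trying partition_offset offline.
SAMPLE_FDISK_512='Disk Windows7NTFS.dd: 11.5 GB, 11535384576 bytes
255 heads, 63 sectors/track, 1402 cylinders, total 22530048 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disk identifier: 0x1234abcd

           Device Boot      Start         End      Blocks   Id  System
Windows7NTFS.dd1   *        2048    22528000    11262976+   7  HPFS/NTFS/exFAT'

SAMPLE_FDISK_4096='Disk big.dd: 3.7 TiB, 4000787030016 bytes, 976754646 sectors
Units: sectors of 1 * 4096 = 4096 bytes
Sector size (logical/physical): 4096 bytes / 4096 bytes
Disklabel type: gpt

Device      Start       End   Sectors   Size Type
big.dd1       256     65791     65536   256M EFI System
big.dd2     65792 976754612 976688821   3.7T Microsoft basic data'

# Usage: ./mount_e01.sh Windows7NTFS f4c1d94908b15203b9cee0d8f189cf12 [partition]
if [ "$#" -ge 2 ]; then
    mount_e01 "$@"
fi
```

Run it with the image base name and the acquisition MD5; the hash check gates the mount, and unmount_e01 re-hashes the raw image before releasing the xmount mount, which is the same before/after comparison the article performs by hand.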
If this procedure worked for your case, and you are able to use it in the course of your
investigation, we would like to hear from you. Please post your comments or email the author
of this article at [email protected]