Sunday, April 27, 2014

Basic XMount Use

The xmount command is not installed on Ubuntu by default, but it is available from the standard Ubuntu repositories.

$ xmount
The program 'xmount' is currently not installed. You can install it by typing:
sudo apt-get install xmount
$ sudo apt-get install xmount

There are a couple of ways to check whether a piece of software is installed when you aren't sure.  You can simply run the command and see what happens, as I did above, but it is often more helpful to run it with a -V option to print the version (that does not work with xmount, but it does with many other Linux tools, including the Sleuth Kit commands), or to run the which command followed by the command name to see where the binary is installed.

$ which xmount
$ mmls -V
The Sleuth Kit ver 4.1.3

So let's get into xmount.  In this example xmount takes the place of the ewfmount command.

$ xmount --in ewf nps-2008-jean.E?? /E01Mnt/RAW/
$ ls /E01Mnt/RAW/

Let's break this down.  We have to tell xmount which input type we are using (--in ewf); xmount can read ewf, dd (raw), and aff (Advanced Forensic Format) images.  We also need to be sure that every segment of the E01 set is passed to the tool.  The ? in nps-2008-jean.E?? is a shell wildcard, not a variable: the shell expands it to match any single character, so the .E01 and .E02 files (and any later segments in the directory) are all handed to xmount together.  Finally we provide a mount point, an existing empty directory, where the raw view of the image will appear.  After mounting, I used the ls command to show the files at that location.  Unlike ewfmount, which exposes a single ewf1 file, xmount gives us two files: nps-2008-jean.dd is the raw data (exactly like the ewf1 file when using ewfmount), and alongside it is a .info file.

$ cat /E01Mnt/RAW/*.info
The following values have been extracted from the mounted image file:

Description: Jean's hard drive from the first M57 project
Examiner: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 16:38:29 2011
System date: Mon Jan 31 16:38:29 2011
Acquiry os: Darwin
Acquiry sw version: 20101104

MD5 hash: 78a52b5bac78f4e711607707ac0e3f93

The cat command just prints the .info file to the terminal.  It contains some useful details about the image, such as the MD5 hash computed at acquisition and the acquisition date and time, along with the notes made by the examiner who acquired it.  We can confirm that the raw data xmount presents is the same as what was acquired by hashing the .dd file with md5sum and comparing the result to the recorded value (this reads the entire image, so expect it to take a while on a large one):

$ md5sum /E01Mnt/RAW/nps-2008-jean.dd

78a52b5bac78f4e711607707ac0e3f93  /E01Mnt/RAW/nps-2008-jean.dd

I know some of this is review, so let's move on.  We now know that the data we are working with is the same data captured during acquisition, and as with ewfmount the next step is to mount the volume we wish to review.  Let's take a look at the volumes in the image before we try to mount anything.

$ mmls /E01Mnt/RAW/nps-2008-jean.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated

We can see here that the NTFS volume starts at sector 63, and mmls tells us the units are 512-byte sectors, so the byte offset we need is 63*512 = 32256.  We will mount this exactly as we mounted it before, except pointing to the .dd file rather than ewf1 and letting the shell do the arithmetic in the offset option.

$ sudo mount -o ro,loop,offset=$((63*512)) /E01Mnt/RAW/nps-2008-jean.dd /E01Mnt/V1

We have successfully mounted the volume read-only at /E01Mnt/V1.  Both layers protect the evidence: the loop mount is read-only, and without a cache file xmount's FUSE view never writes anything back to the E01 files.  We can navigate there and examine the contents of the volume in whatever manner we prefer.
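The two checks in this procedure, comparing the .info hash against md5sum of the .dd and turning the mmls sector offset into a byte offset for mount, are easy to get wrong by hand, so here they are as shell functions.  This is an added example written for this post, not code from xmount or The Sleuth Kit.  It uses only the tools already shown above (md5sum, mmls, sudo mount); the function names are mine, and the sample .info and mmls texts embedded in it are copied from the output shown earlier so the helpers can be exercised without an image on hand.

```shell
#!/bin/sh
# Added example for this post (not part of xmount or The Sleuth Kit).
# info_md5 pulls the acquisition MD5 out of xmount's .info file,
# ntfs_offset_bytes turns mmls output into the byte offset that
# mount -o offset= needs, and verify_image ties the hash check to md5sum.
# The sample texts below are copied from the output shown in the post.

SAMPLE_INFO=$(cat <<'EOF'
The following values have been extracted from the mounted image file:

Description: Jean's hard drive from the first M57 project
Examiner: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 16:38:29 2011
System date: Mon Jan 31 16:38:29 2011
Acquiry os: Darwin
Acquiry sw version: 20101104

MD5 hash: 78a52b5bac78f4e711607707ac0e3f93
EOF
)

SAMPLE_MMLS=$(cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020948759   0020948697   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   Unallocated
EOF
)

# Print the lower-case MD5 recorded in an xmount .info file (read from stdin).
# Prints nothing if there is no MD5 line, so callers can detect that case.
info_md5() {
    sed -n 's/^MD5 hash:[[:space:]]*\([0-9a-fA-F]\{32\}\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Read mmls output from stdin and print the byte offset of the first NTFS
# partition.  The sector size is taken from the "Units are in N-byte sectors"
# line instead of being assumed to be 512; no NTFS entry is an error (exit 1).
ntfs_offset_bytes() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { sub(/-byte.*/, "", $4); unit = $4 + 0 }
        /NTFS/ && $3 ~ /^[0-9]+$/ && !found { start = $3 + 0; found = 1 }
        END {
            if (!found) exit 1
            if (unit == 0) unit = 512
            printf "%d\n", start * unit
        }
    '
}

# verify_image RAW INFO: succeed only if md5sum of the raw image equals the
# hash recorded in the .info file.  Hashing reads the whole image.
verify_image() {
    vi_expected=$(info_md5 < "$2")
    [ -n "$vi_expected" ] || return 1
    vi_actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$vi_expected" = "$vi_actual" ]
}

# mount_first_ntfs RAW INFO VOLDIR: the post's procedure end to end, refusing
# to mount if the hash does not match.  Needs mmls and root; the xmount step
# itself is done beforehand.  Assumed usage, with the paths from the post:
#   mount_first_ntfs /E01Mnt/RAW/nps-2008-jean.dd /E01Mnt/RAW/*.info /E01Mnt/V1
mount_first_ntfs() {
    mf_raw=$1
    mf_info=$2
    mf_vol=$3
    verify_image "$mf_raw" "$mf_info" || { echo "hash mismatch, refusing to mount" >&2; return 1; }
    mf_off=$(mmls "$mf_raw" | ntfs_offset_bytes) || { echo "no NTFS partition found" >&2; return 1; }
    sudo mount -o ro,loop,offset="$mf_off" "$mf_raw" "$mf_vol"
}

# Offline check against the sample output copied from the post:
#   printf '%s\n' "$SAMPLE_MMLS" | ntfs_offset_bytes   # 32256
#   printf '%s\n' "$SAMPLE_INFO" | info_md5            # 78a52b5bac78f4e711607707ac0e3f93
```

Reading the sector size from the mmls header rather than hard-coding 512 matters for images of 4K-sector drives, where the same start sector of 63 would be at byte 258048 instead of 32256; the mount would otherwise fail or, worse, land on the wrong structure.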

This just gives us an alternative to the ewfmount command, but xmount is a very capable tool with some other great features.  Xmount can present the E01 image as a vdi (VirtualBox's disk image format), which can then be attached to a virtual machine as its disk.  I will be posting a blog entry on how to do this at a later time.

Xmount can also use a cache file.  This keeps the original image read-only while making the mounted view appear writable, with every change redirected into the cache.  John Lehr has written an excellent post using xmount to repair damaged ext4 file systems on evidence images.  You can find that post here.

That's all for now.
