The other posts have mostly discussed metadata (data about the data). Yes, you could use icat to output the text of a text file or something similar, but how do you see the files the way we are used to seeing them? There are a few ways to do this, but for this post I am going to talk about mounting a volume and browsing the files.
Before we start throwing out commands, let's talk about how this is going to work. First, you will need to have root access on the machine you are using (the sudo command is commonly used to gain temporary superuser status). This is going to be necessary when we begin using the mount command. Next, let's make a few directories. I am going to make these directories in the ROOT ("/") directory of the volume. To do this we will use the Linux mkdir command like this:
$ cd /
$ sudo mkdir E01Mnt
$ ls
bin dev home lib lost+found opt run sys var
boot E01Mnt initrd.img lib32 media proc sbin tmp vmlinuz
cdrom etc initrd.img.old lib64 mnt root srv usr vmlinuz.old
You can see we used the cd command to change to the ROOT directory. Then we created our directory with the mkdir command and listed the files in our ROOT directory with the ls command (that's an LS, not a 1S).
Now we need to create some directories in the /E01Mnt directory like this:
$ cd E01Mnt/
$ sudo mkdir V1 V2 V3 V4 V5
$ sudo mkdir RAW
$ ls
RAW V1 V2 V3 V4 V5
Finally, we will need to make sure that we have permission to access these files. For the purposes of this example I am going to be very lenient with the permissions. If you have multiple people accessing your computer you may want to do some research and see what permission options will be best for your situation:
$ cd /
We changed back to the ROOT directory.
$ sudo chmod -R 777 /E01Mnt/
$ ls -Rl /E01Mnt/
/E01Mnt/:
total 24
drwxrwxrwx 2 root root 4096 Apr 23 18:28 RAW
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V1
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V2
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V3
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V4
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V5
/E01Mnt/RAW:
total 0
/E01Mnt/V1:
total 0
/E01Mnt/V2:
total 0
/E01Mnt/V3:
total 0
/E01Mnt/V4:
total 0
/E01Mnt/V5:
total 0
Using the chmod command with the -R (for recursive) option we can change the permission of all of the newly created directories at once. We have changed the permission of each directory allowing all users and groups to have rwx (read, write, and execute) capabilities. Now that we have the directories with the correct permissions we can proceed. But first, a little explanation of what we are going to do.
Remember when we talked about creating an Expert Witness Format (E01) disk image? The E01 file acts as a container for the raw data. The container stores the raw data along with checksums and information about when and how the E01 file was created. So the first thing we will need to do is expose the RAW data that is inside of the container. To do this we are going to need to have the libewf package installed. The libewf package can be downloaded here and instructions for the installation can be found here. Now:
$ ewfmount nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227
fusermount: failed to open /etc/fuse.conf: Permission denied
The first time you run this you will see this error. Once again we are having a permission issue. To fix this we will need to:
$ sudo chmod 755 /etc/fuse.conf
$ sudo gedit /etc/fuse.conf
The gedit command should open the fuse.conf file in a text editor (for those of you who are using Ubuntu; if you are using another OS you can use your default text editor to make these changes). Please change "#user_allow_other" to "user_allow_other" and save the file. Now we've adjusted FUSE to our liking. Next:
$ sudo umount /E01Mnt/RAW
$ ewfmount -X allow_root nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227
Using the ewfmount command we have just exposed the raw data from the container. That data has been placed in the /E01Mnt/RAW/ directory.
$ ls -l /E01Mnt/RAW/
total 0
-r--r--r-- 1 root root 10737418240 Apr 23 19:03 ewf1
We can still run our standard Sleuth Kit commands against it like this:
$ mmls -B /E01Mnt/RAW/ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size Description
00: Meta 0000000000 0000000000 0000000001 0512B Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 0031K Unallocated
02: 00:00 0000000063 0020948759 0020948697 0009G NTFS (0x07)
03: ----- 0020948760 0020971519 0000022760 0011M Unallocated
$ img_stat nps-2008-jean.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: ewf
Size of data in bytes: 10737418240
MD5 hash of data: 78a52b5bac78f4e711607707ac0e3f93
$ md5sum /E01Mnt/RAW/ewf1
78a52b5bac78f4e711607707ac0e3f93 /E01Mnt/RAW/ewf1
I also decided to show you that the RAW data at /E01Mnt/RAW/ewf1 matches the data in the E01 file. So the next step requires mounting the volume and viewing the contents of the volume. With this file we have only one volume. That volume starts at sector 63 and is an NTFS volume. To mount this volume we will use the Linux mount command like this:
$ sudo mount -o ro,loop,offset=$((63*512)) /E01Mnt/RAW/ewf1 /E01Mnt/V1
The option -o ro makes the mount READ ONLY (so you don't corrupt the original data). offset=$((63*512)) indicates that the volume begins at byte 32256 (sector 63 times 512 bytes per sector). We used the shell's $(( )) arithmetic to do the math for us, but the command could have looked like this:
$ sudo mount -o ro,loop,offset=32256 /E01Mnt/RAW/ewf1 /E01Mnt/V1
So how do we know we were successful? We can use the standard Linux ls command to see if the mount was successful.
$ ls /E01Mnt/V1
AUTOEXEC.BAT IO.SYS ntldr System Volume Information
boot.ini IPH.PH pagefile.sys WINDOWS
CONFIG.SYS MSDOS.SYS Program Files
Documents and Settings NTDETECT.COM RECYCLER
Success is ours. If you look at your file manager you should be able to see the volume and files at /E01Mnt/V1.
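The steps above (read mmls for the sector size and the start sector of each filesystem partition, multiply to get the byte offset, mount read-only, confirm the exposed raw data hashes the same as img_stat reports) can be scripted so the offset arithmetic is not done by hand. The following is an added example written for this post, not the author's code or part of The Sleuth Kit or libewf. It embeds the mmls output shown above as a constructed sample so it runs offline, and it assumes the same paths the post uses (/E01Mnt/RAW/ewf1 and /E01Mnt/V1, V2, ...); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): turn mmls output into the
# read-only loop-mount commands used above, and verify the exposed raw
# data against an expected MD5.

# Constructed sample: the "mmls -B /E01Mnt/RAW/ewf1" output from the post,
# embedded here so the example runs without an image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size Description
00: Meta 0000000000 0000000000 0000000001 0512B Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 0031K Unallocated
02: 00:00 0000000063 0020948759 0020948697 0009G NTFS (0x07)
03: ----- 0020948760 0020971519 0000022760 0011M Unallocated'

# sector_size MMLS_TEXT -> prints the sector size in bytes,
# taken from the "Units are in N-byte sectors" header line.
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors$/\1/p'
}

# byte_offset START_SECTOR SECTOR_SIZE -> prints the start offset in bytes
# (the same arithmetic as offset=$((63*512)) in the post).
byte_offset() {
    echo $(( $1 * $2 ))
}

# mount_cmds MMLS_TEXT RAW_DEVICE MOUNT_BASE
# For each allocated filesystem partition (slot column like "00:00"), print
# the read-only loop mount command. Meta entries and "-----" unallocated
# rows are skipped. Volumes are numbered V1, V2, ... in table order.
mount_cmds() {
    ss=$(sector_size "$1")
    n=0
    printf '%s\n' "$1" | while read -r slot alloc start end length size desc; do
        case "$alloc" in
            [0-9][0-9]:[0-9][0-9]) ;;   # allocated partition entry, e.g. 00:00
            *) continue ;;              # header text, Meta, or Unallocated
        esac
        n=$((n + 1))
        # mmls zero-pads sector numbers; strip the padding so the shell
        # does not read "0000000063" as an octal literal.
        start=$(printf '%s' "$start" | sed 's/^0*\([0-9]\)/\1/')
        off=$(byte_offset "$start" "$ss")
        printf 'sudo mount -o ro,loop,offset=%s %s %s/V%s\n' "$off" "$2" "$3" "$n"
    done
}

# verify_hash EXPECTED_MD5 FILE -> succeeds when md5sum of FILE matches the
# hash reported by img_stat (comparison is case-insensitive).
verify_hash() {
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Demonstration on the constructed sample: prints the single mount command
# for the NTFS volume starting at sector 63 (offset 32256).
mount_cmds "$SAMPLE_MMLS" /E01Mnt/RAW/ewf1 /E01Mnt
```

In practice you would feed it `mmls -B /E01Mnt/RAW/ewf1` directly, e.g. `mount_cmds "$(mmls -B /E01Mnt/RAW/ewf1)" /E01Mnt/RAW/ewf1 /E01Mnt`, review the printed commands, and run them; `verify_hash 78a52b5bac78f4e711607707ac0e3f93 /E01Mnt/RAW/ewf1` repeats the md5sum check from the post as a pass/fail exit status. Stripping the zero padding matters: without it, `$((0000000063 * 512))` is evaluated as octal in bash and yields the wrong offset.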
If you like looking at the data that way, well, that's just dandy, but I would recommend an alternative. I use XNViewMP. It looks like this.
With XNView you can view images and access videos more quickly (and on systems with higher performance you can choose to "View All" data from a directory all at once -- Essentially it has recursive capabilities). It also shows file metadata and EXIF data if applicable.
This post is large so I'm going to stop now but keep in mind this is just one of many ways to access the data. ewfmount can be replaced with xmount. With xmount you can also output E01 files as a virtual hard disk (.vhd) file and then the volume can be booted into a virtual machine. The options here are pretty much limitless so don't get stuck on one thing. Have fun.