Wednesday, April 23, 2014

Need to see the Pictures, hear the Music, and watch the Videos?


The other posts have mostly discussed metadata (data about the data).  Yeah, you could use icat to output the text of a text file or something similar, but how do you see the files the way we are used to seeing them?  There are a few ways to do this, but for this post I am going to talk about mounting a volume and browsing the files.

Before we start throwing out commands, let's talk about how this is going to work.  First, you will need to have root access on the machine you are using (the sudo command is commonly used to gain temporary superuser status).  This is going to be necessary when we begin using the mount command.  Next, let's make a few directories.  I am going to make these directories in the ROOT ("/") directory of the volume.  To do this we will use the Linux mkdir command like this:

$ cd /
$ sudo mkdir E01Mnt
$ ls
bin    dev     home            lib    lost+found  opt   run   sys  var
boot   E01Mnt  initrd.img      lib32  media       proc  sbin  tmp  vmlinuz
cdrom  etc     initrd.img.old  lib64  mnt         root  srv   usr  vmlinuz.old

You can see we used the cd command to change to the ROOT directory.  Then we created our directory with the mkdir command and listed the files in our ROOT directory with the ls command (that's an LS, not a 1S).

Now we need to create some directories in the /E01Mnt directory like this:

$ cd E01Mnt/
$ sudo mkdir V1 V2 V3 V4 V5
$ sudo mkdir RAW
$ ls
RAW  V1  V2  V3  V4  V5

Finally, we will need to make sure that we have permission to access these files.  For the purposes of this example I am going to be very lenient with the permissions.  If you have multiple people accessing your computer, you may want to do some research and see what permission options will be best for your situation:

$ cd /

We changed back to the ROOT directory.

$ sudo chmod -R 777 /E01Mnt/
$ ls -Rl /E01Mnt/
/E01Mnt/:
total 24
drwxrwxrwx 2 root root 4096 Apr 23 18:28 RAW
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V1
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V2
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V3
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V4
drwxrwxrwx 2 root root 4096 Apr 23 18:08 V5

/E01Mnt/RAW:
total 0

/E01Mnt/V1:
total 0

/E01Mnt/V2:
total 0

/E01Mnt/V3:
total 0

/E01Mnt/V4:
total 0

/E01Mnt/V5:
total 0

Using the chmod command with the -R (recursive) option we can change the permissions of all of the newly created directories at once.  We have changed the permissions of each directory, allowing all users and groups to have rwx (read, write, and execute) access.  Now that we have the directories with the correct permissions we can proceed.  But first, a little explanation of what we are going to do.

Remember when we talked about creating an Expert Witness Format (E01) disk image?  The E01 file acts as a container for the raw data.  The container stores the raw data along with checksums and information about when and how the E01 file was created.  So the first thing we will need to do is expose the RAW data that is inside of the container.  To do this we are going to need to have the libewf package installed.  The libewf package can be downloaded here and instructions for the installation can be found here.  Now:

$ ewfmount nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227
fusermount: failed to open /etc/fuse.conf: Permission denied

The first time you run this you will see this error.  Once again we are having a permission issue.  To fix this we will need to:

$ sudo chmod 755 /etc/fuse.conf
$ sudo gedit /etc/fuse.conf

The gedit command should open the fuse.conf file in a text editor (for those of you who are using Ubuntu; if you are using another OS you can use your default text editor to make these changes).  Please change the "#user_allow_other" line to "user_allow_other" and save the file.  Now we've adjusted FUSE to our liking.  Next:

$ sudo umount /E01Mnt/RAW
$ ewfmount -X allow_root nps-2008-jean.E01 /E01Mnt/RAW/
ewfmount 20140227

Using the ewfmount command we have just exposed the raw data from the container.  That data has been placed in the /E01Mnt/RAW/ directory.

$ ls -l /E01Mnt/RAW/
total 0
-r--r--r-- 1 root root 10737418240 Apr 23 19:03 ewf1

We can still run our standard Sleuth Kit commands against it like this:

$ mmls -B /E01Mnt/RAW/ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  Meta    0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   0031K   Unallocated
02:  00:00   0000000063   0020948759   0020948697   0009G   NTFS (0x07)
03:  -----   0020948760   0020971519   0000022760   0011M   Unallocated

$ img_stat nps-2008-jean.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: ewf
Size of data in bytes: 10737418240
MD5 hash of data: 78a52b5bac78f4e711607707ac0e3f93

$ md5sum /E01Mnt/RAW/ewf1
78a52b5bac78f4e711607707ac0e3f93  /E01Mnt/RAW/ewf1

I also decided to show you that the RAW data at /E01Mnt/RAW/ewf1 matches the data in the E01 file.  So the next step requires mounting the volume and viewing the contents of the volume.  With this file we have only one volume.  That volume starts at sector 63 and is an NTFS volume.  To mount this volume we will use the Linux mount command like this:

$ sudo mount -o ro,loop,offset=$((63*512)) /E01Mnt/RAW/ewf1 /E01Mnt/V1

The option -o ro makes the mount READ ONLY (so you don't corrupt the original data).  offset=$((63*512)) indicates that the volume begins at byte 32256 (sector 63 times 512 bytes per sector).  We used the shell's $(( )) arithmetic to do the math for us, but the command could have looked like this:

$ sudo mount -o ro,loop,offset=32256 /E01Mnt/RAW/ewf1 /E01Mnt/V1

So how do we know we were successful?  We can use the standard Linux ls command to see if the mount was successful.

$ ls /E01Mnt/V1
AUTOEXEC.BAT            IO.SYS        ntldr          System Volume Information
boot.ini                IPH.PH        pagefile.sys   WINDOWS
CONFIG.SYS              MSDOS.SYS     Program Files
Documents and Settings  NTDETECT.COM  RECYCLER

Success is ours.  If you look at your file manager you should be able to see the volume and files at /E01Mnt/V1.

If you like looking at the data that way, well that's just dandy but I would recommend an alternative.  I use XNViewMP.  It looks like this.

With XNView you can view images and access videos more quickly (and on systems with higher performance you can choose to "View All" data from a directory at once -- essentially it has recursive capabilities).  It also shows file metadata and EXIF data where applicable.

This post is large so I'm going to stop now but keep in mind this is just one of many ways to access the data.  ewfmount can be replaced with xmount.  With xmount you can also output E01 files as a virtual hard disk (.vhd) file and then the volume can be booted into a virtual machine.  The options here are pretty much limitless so don't get stuck on one thing.  Have fun.
