
Mounting Images for Analysis

SANS, All Rights Reserved
Mounting Images Overview

Mounting a Partition/Volume
Mounting Physical Disks
Mounting Forensic Image Formats

Why Mount a Disk Image?

Image File -> Mounted Filesystem

You can now see allocated files and directories
Easiest way to access allocated files and directories
Scanning and automated tasks for investigations

Mount options

mount -o [options] device directory

[Useful Options]
-o Use the following options, separated by commas, no spaces:
ro, mount as read only
loop, mount on a loop device (used for image files)
noexec, do not execute files from mounted partitions
offset=byte_num, if mounting a physical drive you can use the offset option to have it mount at X bytes into the physical disk
show_sys_files, show NTFS volume metafiles
streams_interface=windows, use alternate data streams

Logical Volume mount Example

Elevate your privileges to root
Verify that the image file is a logical disk image using file
Mount the logical image using the mount command

mount Usage for Physical Disks
# mount -t fstype [options] device directory
[Useful Options]
-t fstype, file system type (ext2, ntfs, msdos)
-o Use the following options (separated by commas, no spaces)
ro, mount as read only
loop, mount on a loop device (used for image files)
noexec, do not execute files from mounted partitions
offset=byte_num, if mounting a physical drive you can use the offset option to have it mount at X bytes into the physical disk
show_sys_files, show NTFS volume metafiles
streams_interface=windows, use alternate data streams
First partition is found at sector 63
63 sectors * 512 bytes per sector = 32256 bytes
offset=32256
EXAMPLE
$ sudo su
# mount -o ro,loop,offset=32256 PHYSICAL_DISK_IMAGE /mnt/windows_mount

Mounting .E01 Images (1)

Overview: Mounting E01 or split raw images requires a two-stage mount.

Stage 1, E01 to Raw (mount the E01 using ewfmount):
# ewfmount image-name.E01 /mnt/ewf/
The /mnt/ewf/ directory will now contain a raw dd image.

Stage 2, Raw to Files (mount the raw image using the mount command, all one command line):
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

STEP 1 Example: ewfmount

Mount E01 using ewfmount:
# ewfmount physical-drive-example.E01 /mnt/ewf/

Example Only:

STEP 2: Identifying the Partition via mmls
# mmls ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0020948759 0020948697 NTFS (0x07)
03: ----- 0020948760 0020971519 0000022760 Unallocated

There is unused space between the table and the start of the first partition, and between two partitions.

If the partition table is corrupted then you may have to use a tool called gpart to guess the partition table.

STEP 3 Example: Calculating the Partition Byte Offset
Mount raw image using mount command (Physical or Partition), all one command line:
# mount -o ro,loop,offset=BYTES,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount
How to Calculate mount offset -> (offset=byte_num)
# mmls PHYSICAL_DISK_IMAGE.001
Note -> First partition is found at sector 63
63 sectors * 512 bytes per sector = 32256 bytes
offset=32256
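The offset calculation in STEP 3 and the two-stage E01 mount from the "Mounting .E01 Images" slide, as an added shell example that is not SANS course material: it parses an mmls listing, derives offset=byte_num from the partition's start sector and the reported sector size, and prints the resulting read-only mount command(s) for review instead of running them. Assumed, and not from the slides: all function names, the embedded mmls text (constructed from the STEP 2 listing), and the noexec option added to the slide's option list. The mount points /mnt/ewf/ and /mnt/windows_mount are the ones the slides use.

```shell
#!/bin/sh
# Added example, not SANS course material: turn the mmls output shown on
# the slides into the byte offset that "mount -o ro,loop,offset=..." needs,
# and print the one- or two-stage mount commands. Nothing here mounts
# anything; the commands are printed for the analyst to review and run as
# root. Paths such as /mnt/ewf/ and /mnt/windows_mount follow the slides.

# Constructed sample input: the mmls listing from the STEP 2 slide, embedded
# so the script runs without an image file.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000000062 0000000063 Unallocated
02: 00:00 0000000063 0020948759 0020948697 NTFS (0x07)
03: ----- 0020948760 0020971519 0000022760 Unallocated'

# mmls_sector_size MMLS_TEXT: sector size from the "Units are in N-byte
# sectors" line (mmls reports 4096-byte sectors for some disks, so the
# slide's 512 must not be hard-coded).
mmls_sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p'
}

# partition_start_sector MMLS_TEXT PATTERN: start sector of the first
# allocated entry whose description matches PATTERN (e.g. NTFS). The Meta
# entry and unallocated gaps (slot "-----") are skipped.
partition_start_sector() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $3 ~ /^[0-9]+$/ && $2 != "Meta" && $2 !~ /^-+$/ && $0 ~ pat { print $3 + 0; exit }'
}

# partition_offset_bytes MMLS_TEXT PATTERN: start sector * sector size,
# i.e. the value for offset=byte_num. Fails if no matching partition exists.
partition_offset_bytes() {
    pob_sectors=$(partition_start_sector "$1" "$2")
    pob_size=$(mmls_sector_size "$1")
    [ -n "$pob_sectors" ] && [ -n "$pob_size" ] || return 1
    echo $((pob_sectors * pob_size))
}

# build_mount_cmd RAW_IMAGE MOUNTPOINT OFFSET_BYTES: the read-only loop
# mount from the slides; noexec is added so nothing inside the evidence
# can be executed from the mount point.
build_mount_cmd() {
    printf 'mount -o ro,loop,noexec,offset=%s,show_sys_files,streams_interface=windows %s %s\n' "$3" "$1" "$2"
}

# evidence_mount_plan IMAGE MOUNTPOINT MMLS_TEXT: commands for a raw image
# (one stage) or an E01 (two stages: ewfmount first, then mount the raw
# ewf1 file it exposes). The mmls text is passed in so this stays offline.
evidence_mount_plan() {
    emp_img=$1
    emp_mnt=$2
    case "$emp_img" in
        *.E01|*.e01)
            printf 'ewfmount %s /mnt/ewf/\n' "$emp_img"
            emp_raw=/mnt/ewf/ewf1 ;;
        *)
            emp_raw=$emp_img ;;
    esac
    emp_off=$(partition_offset_bytes "$3" NTFS) || {
        echo "no NTFS partition found; check the mmls output or try gpart" >&2
        return 1
    }
    build_mount_cmd "$emp_raw" "$emp_mnt" "$emp_off"
}

echo "# raw physical image:"
evidence_mount_plan PHYSICAL_DISK_IMAGE.001 /mnt/windows_mount "$SAMPLE_MMLS"
echo "# E01 image (two stages):"
evidence_mount_plan physical-drive-example.E01 /mnt/windows_mount "$SAMPLE_MMLS"
```

On a real image, replace SAMPLE_MMLS with `mmls /mnt/ewf/ewf1` output captured to a variable, and keep the printed commands as part of the case notes: the offset they contain is the one value that, if wrong, silently mounts the wrong partition or nothing at all.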

imageMounter.py
Python script to mount partitions on a disk image

Usage: imageMounter.py [options] image_name mnt_point

[Useful Options]
-s Single partition in image
-i Just display the information
-e Use ewfmount to mount E01 Evidence Files
-b Mount BitLocker drive with recovery key
-k RECOVER_KEY BitLocker recovery key

Python auto-mounter
Mounts a variety of partition types across volume types: Physical, Logical, MSDOS, GPT, BITLOCKER, E01
Time saver from tricky partition challenges

imageMounter.py Examples

Physical Image

Logical Image

Exercise B
Mounting Image Evidence
