E01’s and SIFT – A forbidden love affair…

31Mar11

(ok not really, but that stuck with me for a title)

So I’ve finally gotten around to starting up a blog again.  I decided (with some pushing from my friend Dave Kovar – who makes a very nice python script called analyzeMFT, you should check it out) to do my first post on using E01 images in the SANS SIFT Workstation VM.

This came about primarily because most of the documentation for SIFT talks about using DD images.   Which is fine, I don’t mind DD images at all, however my current “place of employment” requires that I use E01 images in my casework.  So I had to do some digging in order to create timelines using SIFT.  I prefer creating timelines using the SuperTimeline method because it’s what I’m used to, and for me it’s easier to read.

I’d like to start off by thanking Stephen Venter for writing a blog post on mount_ewf.py which helped get me started.

So here’s my setup, I have all my evidence for my case on a TrueCrypt’d eSATA Desktop Drive, attached to my forensic workstation with an eSATA dock.  All the Evidence images are in a folder called Evidence, and any data I’m going to export out of SIFT I’ll put in my Export folder.

So I start up VMware Workstation and fire up SIFT.  Once I log in and get to the desktop the first thing I’m going to do is go to VM->Settings (Ctrl-D)->Options and then Shared Folders.  I always set this to “Enabled until next power off or Suspend” just so I force myself to “enable” the connection to my eSATA disk.  And if I move on to another case/project I can start fresh again.  Next I’ll add my Evidence and Export directories as separate folders.  The Evidence folder I’ll check the read-only attribute, because there’s really no reason for me to write to that folder.

Once that’s done I can confirm the folders are there by clicking on the VMware-Shared-Drive icon.  One note is that the VMware-Shared-Drive shortcut is a soft link to the /mnt/hgfs directory.

For the purposes of this post, we’ll call my image that I’m mounting “foobar_image.E01”….

Ok, first we’re going to start off with the mount_ewf.py script to mount the image on the system.  We’re dealing with an image that is split, so the command we’ll use is:

mount_ewf.py /mnt/hgfs/evidence/foobar_image.E* /mnt/ewf

Now there’s already some mount points set up in SIFT, and since we’re only working with one image there’s no need to create additional subdirectories in the /mnt directory.

Next we need to look at the image partition layout to determine where the volume on the disk starts.

fdisk -lu /mnt/ewf/foobar_image

and you’ll get an output that looks something like:

                      Device Boot   Start    End         Blocks   Id  System
/mnt/ewf/foobar_imagep1  *          63       68281919    34140928+   7  HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 239, 63) logical=(4515, 239, 63)
/mnt/ewf/foobar_imagep2         68281920    78140159     4929120   12  Compaq diagnostics
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(4516, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 239, 63) logical=(5167, 239, 63)

Ok, so based on this output we have two partitions in this image.  One is a diagnostic partition, the other is an HPFS/NTFS file system.  So foobar_imagep1 is the one we are interested in.  What we now need to calculate is the offset in bytes to where that partition starts.  To find that we take the “Start” value of foobar_imagep1 and multiply it by 512 (for 512 bytes per sector); here that is 63 * 512 = 32256 bytes.  Keep in mind that newer drives are starting to use a larger bytes-per-sector value (3TB and some 2TB drives that I’ve seen), so check the sector size fdisk reports before multiplying.

Ok, so next is to mount the image to a loopback device so we can then mount the partition and work with it:

losetup -o32256 -r /dev/loop0 /mnt/ewf/foobar_image

The -o switch is for the byte offset, and the -r switch attaches the loop device read-only.

Once this part is done, we can go ahead and mount the partition.  Keep in mind that we want to mount it so we can see the “hidden” system files associated with the file system ($MFT, etc).

mount /dev/loop0 /mnt/windows_mount -o loop,ro,show_sys_files

Now do an “ls -l” on /mnt/windows_mount and you should see the volume file system (and the hidden system files as well).

At this point, I would start creating my timeline.  I use the steps Rob Lee outlined in his SUPER Timeline Analysis and Creation post.

Finally, once we’re done using this image, what is the proper way to unmount it all?  Well, it’s actually a three step process.

First we unmount the volume from the /mnt/windows_mount point.

umount /mnt/windows_mount

Next, we remove the link between the loopback device and the image.

losetup -d /dev/loop0

Finally we unmount the E01 image.

umount /mnt/ewf

And we’re done.
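The whole sequence above, written up as shell functions so the offset arithmetic and the three teardown steps are in one place. This is an added example, not a script from the original post or from SIFT; it assumes the image has already been exposed by mount_ewf.py, and the fdisk listing embedded in it is a constructed copy of the one shown above.

```shell
# Added example, not from the original post: derive the byte offset from the
# post's fdisk -lu listing and wrap the attach/mount/unmount steps as functions.

# Constructed copy of the fdisk -lu listing shown in the post.
FDISK_OUTPUT='                      Device Boot   Start    End         Blocks   Id  System
/mnt/ewf/foobar_imagep1  *          63       68281919    34140928+   7  HPFS/NTFS
/mnt/ewf/foobar_imagep2         68281920    78140159     4929120   12  Compaq diagnostics'

# ntfs_start_sector: read fdisk -lu output on stdin and print the Start sector
# of the first HPFS/NTFS partition. The Boot "*" column is optional, so Start
# is the first all-numeric field after the device name.
ntfs_start_sector() {
    awk '/HPFS\/NTFS/ { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }'
}

# offset_bytes START_SECTOR [SECTOR_SIZE]: byte offset for losetup -o or
# mount -o offset=. Default 512 bytes/sector; pass 4096 for a 4K-sector image.
offset_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# mount_cmd IMAGE OFFSET MOUNTPOINT: the single-command form (no separate
# losetup). Printed rather than run so it can be reviewed before use.
mount_cmd() {
    printf 'mount -o loop,ro,show_sys_files,offset=%s %s %s\n' "$2" "$1" "$3"
}

# attach_and_mount IMAGE LOOPDEV MOUNTPOINT: the post's two-step form.
# Needs root and a real image under /mnt/ewf. The loop device is attached
# read-only, and since it already is a loop device the mount needs no loop option.
attach_and_mount() {
    start=$(fdisk -lu "$1" | ntfs_start_sector)
    [ -n "$start" ] || { echo "no NTFS partition found in $1" >&2; return 1; }
    off=$(offset_bytes "$start")
    echo "NTFS partition starts at sector $start, byte offset $off"
    losetup -o "$off" -r "$2" "$1" &&
    mount "$2" "$3" -o ro,show_sys_files &&
    ls -l "$3"
}

# teardown MOUNTPOINT LOOPDEV EWFMOUNT: the post's three unmount steps, in order.
teardown() {
    umount "$1" && losetup -d "$2" && umount "$3"
}

# Usage (as root, after mount_ewf.py has populated /mnt/ewf):
#   attach_and_mount /mnt/ewf/foobar_image /dev/loop0 /mnt/windows_mount
#   teardown /mnt/windows_mount /dev/loop0 /mnt/ewf
```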

Please note you may have to do some tweaking with some of these steps.   Most of the time the steps have worked for me, but there will be instances where the offset for the volume is different (for example).  Remember that the “man” pages are available for most of the commands used here if you need to fine tune any parts of this process.  You can also mount multiple images all at the same time, you just need to change/increment the /dev/loop values (/dev/loop1, /dev/loop2, etc) and add additional directories to mount the images to.

If any of you have suggestions on how to improve this process I’d love to hear about it.

Again I’d like to thank the following for making this blog post possible:

Stephen Venter

Rob Lee



10 Responses to “E01’s and SIFT – A forbidden love affair…”

  1. Thanks for writing this… You can also use the single mount command with the additional option -o offset=byte-num. The byte-num is calculated by using mmls or fdisk and getting the sector location * sector size.

    Great article! Thanks! -Rob

  2. Rob,
    I think the first time I ever did this I ran into an issue with the mount command, which is why I probably had the losetup in there (and used it ever since). But that is correct you can remove the losetup line and just add the offset option to the mount command.

    Thanks for the comment and feedback!

  3. Patrick Olsen

    I noticed you used fdisk, but I have seen you talk about TSK, where it has mmls. I was reading Digital Forensics with Open Source Tools, and noticed it mentioned that mmls will show nonallocated spaces before, after or between volumes. Also, the offsets to individual volumes are presented as counts of 512-byte sectors. The offsets can then be passed directly to higher level TSK tools to specify a volume to analyze. Just curious maybe as to why you used fdisk vs. mmls, or maybe it’s just a preference. The books also talks about mount_ewf.py and losetup. I think you would enjoy it.

    • Patrick,
      Thanks for the info. I use fdisk basically because that’s what was outlined in Rob’s original steps. So I haven’t really “switched” over to mmls for that step. So I guess it’s just more familiarity than anything else.

      As for the book, yep already had it preordered when it was announced and I got my kindle version of it the other day. Now I just need to find time to read it! 🙂

      Thanks again for the comment!

  4. Little Mac

    Cool stuff, Tom! Saw your LinkedIn update but didn’t really realize you’d started a blog until I saw it in the Digital Forensics blog today. I have some timeline posting (focused on log2timeline, which is *awesome*) I could hope you might enjoy. http://forensicaliente.blogspot.com/

  5. BRIAN

    Hi there. I am trying to follow along with the above tutorial and have run into an issue. I am attempting to mount the image at offset 32256 with the below command and I am receiving an ACCESS DENIED message. I am using the SIFT 2.12 VM appliance against one of my EWF files. I am using ROOT to perform this command.

    mount -o offset=32256 /mnt/ewf/2nd-Infection /mnt/windows_mount loop,ro,show_sys_files

    Any insight as to why I could be getting this issue will be greatly appreciated. Regards, Brian.

    • Brian,
      Can you type out for me the steps you did leading up to this point? Also, were they all done as the root user? Do you get an access denied message when you run mmls on /mnt/ewf/2nd-Infection ?

      Finally, your mount command is a bit out of order, from what you posted it should be:

      mount -o loop,ro,show_sys_files,offset=32256 /mnt/ewf/2nd-Infection /mnt/windows_mount

      Thanks….

  6. Nice write up! Just did some testing (E01 split) on sift 3.0 and this worked great.

  7. great post!

    I have a question on mounting and dismounting.

    Below is the sequence of steps:

    root@siftworkstation:/mnt/hgfs# mount_ewf.py evidence.E01 /mnt/ewf
    root@siftworkstation:/mnt/hgfs# cd /mnt/ewf

    root@siftworkstation:/mnt/ewf# ls
    ewf1

    Now running log2timeline on ewf1

    root@siftworkstation:/mnt/ewf#log2timeline.py -o 63 /home/sansforensics/outfile.dump ewf1

    Once this is done. What’s the recommended way to unmount the evidence?

    Thanks so much!

    • You would unmount it the same way you unmount any device on a *nix system:

      (if you are NOT the root user)
      sudo umount /mnt/ewf

      (and if you ARE the root user)
      umount /mnt/ewf

