fls, e01, and Timelines…oh my!
Well I’m back once again….
I’m trying to plan out posting entries every month or two (probably closer to every two as some people will tell you :p). But I wanted to at least get an update out from my last/first post.
First off, Rob Lee was kind enough to point out that one of the steps in my process:
losetup -o32256 -r /dev/loop0 /mnt/ewf/foobar_image
isn’t really needed. You can skip this step and just use the mount command with the bytes offset option instead:
mount /mnt/ewf/foobar_image /mnt/windows_mount -o loop,ro,show_sys_files,offset=32256
I’m not sure why I used the losetup the first time I ever did this (aside from reading it originally on Stephen Venter’s Blog post), but I have removed that part from my process since then and it works fine. Thanks for that info Rob!
Now, there was one part of Rob’s SuperTimeline process that I was never able to figure out how to do with an e01 image. Specifically using fls on it. What I would do in the past is take the e01 image and load it into FTK imager and create a DD image from it. Then I would run fls against the DD image. But that’s a lot more time than I want to spend for only one part of my timeline creation process, AND it means I now have one more copy of my image. So I did a bit more reading on the man page for fls and discovered the -i option:
-i imgtype -> Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.
So of course I did a fls -i list and discovered there is a ewf option you can pass to the -i switch!
Which led me to this:
fls -r -i ewf -o (offset to start of partition, ex 63) -m c: /path/to/e01/segments.e* >> /export/path/to/bodyfile
and voila! I get fls output against my e01 image. Note that you have to point this command to the e01 segment files, NOT the image that you mounted.
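As an added example (my own script, not the author's), here are the mount and fls steps from the post wrapped in a few shell helpers that derive the partition offset from mmls output instead of hard-coding it. It assumes The Sleuth Kit is installed; /evidence/case.E01, /mnt/ewf/case and the mmls listing are placeholders I constructed, not values from the post.

```shell
#!/bin/sh
# Added example (not the author's script): wraps the E01 steps from the post into
# helper functions. Assumes The Sleuth Kit (mmls, fls) is on PATH; the paths below
# are placeholders and the mmls listing is a constructed sample.

SECTOR_SIZE=512

# mount -o offset= wants bytes, while mmls and fls -o work in sectors
# (sector 63 * 512 = 32256, the number used in the post).
sector_to_bytes() {
  echo $(( $1 * SECTOR_SIZE ))
}

# Pull the start sector of the first NTFS partition out of mmls output ($1 holds the text).
# $3 is the Start column; "+ 0" strips the zero padding mmls prints.
mmls_start_sector() {
  printf '%s\n' "$1" | awk '/NTFS/ { print $3 + 0; exit }'
}

# Mount command from the post: the raw image exposed by the ewf mount, read-only, at the byte offset.
# $1 = raw image under the ewf mount, $2 = mount point, $3 = partition start sector
mount_cmd() {
  printf 'mount %s %s -o loop,ro,show_sys_files,offset=%s\n' "$1" "$2" "$(sector_to_bytes "$3")"
}

# fls command from the post: runs against the E01 segment files, NOT the mounted image.
# $1 = first segment (e.g. /evidence/case.E01), $2 = partition start sector, $3 = bodyfile path
fls_bodyfile_cmd() {
  ext=${1##*.}                 # E01 or e01
  segs="${1%.*}.${ext%01}*"    # /evidence/case.E* (every segment, same case as the first)
  printf 'fls -r -i ewf -o %s -m C: %s >> %s\n' "$2" "$segs" "$3"
}

# Constructed sample of mmls output for a single-partition disk (not from a real case).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000204799   0000204737   NTFS / exFAT (0x07)'

# Print the two commands for the sample; on a real case replace SAMPLE_MMLS with
# "$(mmls -i ewf /evidence/case.E*)" and pipe the printed lines to sh.
start=$(mmls_start_sector "$SAMPLE_MMLS")
mount_cmd /mnt/ewf/case /mnt/windows_mount "$start"
fls_bodyfile_cmd /evidence/case.E01 "$start" /export/bodyfile.txt
```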
And now, I can do Rob Lee’s SuperTimeline the E01 way! If anyone is interested in a post about all the steps I go through with an E01 image to create my timelines, leave a comment below. I’ll be happy to make a post on that as well (but I’ll warn you it pretty much steps through Rob’s method).
Filed under: Digital Forensics