Article describing the process of converting on the fly an e01 into a dd and then mounting the volumes inside of the dd ...
Mounting E01 images of physical disks in Linux Ubuntu 12.04 Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
The E01 image format, also known as the Expert Witness Format or the EnCase Image Format is perhaps perhaps the de facto standard standard for forensic analysis. Is it a format format owned by Guidance Software containing a bitstream of an acquired disk, case information, checksums for every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream. bitstream. The E01 format allows for compression which lessens the number of image files generated during the acquisition process and saves space. If the E01 format is your preferred format for acquiring media, then you have noticed that mounting the volumes contained in an E01 image always requires that one extra conversion step. In Linux, the program Xmount is the solution. Xmount allows you to convert convert on-the-fly between multiple input and output hard disk image types. In other words, Xmount Xmount can take an E01 and magically make it appear as a DD on the other end, all while maintaining the integrity of the data. Xmount can also turn an E01 into a VDI (Virtual Box Disk), and redirect writes to a cache file. This makes it for example, possible to use Virtual Box to boot an Operating Operating System contained in a read-only E01 image. Converting an E01 E01 into a Virtual Machine is beyond the scope of this article. Today we will discuss the steps required to convert an E01 into a DD, on-the-fly, and then mounting the volume volume inside of the DD. For the purposes of this this article I used an examination computer with Ubuntu 12.04 installed on it.
The Goal: The ultimate purpose of mounting the volume inside of the image is to make the volume accessible to software. While forensic software can read read an E01 directly, other software might need access to the volume’s volume’s directory structure or files. For example, a virus virus scanner will need access to the entire directory structure, while a registry viewer will need direct access to the registry hives themselves.
Installing the tools: All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Software Center. The tools that we will need to accomplish this task are Mount, Md5sum, and Xmount. Mount and Md5sum come pre-installed in Ubuntu, so let’s head over to the Ubuntu Software Center for Xmount. Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type “xmount” and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install. install.
Now that we have the the program that we we need, close the Ubuntu Software Software Center. The next step is to prepare a working working folder for our image. Go to your desktop, right click click on your desktop and select “create new folder”, name it “Test”.
Now find an E01 that we can mount. Find an image of an operating system, the smaller the better, and copy it to your “Test” folder. For the purposes of the article, article, I used a previously acquired E01 of a Windows 7 installation that I use for testing. The details of the image are the following:
Notice that the size of the the media was 11,535,384,576 bytes, about 11.5 GB. Also notice that during the acquisition I used best compression. At the time of of acquisition, my test image compressed down to about 2.7 GB, GB, split into 1.5 GB chunks. Splitting the image into into chunks resulted in the image being spanned into two segments. The md5 of the image is f4c1d94908b15203b9cee0d8f189cf12. This MD5 should not change at any point.
Ok, here we go! Open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”.
Once the terminal window is open, we need to navigate to the previously created Test folder on the desktop. We will use the CD command to change directory into the desktop. Type the following into the terminal. cd /home/carlos/Desktop/Test/ Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter.
The dollar sign after Test indicates that “Test” is your current directory, exactly what we wanted. Let’s see ifif we have the image image in our current directory. For that we will use the LS command, which stands for list list (files). Type “ls” and press enter.
Notice that we are in the test directory and yes, we do have the image in our directory. We are almost ready to mount the image with Xmount. But before we do that, we need to designate a location where we can temporarily mount the image. To do that we need to create a mount directory. directory. To keep things simple, let’s create a directory called called “xmount” in the root of the mnt folder. We will accomplish this this with the following following command. sudo mkdir /mnt/xmount Mkdir is the command that makes makes directories. The mnt folder is a good place to create temporary mount points. Sudo gives fdisk superuser privileges for the operations. Press enter and type your root root password (if needed). If everything worked and you get your cursor back without errors, then you can assume that the command that you entered was carried out as ordered.
Now we can use Xmount Xmount to mount the E01 into the /mnt/xmount /mnt/xmount directory. We will accomplish it with the following command sudo xmount --in ewf Windows7NTFS.E?? /mnt/xmount/ Explanation: You have to specify all image segments. segments. In this example we we have more than one segment so we must use “E??” as the file extension, to specify the segment files. Also, replace “Windows7NTFS” “Windows7NTFS” with the name of your image. Press enter and type type your root password (if needed).
If everything worked and you get get your cursor back we can move on. Change directory into the /mnt/xmount directory with the below command, followed by enter. cd /mnt/xmount/ I got these results.
Type “ls -l” -l” and press press enter. LS is the the list files command. The flag -l-l uses a long long listing format
Notice that our E01 has been “magically” “magically” converted to a DD, on-the-fly. on-the-fly. Before we move any further, let’s let’s verify the integrity integrity of the data. Converting the E01 to to a DD should not have changed any of the data in our image. The best way to confirm this, is by conducting an md5sum of the data. Type the below command into the terminal (with (with the name of your DD), press enter. The larger your image, image, the longer you will will have to wait. md5sum Windows7NTFS.dd Mine took about five minutes to verify.
Notice that the md5 matches. Now we can move on to the final step of mounting the the volume(s) inside of the the image. Even if your image has multiple volumes inside of it, you will be able to mount any of them, one at a time. time. To mount the volume of your choice from within within the image you will need to specify an offset to the volume into the image file. You can get this offset by running fdisk against the image to obtain the starting sectors sectors for each volume. Type
the below command into the terminal and press enter, type your root password (if needed). sudo fdisk -l Windows7NTFS.dd Fdisk is a partition table manipulator for Linux. The flag -l lists lists the partition tables for the specified devices. These are my results.
Notice that the NTFS volume inside of my DD starts at sector 2048. The offset must be specified in bytes, so now you must take the starting sector offset, in this instance 2048, and multiply it by 512 bytes. bytes. From this we obtain 1048576. We now have the information that we need to mount the volume inside on the image. But before we we do that, we need to designate a location where where we can temporarily mount the volume. To do that, we we need to create another mount directory. directory. To keep things simple, let’s let’s create a directory called DD in the root of the the mnt folder. Type the below command into into the terminal and press enter, type type your root password (if needed). sudo mkdir /mnt/dd/ Again, if you got got your cursor back then everything went well. The DD directory was created at /mnt/dd and your current directory is still /mnt/xmount.
We finally get to mount mount the mount the volume inside of the the DD. Mount the volume with the below command. sudo mount -t ntfs -o ro,offset=1048576 Windows7NTFS.dd /mnt/dd/
Mount is the command to mount mount a filesystem. The flag -t tells mount mount which filesystem you are mounting, which in in this case in an NTFS filesystem. The -o flag specifies the options for mounting. In this instance we opted to mount mount it as a “ro” read-only read-only file system and we also told mount to look at byte offset 1048576, which is the beginning of the volume. The options following the -o flag must be separated separated only by a comma. Press enter, type your root password (if needed).
Now navigate to the DD directory. directory. We will again use the CD command to change directory into the DD directory. Type the following into into the terminal and press press enter. cd /mnt/dd/ I got these results.
Type “ls -l” and press enter. The flag -l uses a long listing format. format. carlos@XPS-M1330:/mnt/dd$ ls –l
There you have it. Now your volume is mounted in a read-only mode available for any action that you deem necessary. You can continue in the terminal or navigate navigate the directory structure through Nautilus. You can copy out files, conduct virus scans, browse registry registry files, or anything else that your investigation calls for.
Finishing touches... To unmount the volume, cd into your home folder with with the command cd and enter, followed by the below command. Note: The unmount unmount command in terminal is actually spelled umount (without the n). sudo umount /mnt/dd/ Now that the volume is unmounted, let’s let’s conduct one last test. Cd back into into you xmount directory and conduct another md5sum to confirm that your DD did not change
The md5 still matches. If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. you. Please post your comments or email the author of this article at
[email protected]