This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.
In the following example, I will be using the case images from the M57 Case that is downloadable online.
- Scenario and Case Goals-> http://digitalcorpora.org/corp/images/nps/nps-2008-jean/M57-Jean.pdf
- Image 1 ->http://digitalcorpora.org/corp/images/nps/nps-2008-jean/nps-2008-jean.E01
- Image 2 -> http://digitalcorpora.org/corp/images/nps/nps-2008-jean/nps-2008-jean.E02
Introduction to Mounting EWF/E01 Images in the SIFT Workstation
Over the past few years, many investigators have realized that having to convert an image from one format to another is sometimes painful and extremely time consuming. But based on new releases of some handy utilities it is fairly unnecessary for the modern forensicator. Using a tool such as FTK Imager (seen below) is an example of converting an image from E01 to RAW format that could take hours and take up more storage than is necessary. There are many reasons that an investigator would like to examine the raw image. For me, I usually like to have access to the raw system for file carving, direct examination of the files, and utilization of free/open source tools such as log2timeline.
Since the EWF/E01 format is always changing we need to examine more than one way to mount a set of EWF files (E01, E02, ?) inside the SIFT workstation. The commands we will cover today is mount_ewf.py and ewfmount.
Overview:
1. Mounting E01 images requires two stage mount using mount_ewf.py and ewfmount
/mnt/ewf/ Directory will now contain a raw (dd) image
2. Mount raw image using mount command
mount —o ro,loop,show_sys_files,streams_interace=windows Regular mount command against physical or volume image
mount_ewf.py command
mount_ewf.py is by far the most utilized tool for mounting an E01 file inside the SIFT Workstation. It is quite easy to use. Anytime you perform any mount operations, things simply work more reasonably when you elevate your privileges to root by using "sudo su" and then performing the mount_ewf.py command. mount_ewf.py will accept either a singular E01 file or a split EWF format (E01, E02, E03?)
$ sudo su # mount_ewf.py image.E01 directory
Notice that the md5 hash of the raw image file is: 78a52b5bac78f4e711607707ac0e3f93. The hash will be compared against the output from other tools such as ewfmount and FTK Imager to verify that their mount procedures result in an identical raw file image that results from the virtual EWF mount. It will verify the procedure as well. Notice that in our comparison of the FTK Imager output when we converted the E01 file to a raw file the hash is identical as well in the separate raw image file.
Regular mount command
Mount is the command that will take the raw logical image and mount it onto a specified directory of choice to be able to examine the contents of that image. The image has to include be a recognizable file system as a partition. This makes invocation of the command interesting as the raw image is a physical disk image and not a specific partition of a file system. When I first started out in digital forensics, it was a fairly complex but not impossible process to mount a partition inside a raw image using losetup.
Today, it is much easier. You can use a new option recent added to the mount command options called offset=NUM. The number is the total number of bytes to skip inside the image file. The option will allow the investigator to point specifically at the filesystem partition inside the raw disk image.
You can easily calculate the byte offset by running the sleuthkit mmls command against the raw disk image to find the sector starting location and multiplying by 512 bytes (or the sector size listed in the mmls output).
Alternative commands to mount E01 images using ewfmount
In many cases, one tool might fail and there are many possible reasons for the failure. The EWF format is routinely changing versions. As a result, EWF projects might not be able to keep up with every variation. If that occurs, it is recommended that you try anther utility called ewfmount. (Note: xmount is also another very good backup) Every investigator should have a handy backup for any command and in the SIFT Workstation for E01 files it is ewfmount. ewfmount is handled the exact same way mount_ewf.py is handled. See example below.
# ewfmount image.E01 directory
Conclusion
Mounting an EWF/E01 evidence file is a key task to performing a variety of analysis techniques we will be covering in this blog. Getting access to a raw disk without having to convert it via FTK Imager or another utility is quite a time saver and a unique way of using the SIFT workstation to provide a simple capability that you can use in your examinations today.
The commands in this example:
# cd YYYYMMDD-####/
# mount_ewf.py nps-2008-jean.E01 /mnt/ewf/
# cd /mnt/ewf/
# ls
# file nps-2008-jean
# mmls nps-2008-jean
# cat nps-2008-jean.txt
# md5sum nps-2008-jean
# mount -o ro,loop,show_sys_files,streams_interface=windows,offset=32256 nps-2008-jean /mnt/windows_mount/
# cd /mnt/windows_mount/
For more information, consider attending (FOR508) Advanced Computer Forensic Analysis and Incident Response
