One of the basic techniques we teach in SANS Forensic classes is "carving" out partition images from complete raw disk images. All it takes is a little facility with mmls and dd. Here's a quick example of carving an NTFS partition out of a disk image to show you what I mean:
$ mmls -t dos drive-image.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000064259 0000064197 DOS FAT12 (0x01)
03: 00:01 0000064260 0000273104 0000208845 DOS Extended (0x05)
04: ----- 0000064260 0000064260 0000000001 Extended Table (#1)
05: ----- 0000064261 0000064322 0000000062 Unallocated
06: 01:00 0000064323 0000273104 0000208782 DOS FAT16 (0x06)
07: 01:01 0000273105 0000433754 0000160650 DOS Extended (0x05)
08: ----- 0000273105 0000273105 0000000001 Extended Table (#2)
09: ----- 0000273106 0000273167 0000000062 Unallocated
10: 02:00 0000273168 0000433754 0000160587 NTFS (0x07)
11: 02:01 0000433755 0000481949 0000048195 DOS Extended (0x05)
12: ----- 0000433755 0000433755 0000000001 Extended Table (#3)
13: ----- 0000433756 0000433817 0000000062 Unallocated
14: 03:00 0000433818 0000481949 0000048132 Linux (0x83)
15: 03:01 0000481950 0000626534 0000144585 DOS Extended (0x05)
16: ----- 0000481950 0000481950 0000000001 Extended Table (#4)
17: ----- 0000481951 0000482012 0000000062 Unallocated
18: 04:00 0000482013 0000626534 0000144522 Linux Swap / Solaris x86 (0x82)
19: ----- 0000626535 0000629143 0000002609 Unallocated
$ dd if=drive-image.dd of=ntfs.img bs=512 skip=273168 count=160587
160587+0 records in
160587+0 records out
82220544 bytes (82 MB) copied, 2.28871 s, 35.9 MB/s
The "bs=", "skip=", and count= values are taken directly from the mmls output. The "skip=" value corresponds to the "Start" of the partition and "count=" should be the "Length". And near the top of the mmls output you see "Units are in 512-byte sectors", so that's our "bs=" value.
Mostly we teach partition carving to get students up to speed with reading partition tables and manipulating various options of the dd command. The only real-world problem is that as disk drives get larger, the time it takes to simply image the drive is really slowing down forensic investigations. If you then have to go back and carve out each individual partition- effectively re-reading the nearly the entire drive- you're doubling the time it takes you just to get started with your forensicating, as well as burning all that additional disk space for the partition images. Fortunately there's a better approach.
Most common forensic tools have some sort of option for specifying a byte or sector offset in a disk image so that you don't actually have to carve out each individual partition. The trick is usually just having to remember which tools want byte offsets and which want sector offsets, but that's what help texts and manual pages are for. There are some tools that don't have an offset option, but there are work-arounds here as well. Let me give you a few practical examples.
The Sleuthkit Tools
All of the core Sleuthkit tools have a "-o" option for specifying a sector offset in a disk image file. Since the offsets are specified in sectors, you can just use the "Start" values from the mmls output. For example, let's use fsstat to get some basic information about the Linux partition in our disk image:
$ fsstat -o 433818 drive-image.dd FILE SYSTEM INFORMATION -------------------------------------------- File System Type: Ext2 Volume Name: Volume ID: 8c05a8859c81c2978427d205e60531e Last Written at: Sat Sep 23 14:09:29 2006 Last Checked at: Sat Sep 23 14:09:28 2006 [...]
Or perhaps you'd like to use foremost to carve files out of the free blocks in the NTFS partition. Like fsstat, blkls has a "-o" option, and foremost accepts image data on the standard input, so you can easily set up a command like:
$ blkls -o 273168 | foremost -o ntfs-carved-files -q -v
I'm sure you get the idea at this point, so I won't waste time going through the other Sleuthkit tools individually. Let's move on to some more interesting examples.
Mounting File Systems
As somebody who primarily works in the Linux environment, mounting read-only copies of partition images to loopback devices is one of my most heavily used forensic tools. It turns out that the mount command also has an "offset" option so that you can operate on partitions within a full disk image. The trick is that mount wants you to specify the offset in terms of bytes rather than sectors. But this is no big deal, it just means we need to do a little math first.
Let me show you how I'd go about mounting the NTFS partition from our disk image:
$ expr 273168 \* 512 139862016 $ sudo mount -t ntfs-3g -o ro,loop,show_sys_files,offset=139862016 drive-image.dd /mnt/ntfs
First I'm multiplying the "Start" value from our mmls output by the sector size to get the byte offset of the start of the partition. Then all I have to do is use the resulting value after "offset=" in the mount options and I'm golden. All of the other options and mount arguments are exactly the same as if you were mounting a partition image that you'd carved out manually. You have to be root to use the mount command, so here I'm using sudo to get temporary root privileges for myself.
Other Tools
Some other common forensic tools you might want to use may not support an option to specify a partition at a specific byte offset. For example, you might want to use strings to extract the ASCII string data from the Linux swap partition in our disk image. But strings (or srch_strings if you prefer) have no way of selecting a single partition from our disk image.
However, you can simply use dd to "read" the partition image and then just pipe the output into strings:
$ dd if=drive-image.dd bs=512 skip=482013 count=144522 | strings -a -t d >linux-swap.ascii.str 144522+0 records in 144522+0 records out 73995264 bytes (74 MB) copied, 2.27807 s, 32.5 MB/s
You could say this is "cheating" since I'm really using dd to carve the partition image. But at least I don't need to store the partition image on disk anywhere- just pipe it into the standard input of strings. Since most Unix/Linux commands will happily operate on data coming in via the standard input, this technique is broadly applicable across a wide variety of tools.
Conclusion
Using byte offsets rather than carving file system partitions out of a disk image can save you enormous amounts of time and disk space, leaving you more time for forensicating. I urge you to spend some time practicing the techniques covered in this article. Once you drink the offset Kool Aid, you'll never go back to carving.
Hal Pomeranz is an Independent IT/Security Consultant, a SANS Institute Faculty Fellow, and a GCFA. He is also a hard-core nerd, an ISTJ, and a Taurus. One or more of these facts is probably irrelevant.
