Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
2Activity
0 of .
Results for:
No results containing your search query
P. 1
Mounting E01 images of Physical Disks in Linux Ubuntu 12.04

Mounting E01 images of Physical Disks in Linux Ubuntu 12.04

Ratings: (0)|Views: 600 |Likes:
Published by Carlos Cajigas
Article describing the process of converting on the fly an e01 into a dd and then mounting the volumes inside of the dd using Linux Ubuntu 12.04
Article describing the process of converting on the fly an e01 into a dd and then mounting the volumes inside of the dd using Linux Ubuntu 12.04

More info:

Published by: Carlos Cajigas on Aug 07, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

10/06/2012

pdf

text

original

 
Mounting E01 images of physical disks in Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
 
The E01 image format, also known as the Expert Witness Format or the EnCaseImage Format is perhaps the de facto standard for forensic analysis. Is it a format owned byGuidance Software containing a bitstream of an acquired disk, case information, checksumsfor every block of 64 sectors, and a footer with an MD5 hash for the entire bitstream. TheE01 format allows for compression which lessens the number of image files generated duringthe acquisition process and saves space.If the E01 format is your preferred format for acquiring media, then you have noticedthat mounting the volumes contained in an E01 image always requires that one extraconversion step. In Linux, the program Xmount is the solution. Xmount allows you to converton-the-fly between multiple input and output hard disk image types. In other words, Xmountcan take an E01 and magically make it appear as a DD on the other end, all while maintainingthe integrity of the data.Xmount can also turn an E01 into a VDI (Virtual Box Disk), and redirect writes to acache file. This makes it for example, possible to use Virtual Box to boot an OperatingSystem contained in a read-only E01 image. Converting an E01 into a Virtual Machine isbeyond the scope of this article.Today we will discuss the steps required to convert an E01 into a DD, on-the-fly, andthen mounting the volume inside of the DD. For the purposes of this article I used anexamination computer with Ubuntu 12.04 installed on it.
The Goal:
 
The ultimate purpose of mounting the volume inside of the image is to make thevolume accessible to software. While forensic software can read an E01 directly, othersoftware might need access to the volume’s directory structure or files. For example, a virusscanner will need access to the entire directory structure, while a registry viewer will needdirect access to the registry hives themselves.
 
Installing the tools:
 
All of the tools that we will use are either included in Ubuntu by default, or can bedownloaded from the Ubuntu Software Center. The tools that we will need to accomplish thistask are Mount, Md5sum, and Xmount. Mount and Md5sum come pre-installed in Ubuntu, solet’s head over to the Ubuntu Software Center for Xmount.
 
Click on the Dash Home circle, located on the top left of your screen, type in “software”and click on the Ubuntu Software Center icon that will appear.
 
After the Ubuntu Software Center opens, you will see a search box on the top-rightcorner of your screen. Type “xmount” and click on the install button. You will be prompted foryour root password. Enter your root password and wait for the program to install.Now that we have the program that we need, close the Ubuntu Software Center. Thenext step is to prepare a working folder for our image. Go to your desktop, right click on yourdesktop and select “create new folder”, name it “Test”.
 
 
 
Now find an E01 that we can mount. Find an image of an operating system, thesmaller the better, and copy it to your “Test” folder. For the purposes of the article, I used apreviously acquired E01 of a Windows 7 installation that I use for testing.
 
The details of the image are the following:
 

Activity (2)

You've already reviewed this. Edit your review.
1 thousand reads
1 hundred reads

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->