Having just finished my SANS 508 Course i want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis.
I Hear You Like Mount Points
The SANS 508 is an Advanced Computer Forensics course and the majority of the course is examining Disk Images. The course uses E01 Images of a single partition, this is done to simplify the classroom activities, copying full disk images is time consuming and detrimental to a learning experience.
How does this scale to real life? In the real world you will have mixes of Full disk images with multiple partitions and in some cases different formats for each partition, think dual Boot Linux and windows with recovery partitions. Needless to say real world examples can get complex quickly.
When it comes to the analysis of these images you have to mount them somewhere your OS and tools can access them. This alone can be a nuisance for those new to the field, and even for those who are experienced but are having to do this time and time again.
The Manual Way
Before i get to the good stuff i want to take the time to run through a manual mount process so you understand what it is i attempted to achieve.
My example is going to be using a Windows 2K8 Domain Controller VMDK acquired from my ESXi Server. This processes is mostly the same for any raw disk image.
The aim is to mount the windows partitions so I can run my forensics toolkit against it.
The first thing we want to do is check and see exactly whats on the disk image. There are many tools that will do this for you, the course taught us to use mmls, me I prefer to use the default fdisk. The main reason for my choice is its native to pretty much every version of Linux and it will still work against raw images, dd images and even works on Virtual Machine Disk Images (vmdk’s).
Running fdisk -l against my image i am presented with the following output.
Im not going to go through it all im just going to highlight the key bits we need
Disk 2K8R2-Domain-Ctlr-flat.vmdk: 42.9 GB, 42949672960 bytes 255 heads, 63 sectors/track, 5221 cylinders, total 83886080 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x5eb8d934 Device Boot Start End Blocks Id System 2K8R2-Domain-Ctlr-flat.vmdk1 * 2048 206847 102400 7 HPFS/NTFS/exFAT 2K8R2-Domain-Ctlr-flat.vmdk2 206848 83884031 41838592 7 HPFS/NTFS/exFAT
We want to mount the partitions, so what we need to do is find out where each of the partions start. This turns out to be a trivial bit of math. Take the sector size and multiply by the start point, we now have a byte offset that Linux can use to read in to the file. with the magic numbers in hand we can move on the next step.
Linux mounts file systems, in order for Linux to mount our filesystem we have to tell it what type it is. in the example above we can see that fdisk identified it as possibly NTFS, thats good it matches what we were expecting, if you get this wrong expect the next section to go a little pear shaped.
Now we have all the required information lets get to the actual mounting. Linux has the capability to mount filesytems included by default, although if your working with weird and wonderful FS Types like old school UFS you may find that its not supported.
our command has to be run as root or sudo and is as follows
mount -t TYPE -o OPTIONS /path/to/image.dd /path/to/mount
a real world example looks like this
mount -t ntfs -o ro,loop,offset=36653,show_sys_files,streams_interface=windows /cases/HardDrive.img /mnt/windows_mount
The options i have given it are to mount it ReadOnly on a loop device starting at our calculated offset the final options tell it to interpret meta data as windows.
With any luck you should now see your image mounted for your viewing pleasure.
If your image was acquired using encase then it is likely in an E01 format, this is a compressed copy of the image with metadata and checksum data. To mount these we need another step. ewfmount is a Linux tool that is designed to extract the raw image from a set of E0* files. ewfmoutn can be found here installing it is outside the scope of this post.
Once installed we simply run ewfmount /path/to/image.e01 /path/to/mount
once mounted we run the steps from above but we point to our newly created raw image.
If all that sounds like a lot of work and complicated, it’s not as complicated once you have run through it a few dozen times.
The Lazy Way
However being the lazy guy I am I decided I would write something to make my life a little easier. Under the premise that a little work now will save me a lot of work in the future I wrote myself about 20 lines of python that would do the job.
It worked and saved me having to calculate offsets and type the same lines over and over again. Unfortunately it wasn’t what you would call user-friendly and if you didn’t know exactly how it worked no one else could really use it. so a few more lines to add some error handling and some information about whats happening and I have something that hopefully others can find as useful as I have.
Here are a few usage examples
Running the script with the ‘-i’ option will display the partition information.
root@siftworkstation:/cases/# imageMount.py -i 2K8R2-Domain-Ctlr-flat.vmdk [+] There are 2 Partitions [+] Partition 0 [-] Bootable: True [-] FileSystem: HPFS/NTFS/exFAT [-] Start: 2048, End: 206847 [-] Calculated Offset: 1048576 [+] Partition 1 [-] Bootable: False [-] FileSystem: HPFS/NTFS/exFAT [-] Start: 206848, End: 83884031 [-] Calculated Offset: 105906176
To mount the partitions all you need to do is run the script point it to an image and tell it where to mount.
root@siftworkstation:/cases/# imageMount.py 2K8R2-Domain-Ctlr-flat.vmdk /mnt/windows_mount [+] Checking Partitions [+] Found 2 partitions [+] Creating Temp Mount Point at /mnt/windows_mount0 [+] Attempting to Mount Partition 2 at /mnt/windows_mount0 [+] Mounted 2K8R2-Domain-Ctlr-flat.vmdk at /mnt/windows_mount0 [-] To unmount run 'sudo umount /mnt/windows_mount0' [+] Creating Temp Mount Point at /mnt/windows_mount01 [+] Attempting to Mount Partition 2 at /mnt/windows_mount01 [+] Mounted 2K8R2-Domain-Ctlr-flat.vmdk at /mnt/windows_mount01 [-] To unmount run 'sudo umount /mnt/windows_mount01'
If your working with E01 Files and you have ewfmount installed on your system you can tell the script to mount any E01 formatted images as well.
root@siftworkstation:/cases/# imageMount.py -e -s xp-c-drive.E01 /mnt/windows_mount3
[+] Mounted E0 Files to /mnt/ewf4_2014_03_11-23_32 /ewf1 [-] To unmount run 'sudo umount /mnt/ewf4_2014_03_11-23_32' [+] Creating Temp Mount Point at /mnt/windows_mount3 [+] Attempting to Mount /mnt/ewf4_2014_03_11-23_32/ewf1 at /mnt/windows_mount3 [+] Mounted /mnt/ewf4_2014_03_11-23_32/ewf1 at /mnt/windows_mount3 [-] To unmount run 'sudo umount /mnt/windows_mount3'
The more technically astute among you will have noticed i provided another option -s this option tells the script this is a copy of a partition so there will be no partition table to read. If you don’t provide this option the script will try to determine if it’s a single partition and tell you to try again with the -s options.
That’s about it for this one hope someone else will find this as useful as i have.
You can find the Script on my GitHub here - https://github.com/kevthehermit/Scripts/blob/master/imageMounter.py
Feel free to stick a fork in it or ping me on here with bugs, features or complaints.
The next revision of the script will include an option to auto mount VSS Partitions, and will have options to clean up after itself.
As usual questions, queries comments below.