localizing a mounted HD

mrpumba (@mrpumba), Topic starter
I am trying to capture data from the Shadow Volume of a suspect's device through an imaged file. I mounted the volume and, using the CMD prompt (administrator), ran the vssadmin command. I am receiving an error message because the mounted (suspect's) volume is not a local volume and vssadmin will not read it. Does anyone know how to mount an imaged file to make it local?

 
Posted : 27/08/2012 8:16 pm
keydet89 (@keydet89)
You can do this quite easily using a tool available for free from MS. I covered this in chapter 3 of "Windows Forensic Analysis Toolkit 3/e", but it's also described here

http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html

…and here

http://justaskweg.com/?p=710

 
Posted : 27/08/2012 8:36 pm
mrpumba (@mrpumba), Topic starter
Ok, I'll review the information you provided and follow up.

Thanks
Keydet89

 
Posted : 27/08/2012 8:59 pm
(@joachimm)
If you feel courageous you can also try (although you'll need Linux for this)
http://code.google.com/p/libvshadow/

I recently did a large update and it is starting to look promising, but it is still considered experimental.

 
Posted : 27/08/2012 11:16 pm
(@joachimm)
BTW, additional info:
http://www.forensicswiki.org/wiki/Windows_Shadow_Volumes

 
Posted : 27/08/2012 11:24 pm
jaclaz (@jaclaz)
Just for the record, you can most probably use Clonedisk (freeware, GUI) to convert the RAW image to VHD:
http://reboot.pro/8480/

or, more simply, raw2vhd:
http://reboot.pro/9715/
http://reboot.pro/9715/#entry83781

Though from what has been posted here
http://justaskweg.com/?p=710
it seems like the "original" didn't end on a sector boundary, which is "strange".

@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?
I mean, the issue you had with IMDISK is probably connected with the nature of IMDISK; a more "low level" driver such as MS's own VSS SDK
http://reboot.pro/index.php?showtopic=6492&hl=
http://www.microsoft.com/en-us/download/details.aspx?id=23490
and possibly
http://msdn.microsoft.com/en-us/library/windows/desktop/bb530728(v=vs.85).aspx
or Total Mounter
http://reboot.pro/15170/
http://www.kernsafe.com/product/totalmounter.aspx
should be able to "mount" the RAW image directly in such a way that it is accessible…

jaclaz

 
Posted : 27/08/2012 11:25 pm
keydet89 (@keydet89)
@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?

In order to mount the image as a volume, in a manner that would allow access to the available VSCs.

 
Posted : 27/08/2012 11:36 pm
jaclaz (@jaclaz)
In order to mount the image as a volume, in a manner that would allow access to the available VSCs.

I know that, the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.

If you prefer, I understood the procedure as "Since I found no driver capable of properly mounting the image as a local disk, I converted it to a VHD so that I was able to use …."

jaclaz

 
Posted : 28/08/2012 12:16 am
keydet89 (@keydet89)
…the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.

I'm not sure I follow. As you say, you can install a driver, or you can make a minor modification to the image file and use what's already installed (i.e., Disk Management).

Is there a chance that you can share what the "more suited drivers" are?

Thanks.

 
Posted : 28/08/2012 1:55 am
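The "minor modification to the image file" keydet89 refers to, together with the sector-boundary caveat jaclaz raises, as an added example that is not from this thread or from any of the tools linked in it: a Python script that appends a fixed-disk VHD footer to a working copy of the raw image exported from the E01, so that Disk Management can attach it as a local disk and vssadmin will treat the volume as local. It assumes the raw export ends on a 512-byte boundary (it refuses to proceed otherwise), and the creator-application tag it writes is a constructed value.

```python
import struct
import time
import uuid

SECTOR = 512

def vhd_geometry(total_sectors):
    """CHS tuple (cylinders, heads, sectors/track) from Microsoft's VHD spec."""
    total_sectors = min(total_sectors, 65535 * 16 * 255)
    if total_sectors >= 65535 * 16 * 63:
        spt, heads, cth = 255, 16, total_sectors // 255
    else:
        spt, cth = 17, total_sectors // 17
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads, cth = 31, 16, total_sectors // 31
        if cth >= heads * 1024:
            spt, heads, cth = 63, 16, total_sectors // 63
    return cth // heads, heads, spt

def build_vhd_footer(size_bytes):
    """512-byte big-endian footer for a fixed VHD holding size_bytes of data."""
    if size_bytes % SECTOR:  # the case jaclaz flags: image not sector-aligned
        raise ValueError("raw image does not end on a sector boundary; pad it")
    cyl, heads, spt = vhd_geometry(size_bytes // SECTOR)
    head = struct.pack(
        ">8sIIQI4sI4sQQHBBI",
        b"conectix", 0x2, 0x00010000,    # cookie, features (reserved bit), v1.0
        0xFFFFFFFFFFFFFFFF,              # data offset: none for a fixed disk
        int(time.time()) - 946684800,    # seconds since 2000-01-01 UTC
        b"py  ", 0x00010000, b"Wi2k",    # creator app (constructed), version, host
        size_bytes, size_bytes,          # original and current size
        cyl, heads, spt, 2)              # geometry, disk type 2 = fixed
    tail = uuid.uuid4().bytes + b"\x00" * 428   # unique id, saved state, reserved
    checksum = (~sum(head + tail)) & 0xFFFFFFFF  # one's complement of byte sum
    return head + struct.pack(">I", checksum) + tail

def vhd_footer_checksum_ok(footer):
    """Recompute the checksum over every byte except the stored field itself."""
    stored = struct.unpack(">I", footer[64:68])[0]
    return stored == ((~sum(footer[:64] + footer[68:])) & 0xFFFFFFFF)

def append_vhd_footer(raw_copy_path):
    """Append the footer in place to a WORKING COPY of the raw export."""
    with open(raw_copy_path, "r+b") as f:
        f.seek(0, 2)                     # size of the data area = file length
        f.write(build_vhd_footer(f.tell()))
        return f.tell()                  # new length: data + 512-byte footer
```

After `append_vhd_footer("copy.raw")`, rename the copy to `.vhd` and attach it read-only from Disk Management or with `Mount-DiskImage`; the attached volume then gets a drive letter that `vssadmin list shadows /for=<letter>:` accepts.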
mrpumba (@mrpumba), Topic starter
Reviewing the responses thus far, they still do not answer my question (at least I don't believe so). Recap: I have an E01 image and, using FTK Imager, mounted the file, giving me a listed drive of M. I now open a cmd window in admin mode, cd to M: and type "vssadmin list shadows /for=m:". I receive an error: "cannot list m shadow list because m is not a local drive".
Imaging is not the problem, as I know that if I can get to the shadow files as stated above I can image them and load them into FTK or EnCase. The issue is getting the system to recognize the FTK-mounted E01 file as a local drive.

 
Posted : 28/08/2012 7:54 am