Convert .AD1 image to DD raw image


grizzlydigital
Newbie
 

Convert .AD1 image to DD raw image

Post Posted: Nov 15, 19 04:59

Hello,
Looking for an alternative method to convert .ad1 image to DD.

I have heard Mount Image Pro and Forensic Explorer can accomplish this, but I am treating it more like a challenge to learn and MacGyver a solution, if possible.

Here is the context:
Context 1: Recently had a limited amount of time to access a desktop for collection, so used FTK Imager 4.2.1.4 to collect logical C drive, so FTK Imager’s output was automatically AD1.
Context 2: A colleague with the same issue (limited amount of time) was instructed to perform a live targeted collection; he used FTK Imager to collect a user folder (FTK lists it as ‘Contents of a Folder’ when you are choosing the type of image you want to create, i.e. Physical/Logical, etc.).

Back at the lab, EnCase would not ingest the ad1 images.

Here is what I have tried:
Tried using FTK Imager (not the full suite, just Imager) to export the image, but that option is greyed out (selected File, Add Evidence Item; once added to the evidence tree on the left, right-clicked, but ‘Export Disk Image…’ is greyed out/not selectable).

Tried Paladin 7.05 USB, the Paladin Toolbox has an Image Converter option. Read the manual and confirmed it wants the external drive mounted as RW, so mounted drive containing the image. Was unable to use Paladin Image Converter even after following the instructions and mounting RW. I cannot click/select ‘Image List’ - it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right hand side does not do anything.

Tried googling, checked YouTube, and of course checked these forums before posting. Mostly finding info on E01 to DD, or forums telling me to purchase Forensic Explorer.

Do I need to perform an update? It says Paladin 7.05 on the toolbox. Any guidance is appreciated. Emailed Sumuri, so far haven’t heard back; wondering if it’s a bug or I need to update my Paladin, as it was strange that Paladin Toolbox’s Image Converter is stuck/unclickable for the tab ‘Image List’ - it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right hand side does not do anything.

Back at the lab I just created a small test image of a folder with FTK Imager in ad1, tried the different versions of Paladin including 32-bit Paladin Edge, same issue: cannot get the converter to list the ad1 image.

One colleague I shared the above with has recommended I try Autopsy, which is included in the Paladin accessories, as well as in Kali Linux. I have found some content online for creating a DD image with linux, but I want to ensure that I convert the ad1 to DD, not just create a DD image containing the ad1 file!

I will try using Autopsy, but open to any other ideas. Any guidance would be appreciated.

Thank you,

Rory  
 
  

JerryW
Member
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 15, 19 09:35

Does it work in FTK Imager if you 'Create Disk Image' and direct it to the AD1 file as the source; rather than 'Add Evidence Item'?  
 
  

AmNe5iA
Senior Member
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 15, 19 10:07

Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. Simplest way would be to create a vhd using Disk Management under Windows, then restore the files to that before taking it offline. Either use the vhd as your disk image or, if you need to, use some tool to "convert" it to a DD.  
 
  

jaclaz
Senior Member
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 15, 19 10:49

- AmNe5iA
Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. Simplest way would be to create a vhd using Disk Management under Windows, then restore the files to that before taking it offline. Either use the vhd as your disk image or, if you need to, use some tool to "convert" it to a DD.


And the result would be not an image (in the "normal" forensic sense), but rather a "container" device where files were written to, so most of the metadata that are available from a "physical" image will be "wrong".

Only for the record a .vhd (static) is ALREADY a dd (RAW) image with one single sector (the so-called CONECTIX sector) appended.

The conversion amounts to either:
1) ignore that sector
2) resize the file removing that sector

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
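The point above about a static (fixed) VHD being a raw image plus one trailing 512-byte "conectix" sector can be checked directly. The following is an added example, not code from the thread or from any of the tools named in it: it validates the fixed-VHD footer (cookie, disk type, size field and the footer's one's-complement checksum) and then applies option 2, dropping that sector to obtain the dd/raw image. The sample VHD it builds is constructed in-memory for illustration.

```python
import struct

VHD_COOKIE = b"conectix"
VHD_FOOTER_LEN = 512      # the single appended sector jaclaz refers to
VHD_TYPE_FIXED = 2        # 3 would be a dynamic VHD, which is NOT raw + footer
SECTOR = 512


def vhd_checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the byte sum with the checksum field (offset 64..68) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_fixed_vhd(data: bytes) -> dict:
    """Validate the trailing footer of a fixed VHD and return its size and type fields."""
    if len(data) < VHD_FOOTER_LEN or len(data) % SECTOR:
        raise ValueError("file too small or not sector-aligned")
    footer = data[-VHD_FOOTER_LEN:]
    if footer[:8] != VHD_COOKIE:
        raise ValueError("no 'conectix' cookie in last sector: not a VHD footer")
    (cur_size,) = struct.unpack(">Q", footer[48:56])          # big-endian 'current size'
    disk_type, checksum = struct.unpack(">II", footer[60:68])
    if disk_type != VHD_TYPE_FIXED:
        raise ValueError(f"disk type {disk_type} is not fixed; body is not a plain raw image")
    if checksum != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch")
    if cur_size != len(data) - VHD_FOOTER_LEN:
        raise ValueError("footer size field disagrees with file length")
    return {"current_size": cur_size, "disk_type": disk_type}


def fixed_vhd_to_raw(data: bytes) -> bytes:
    """Option 2 from the post: remove the footer sector; what remains is the dd (RAW) image."""
    info = parse_fixed_vhd(data)
    return data[: info["current_size"]]


def build_sample_fixed_vhd(raw: bytes) -> bytes:
    """Constructed sample: wrap raw sectors in a minimal but well-formed fixed-VHD footer."""
    f = bytearray(VHD_FOOTER_LEN)
    f[0:8] = VHD_COOKIE
    f[8:12] = struct.pack(">I", 2)                   # features: reserved bit always set
    f[12:16] = struct.pack(">I", 0x00010000)         # file format version 1.0
    f[16:24] = struct.pack(">Q", 0xFFFFFFFFFFFFFFFF)  # data offset: none for fixed disks
    f[40:48] = struct.pack(">Q", len(raw))           # original size
    f[48:56] = struct.pack(">Q", len(raw))           # current size
    f[60:64] = struct.pack(">I", VHD_TYPE_FIXED)
    f[64:68] = struct.pack(">I", vhd_checksum(bytes(f)))
    return raw + bytes(f)
```

Option 1 (ignoring the sector) is the same check followed by reading only the first `current_size` bytes, which is what a tool that mounts a fixed VHD as raw effectively does.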
 
  

sovietpecker
Member
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 15, 19 11:58

I am trying to understand why you are trying to create a raw image from the AD1 file. If you can see the files in the AD1 when loaded in FTK Imager then you should not have any issues. Just export all the files and work with them as they are. AD1 does not create an actual image; it is simply a container of files, as someone has already mentioned.

Paladin works seamlessly if you ever need to convert between various image types. Personally I never had an issue converting an E0x1 to like an E01. I guess you could try contacting Access Data to see if they can provide a solution.  
 
  

grizzlydigital
Newbie
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 16, 19 04:10

Thank you for the replies!

JerryW – I just tried your suggestion, it still came out AD1. On the Select Image Destination screen in FTK, it does not allow you to not fragment, which is reserved for the Raw DD, E01 and AFF formats.

AmNe5iA – wow, thank you, that makes sense. OK, I will research how to create a vhd.

Jaclaz – Hmmm, so does that mean I am barking up the wrong tree? It was odd that Paladin will not let me use the converter tool; the tab ‘Image List’ is stuck. I will try creating a physical test image and then try to use Paladin and see if I can actually use the converter.

Sovietpecker – I agree, this is more an exercise for learning/trying to see if others have done it. In this case, my mentor told me to try until I figure it out/do it, then report back to him. He has done it before but wants to see if I can. In the end, for the first example we just used FTK Imager to export a file listing, and in the second example it went to a fancy pants review platform that was able to ingest it. Sumuri Paladin support replied to me; after I post this I will be following up with them and will report back.

Update: I created a test image with FTK Imager, this time physical, and the Paladin converter worked, so you are correct, the Paladin converter was not working because there was not an 'image' to be converted. Still going to try the vhd, that seems interesting.  
 
  

jaclaz
Senior Member
 

Re: Convert .AD1 image to DD raw image

Post Posted: Nov 16, 19 09:56

Yep, the issue is with the "concept" or "definitions".

A "physical" dd-like image is a copy of an extent, i.e. it is a copy starting at sector m and extending for n sectors, no matter what the contents are.

Normally the source is a disk and m=0 and n=last sector of device.

An (encase) EWF (or .E01, etc.) is a dd-like image but compressed (and if needed split), additionally hashed.
An (FTK) "Smart" (or .s01, etc.) is as above.

See:
www.loc.gov/preservati...0406.shtml

So, independently from which format is used for storing the image, everything inside the extent is actually stored.

You can also make a "physical" image of a logical drive (or volume), if you have m=offset to the volume and n=size of the volume.

A "logical" image (.L01, .AD1) is a copy of a "structure" (like a volume, also called logical drive or a folder/directory), that has a whole number of prerequisites:
the structure needs to be valid
the imaging tool needs to be able to interpret the structure
the amount of filesystem or OS metadata (if any) captured by the tool depends on the specific filesystem and/or OS

And *anything* that the underlying structure does not expose is not captured (as an example unallocated areas).

So, with this (or that) tool, you can always recreate a perfect copy (or clone) of the original (actually the dd-like copy is an exact copy of the original already) if you captured "physical" (i.e. everything).

If you captured "logical" you essentially got "less" data, so that again you can use this (or that) tool to recreate a (less than perfect) copy of the original, but you need to recreate the data that wasn't captured. A "direct" conversion between logical and physical is not possible, and what Mount Image Pro and Forensic Explorer most probably do is automate the steps:
create a new, empty, "physical" (virtual) device
create in it the necessary structures (MBR/GPT, filesystem)
copy to it the (partial) data contained in the logical
capture a new "physical" image

This new "physical" image is not a "proper" copy; it is only some means to access the data captured in a different way.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
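The "physical image of a logical drive" case in the post above (m = offset to the volume, n = size of the volume) can be made concrete by reading m and n from an MBR partition table and copying exactly that extent, dd-style, regardless of its contents. This is an added example written for this thread, not code from any tool mentioned in it; the 64-sector disk it builds, with one partition of type 0x07 at sector 8 spanning 16 sectors, is a constructed sample.

```python
import hashlib
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446        # four 16-byte partition entries, then the 0x55AA signature
MBR_SIGNATURE = b"\x55\xaa"


def mbr_partitions(disk: bytes) -> list:
    """Read the four primary MBR entries; for each volume m = LBA start, n = sector count."""
    if disk[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 carries no 0x55AA signature; not an MBR disk")
    parts = []
    for i in range(4):
        e = disk[MBR_TABLE_OFFSET + 16 * i : MBR_TABLE_OFFSET + 16 * (i + 1)]
        ptype = e[4]                                   # partition type id
        lba_start, count = struct.unpack("<II", e[8:16])  # little-endian LBA start / size
        if ptype != 0 and count:
            parts.append({"type": ptype, "m": lba_start, "n": count})
    return parts


def copy_extent(disk: bytes, m: int, n: int) -> bytes:
    """dd-like copy: start at sector m and take n sectors, no matter what the contents are."""
    start, end = m * SECTOR, (m + n) * SECTOR
    if end > len(disk):
        raise ValueError("extent runs past the end of the device")
    return disk[start:end]


def sha256_hex(data: bytes) -> str:
    """Hash of an extent, so the volume image can be verified against the source extent."""
    return hashlib.sha256(data).hexdigest()


def build_sample_disk() -> bytes:
    """Constructed 64-sector disk: MBR with one 0x07 partition at sector 8, 16 sectors long."""
    disk = bytearray(64 * SECTOR)
    # status, CHS start (3), type 0x07, CHS end (3), then LBA start m=8 and size n=16
    entry = bytes([0x00, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 16)
    disk[MBR_TABLE_OFFSET : MBR_TABLE_OFFSET + 16] = entry
    disk[510:512] = MBR_SIGNATURE
    for s in range(8, 24):                              # fill the volume with a per-sector pattern
        disk[s * SECTOR : (s + 1) * SECTOR] = bytes([s]) * SECTOR
    return bytes(disk)
```

With m = 0 and n = the last sector, copy_extent returns the whole device, which is the usual physical image; anything outside the partition (here, the zeroed sectors 0 to 7 and 24 onwards) is exactly what a volume-only extent does not capture.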
 

Page 1 of 3