Convert .AD1 image to DD raw image

grizzlydigital
(@grizzlydigital)
Posts: 14
Active Member
Topic starter
 

Hello,
Looking for an alternative method to convert .ad1 image to DD.

I have heard Mount Image Pro and Forensic Explorer can accomplish this, but I am treating it more like a challenge to learn and MacGyver a solution, if possible.

Here is the context:
Context 1: Recently had a limited amount of time to access a desktop for collection, so used FTK Imager 4.2.1.4 to collect the logical C: drive, so FTK Imager’s output was automatically AD1.
Context 2: A colleague with the same issue (limited amount of time) was instructed to perform a live targeted collection; he used FTK Imager to collect a user folder (FTK lists it as ‘Contents of a Folder’ when you are choosing the type of image you want to create, i.e. Physical/Logical, etc.).

Back at the lab, EnCase would not ingest the ad1 images.

Here is what I have tried:
Tried using FTK Imager (not the full suite, just imager) to export the image, but that option is greyed out (Selected File, Add Evidence Item, Once added to evidence tree on left, right clicked, but ‘Export Disk Image…’ greyed out/not selectable).

Tried Paladin 7.05 USB, the Paladin Toolbox has an Image Converter option. Read the manual and confirmed it wants the external drive mounted as RW, so mounted drive containing the image. Was unable to use Paladin Image Converter even after following the instructions and mounting RW. I cannot click/select ‘Image List’ - it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right hand side does not do anything.

Tried googling, checked youtube, and of course checked these forums before posting. Mostly finding info on E01 to DD, or forums telling me to purchase Forensic Explorer.

Do I need to perform an update? It says Paladin 7.05 on the toolbox. Any guidance is appreciated. Emailed Sumuri, so far haven’t heard back, wondering if it's a bug or I need to update my Paladin, as it was strange that Paladin Toolbox’s Image Converter is stuck/unclickable for the tab ‘Image List’ - it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right hand side does not do anything.

Back at the lab I just created a small test image of a folder with FTK Imager in ad1, tried the different versions of Paladin including 32-bit Paladin Edge, same issue: cannot get the converter to list the ad1 image.

One colleague I shared the above with has recommended I try Autopsy, which is included in the Paladin accessories, as well as in Kali Linux. I have found some content online for creating a DD image with linux, but I want to ensure that I convert the ad1 to DD, not just create a DD image containing the ad1 file!

I will try using Autopsy, but open to any other ideas. Any guidance would be appreciated.

Thank you,

Rory

 
Posted : 15/11/2019 4:59 am
(@jerryw)
Posts: 56
Trusted Member
 

Does it work in FTK Imager if you 'Create Disk Image' and direct it to the AD1 file as the source; rather than 'Add Evidence Item'?

 
Posted : 15/11/2019 9:35 am
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. The simplest way would be to create a vhd using Disk Management under Windows, then restore the files to that before taking it offline. Either use the vhd as your disk image or, if you need to, use some tool to "convert" it to a DD.

 
Posted : 15/11/2019 10:07 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

“Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. The simplest way would be to create a vhd using Disk Management under Windows, then restore the files to that before taking it offline. Either use the vhd as your disk image or, if you need to, use some tool to "convert" it to a DD.”

And the result would be not an image (in the "normal" forensic sense), but rather a "container" device where files were written to, so most of the metadata that are available from a "physical" image will be "wrong".

Only for the record a .vhd (static) is ALREADY a dd (RAW) image with one single sector (the so-called CONECTIX sector) appended.

The conversion amounts to either:
1) ignore that sector
2) resize the file removing that sector

jaclaz

 
Posted : 15/11/2019 10:49 am
(@d1m4g3r)
Posts: 28
Eminent Member
 

I am trying to understand why you are trying to create a raw image from the AD1 file. If you can see the files in the AD1 when loaded in FTK Imager then you should not have any issues. Just export all the files and work with them as they are. AD1 does not create an actual image, it is simply a container of files, as someone has already mentioned.

Paladin works seamlessly if you ever need to convert between various image types. Personally I never had an issue converting a E0x1 to like an E01. I guess you could try contacting AccessData to see if they can provide a solution.

 
Posted : 15/11/2019 11:58 am
grizzlydigital
(@grizzlydigital)
Posts: 14
Active Member
Topic starter
 

Thank you for the replies!

JerryW – I just tried your suggestion, it still came out AD1. On the Select Image Destination screen in FTK, it does not allow you to not fragment, which is reserved for the Raw DD, E01 and AFF formats.

AmNe5iA – wow thank you, that makes sense. Ok I will research how to create a vhd

Jaclaz – Hmmm, so does that mean I am barking up the wrong tree? It was odd that Paladin will not let me use the converter tool; the tab ‘Image List’ is stuck. I will try creating a physical test image and then try to use Paladin and see if I can actually use the converter.

Sovietpecker – I agree, this is more an exercise for learning/trying to see if others have done it. In this case, my mentor told me to try until I figure it out/do it, then report back to him. He has done it before but wants to see if I can. In the end, for the first example we just used FTK Imager to export the file listing, and in the second example it went to a fancy pants review platform that was able to ingest it. Sumuri Paladin support replied to me; after I post this I will be following up with them and will report back.

Update: I created a test image with FTK Imager, this time physical, and the Paladin converter worked, so you are correct, the Paladin converter was not working because there was not an 'image' to be converted. Still going to try the vhd, that seems interesting.

 
Posted : 16/11/2019 4:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yep, the issue is with the "concept" or "definitions".

A "physical" dd-like image is a copy of an extent, i.e. it is a copy starting at sector m and extending for n sectors, no matter what the contents are.

Normally the source is a disk and m=0 and n=last sector of device.

An (encase) EWF (or .E01, etc.) is a dd-like image but compressed (and if needed split), additionally hashed.
An (FTK) "Smart" (or .s01, etc.) is as above.

See
https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml

So, independently from which format is used for storing the image, everything inside the extent is actually stored.

You can also make a "physical" image of a logical drive (or volume), if you have m=offset to the volume and n=size of the volume.

A "logical" image (.L01, .AD1) is a copy of a "structure" (like a volume, also called logical drive, or a folder/directory), that has a whole number of prerequisites:
1) the structure needs to be valid
2) the imaging tool needs to be able to interpret the structure
3) the amount of filesystem or OS metadata (if any) captured by the tool depends on the specific filesystem and/or OS

And *anything* that the underlying structure does not expose is not captured (as an example unallocated areas).

So, with this (or that) tool, you can always recreate a perfect copy (or clone) of the original (actually the dd-like copy is an exact copy of the original already) if you captured "physical" (i.e. everything).

If you captured "logical" you essentially got "less" data, so that again you can use this (or that) tool to recreate a (less than perfect) copy of the original, but you need to recreate the data that wasn't captured. A "direct" conversion between logical and physical is not possible, and what Mount Image Pro and Forensic Explorer most probably do is to automate the steps:
1) create a new, empty, "physical" (virtual) device
2) create in it the necessary structures (MBR/GPT, filesystem)
3) copy to it the (partial) data contained in the logical
4) capture a new "physical" image

This new "physical" image is not a "proper" copy it is only some means to access the data captured in a different way.

jaclaz

 
Posted : 16/11/2019 9:56 am
grizzlydigital
(@grizzlydigital)
Posts: 14
Active Member
Topic starter
 

jaclaz -

Wow, thank you, your explanation helped me grasp the concept in a way that had not stuck before. If it's not too much trouble, can you please elaborate / point me to any resources/tutorials on your comments below? I would like to test out/learn to complete the scenarios you describe.

“You can also make a "physical" image of a logical drive (or volume), if you have m=offset to the volume and n=size of the volume.”

This is what I am very interested in, being able to use the command line to create a “physical” image of a logical drive (or volume).


“what Mount Image Pro and Forensic Explorer most probably do is to automate the steps
1) create a new, empty, "physical" (virtual) device
2) create in it the necessary structures (MBR/GPT, filesystem)
3) copy to it the (partial) data contained in the logical
4) capture a new "physical" image”

So the process you describe above can be run from the command line? I would love to use my test laptop and do exactly as you say above, it sounds like a challenge.

Forgive my ignorance, and I am off to read the link you provided!

 
Posted : 17/11/2019 1:21 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Let's use a fictitious disk-like device as an example with 1,000,000 sectors (with sectors sized 512 bytes each).
This gives us a total size of 512,000,000 bytes, made of 1,000,000 sectors addressed from sector LBA (offset) 0.

Let's say that on windows, the device is seen as Disk 2 or \\.\PhysicalDrive2 [1].

So a command to make an image of the whole device would be, on a "normal" dd tool [2]:
dd if=\\.\PhysicalDrive2 of=D:\myniceimageofPH2.dd bs=512 skip=0 count=1000000

With dsfo http://members.ozemail.com.au/~nulifetv/freezip/freeware/
dsfo \\.\PhysicalDrive2 0 512000000 D:\myniceimageofPH2.dd

With dd for Windows http://www.chrysocome.net/dd

dd if=\\?\Device\Harddisk2\Partition0 of=D:\myniceimageofPH2.dd bs=512 skip=0 count=1000000

etc.

Now, the disk device is partitioned; let us assume MBR style and with just one primary partition/volume.
The data in the MBR partition table will tell you where (LBA/offset) the volume begins and how many sectors in size it is.
On a modern windows the first partition has normally 2048 sectors before (i.e. it starts at LBA 2048) and - to fit in our fictitious device it must be less than (1000000-2048) 997952 sectors, let's say that this partition is 600000 sectors in size and that the rest of the device is unallocated/unused.

If the partition table is valid, Windows will mount the volume and assign to it a drive letter, let's say F:.

If you want to copy just that volume you can have:
dsfo \\.\F: 0 307200000 D:\myniceimageofF.dd

With dd for Windows:
dd if=\\?\Device\Harddisk2\Partition1 of=D:\myniceimageofF.dd bs=512 skip=0 count=600000

But you can also image directly the extent in which the volume is residing:
http://www.chrysocome.net/dd-backdoor
dd if=\\?\Device\Harddisk2\Partition0 of=D:\myniceimageofF.dd bs=512 skip=2048 count=600000

And once you will have digested the above and made some experiments with various dd-like tools, we will talk of the twilight zone 😯

http://reboot.pro/topic/18034-mounting-partition-raw-image-created-with-dsfo/

jaclaz

[1] a device may be accessible under different syntaxes/IDs on NT systems, and one program may use the one or the other
[2] which is not so normal on Windows, see (for the fun of it)
http://reboot.pro/topic/15207-why-everything-is-so-dmn-diificult-a-web-quest-for-ddexe/

 
Posted : 17/11/2019 10:27 am
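A scaled-down, runnable illustration of two points jaclaz makes above, added here and not code from any poster in the thread: a fixed (static) .vhd is a raw dd image with one "conectix" footer sector appended, and a volume inside a raw image is just the extent named by its MBR partition entry, i.e. what `dd bs=512 skip=<start LBA> count=<sectors>` copies. The disk below is a constructed 4096-sector toy with one partition at LBA 2048, not the 1,000,000-sector example; the field offsets are those of the MBR and the VHD footer.

```python
import struct

SECTOR = 512


def strip_vhd_footer(vhd: bytes) -> bytes:
    """Fixed VHD -> raw image: drop the trailing 512-byte footer.
    The footer begins with the cookie "conectix"; disk type 2 (big-endian
    uint32 at footer offset 60) means fixed-size, the only kind that is raw + footer."""
    footer = vhd[-SECTOR:]
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer found")
    if struct.unpack(">I", footer[60:64])[0] != 2:
        raise ValueError("only fixed (static) VHDs are raw + one footer sector")
    return vhd[:-SECTOR]


def parse_mbr(sector0: bytes) -> list:
    """Return (partition type, start LBA, sector count) for each used MBR entry.
    Entries are 16 bytes each at offset 446; start LBA and count are little-endian."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((ptype, start, count))
    return parts


def extract_extent(image: bytes, skip: int, count: int) -> bytes:
    """Same bytes as: dd if=image of=volume.dd bs=512 skip=<skip> count=<count>."""
    return image[skip * SECTOR:(skip + count) * SECTOR]


def build_sample_vhd(total_sectors=4096, part_start=2048, part_sectors=1024) -> bytes:
    """Constructed test input: MBR with one NTFS-typed (0x07) partition, then a VHD footer."""
    img = bytearray(total_sectors * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_sectors)
    img[510:512] = b"\x55\xAA"
    # Fake NTFS boot-sector prefix at the volume start so the extracted extent is recognisable.
    img[part_start * SECTOR: part_start * SECTOR + 11] = b"\xEB\x52\x90NTFS    "
    footer = bytearray(SECTOR)
    footer[:8] = b"conectix"
    footer[60:64] = struct.pack(">I", 2)  # disk type: fixed
    return bytes(img) + bytes(footer)
```

Running `strip_vhd_footer` then `parse_mbr` on sector 0 yields the skip/count pair to hand to `extract_extent` (or to dd), which is the volume-only image jaclaz describes.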
grizzlydigital
(@grizzlydigital)
Posts: 14
Active Member
Topic starter
 

jaclaz -

Man, thank you. I apologize for late reply, and as soon as I can catch my breath I will report back with my attempts.

I did receive an update from Sumuri regarding Paladin

"As of now Paladin does not support AD1 files that is why it is not detecting it for conversion. We will add it to our list for future updates to Paladin."

Makes sense, based on your explanation and others on the thread.

Cheers

 
Posted : 21/11/2019 5:06 am