Mounting an image


keydet89
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 17:54

LiveView creates an extent description for my test image that includes these lines:

# Extent description
RW 9510417 FLAT "D:\hacking\image.dd" 0
RW 3843 ZERO

Using ProDiscover's VMWare support functionality, I get this instead:

# Extent description
RW 9514260 FLAT "image.dd"0

The drive geometry stuff is different in each file, which I think may be the issue. I found some info that lets me use vmware-mount.exe to mount the active snapshot produced by LiveView as a drive letter, but that isn't read-only. I'll need to do testing to come up with a suitable process.

Harlan  
 
  

hogfly
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 18:43

Where the heck did liveview come up with the 3843? That's probably what's throwing off your geometry. Does your image have a recovery partition?

What would happen, I wonder, if you took the liveview description and changed it to match the Prodiscover one?
 
  

keydet89
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 19:14

No, no recovery partition.

I added the two numbers in the extent description from the LiveView .vmdk file, and got the same value as in the ProDiscover .vmdk file. I removed the second line from the LiveView .vmdk file and replaced the value in the first line with the sum of the two values, and used VDKWin to mount the file structure read-only.

I also emailed the LiveView folks with the info to see what's up.

The only issue I see so far is getting from the dd image to the .vmdk file. Vmware-mount.exe, free from VMWare, lets you mount the image as a drive, but it's not read-only. An option would be to copy the dd image file, produce the .vmdk file for the copy of the image and then run your tests against the copy rather than the original.

Harlan  
 
  

hogfly
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 20:30

Harlan,
You should be able to mount the vmware image read only in linux using the vmware-mount -r command. I haven't tried this in windows though.

I don't have vdk or vmware-mount ready to test this, but does the /WB (for write block) flag in VDK help with mounting it read only?  
 
  

keydet89
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 20:43

hogfly,

I understand about Linux, but I'm trying to work out the process so that others (cops, junior analysts, etc.) can use it. I know that the easy answer would be to use Mount Image Pro, but I'm trying to come up with a freeware alternative that runs on Windows.

As far as the VDK solution, I found VDKWin to be useful and very beneficial for what I'm trying to do...it just doesn't have a "find all evidence" button!
 
  

mickpen
Member

Re: Mounting an image

Posted: Mar 27, 07 21:00

- keydet89
I found some info that lets me use vmware-mount.exe to mount the active snapshot produced by LiveView as a drive letter, but that isn't read-only. I'll need to do testing to come up with a suitable process.

Harlan


IMHO, if you can mount the snapshot and gain access as a drive letter then you have achieved 'pseudo' read-only access as all disk writes will be sent to the snapshot rather than modifying anything in the original dd image.

I don't use dd as a rule but maybe you could make your dd files read only, create the snapshot as you have done and then use vmware-mount for access as you have already described. Would this give you the desired result?  
 
  

keydet89
Senior Member

Re: Mounting an image

Posted: Mar 27, 07 21:14

Mickpen,

Yes, I received a response from the CERT guys along the same lines as what you said regarding the snapshot.

Hashing the image file itself (not the snapshot) before and after the process would be an effective way to go. This is all stuff that needs to be documented in the process.

Thanks,

Harlan  
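The before-and-after hash Harlan mentions, together with mickpen's point that writes should land in the snapshot rather than in the image, is easy to capture in a script that a junior analyst can run as part of the documented process. The following is an added example, not code from the thread or from any of the tools discussed; the image contents, the snapshot file name and the working directory are all constructed. It records size, SHA-256 and a UTC timestamp for the image before the mount step, re-hashes afterwards, and reports a mismatch if the image itself was touched; the snapshot file is expected to change and is therefore not part of the comparison.

```python
"""Record and verify a dd image's hash around a mount/analysis step (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images are never loaded whole


def hash_file(path, algo="sha256"):
    """Hex digest of a file, streamed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path, algo="sha256"):
    """Identity record for the process log: path, size, digest, when it was taken."""
    return {"path": path, "size": os.path.getsize(path), "algo": algo,
            "digest": hash_file(path, algo),
            "at": datetime.now(timezone.utc).isoformat()}


def verify_unchanged(before):
    """Re-hash the file named in `before`; return (unchanged, after_record)."""
    after = record(before["path"], before["algo"])
    return (before["digest"] == after["digest"] and before["size"] == after["size"]), after


def demo(workdir=None):
    """Walk through the process on a constructed image and return what was observed."""
    workdir = workdir or tempfile.mkdtemp()
    image = os.path.join(workdir, "image.dd")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 256)     # 64 KiB constructed stand-in for a dd image

    # Known-answer check so a wrong hashlib call or a truncated read cannot go unnoticed.
    kat = os.path.join(workdir, "abc.bin")
    with open(kat, "wb") as f:
        f.write(b"abc")
    kat_ok = hash_file(kat) == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

    before = record(image)
    # --- mount and examine here; with a snapshot, writes go to a delta file ---
    snapshot = os.path.join(workdir, "image-000001-s001.vmdk")  # constructed name
    with open(snapshot, "wb") as f:
        f.write(b"delta data written during examination")
    untouched_ok, after = verify_unchanged(before)

    # Now simulate the failure case: something appended to the image itself.
    with open(image, "ab") as f:
        f.write(b"\x00")
    tampered_ok, _ = verify_unchanged(before)

    return {"kat_ok": kat_ok, "untouched_ok": untouched_ok,
            "tampered_ok": tampered_ok, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    for k in ("kat_ok", "untouched_ok", "tampered_ok"):
        print(k, result[k])
    print(result["before"])
```

Keep the `before` record with the case notes: the digest and size are what you compare the original image against at the end of the examination, and the timestamp ties the hash to the point in the process at which it was taken.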
 

Page 4 of 10