Convert .AD1 image to DD raw image  

grizzlydigital
(@grizzlydigital)
New Member

Hello,
Looking for an alternative method to convert .ad1 image to DD.

I have heard Mount Image Pro and Forensic Explorer can accomplish this, but I am treating it more like a challenge to learn and MacGyver a solution, if possible.

Here is the context:
Context 1: Recently had a limited amount of time to access a desktop for collection, so used FTK Imager 4.2.1.4 to collect the logical C: drive, so FTK Imager's output was automatically AD1.
Context 2: A colleague with the same issue (limited amount of time) was instructed to perform a live targeted collection; he used FTK Imager to collect a user folder (FTK lists it as 'Contents of a Folder' when you are choosing the type of image you want to create, i.e. Physical/Logical, etc.).

Back at the lab, EnCase would not ingest the ad1 images.

Here is what I have tried:
Tried using FTK Imager (not the full suite, just Imager) to export the image, but that option is greyed out (selected File, Add Evidence Item; once added to the evidence tree on the left, right-clicked, but 'Export Disk Image…' is greyed out/not selectable).

Tried Paladin 7.05 USB; the Paladin Toolbox has an Image Converter option. Read the manual and confirmed it wants the external drive mounted as RW, so mounted the drive containing the image. Was unable to use the Paladin Image Converter even after following the instructions and mounting RW. I cannot click/select 'Image List': it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right-hand side does not do anything.

Tried googling, checked youtube, and of course checked these forums before posting. Mostly finding info on E01 to DD, or forums telling me to purchase Forensic Explorer.

Do I need to perform an update? It says Paladin 7.05 on the toolbox. Any guidance is appreciated. Emailed Sumuri, so far haven't heard back; wondering if it's a bug or I need to update my Paladin, as it was strange that Paladin Toolbox's Image Converter is stuck/unclickable for the tab 'Image List': it does not list any images, cannot be selected to make it drop down, and clicking the refresh button on the right-hand side does not do anything.

Back at the lab I just created a small test image of a folder with FTK Imager in AD1, tried the different versions of Paladin including 32-bit Paladin Edge, same issue: cannot get the converter to list the AD1 image.

One colleague I shared the above with has recommended I try Autopsy, which is included in the Paladin accessories as well as in Kali Linux. I have found some content online for creating a DD image with Linux, but I want to ensure that I convert the AD1 to DD, not just create a DD image containing the AD1 file!

I will try using Autopsy, but open to any other ideas. Any guidance would be appreciated.

Thank you,

Rory

Posted : 15/11/2019 4:59 am
JerryW
(@jerryw)
Junior Member

Does it work in FTK Imager if you 'Create Disk Image' and direct it to the AD1 file as the source; rather than 'Add Evidence Item'?

Posted : 15/11/2019 9:35 am
AmNe5iA
(@amne5ia)
Active Member

Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. The simplest way would be to create a VHD using Disk Management under Windows, then restore the files to that before taking it offline. Either use the VHD as your disk image or, if you need to, use some tool to "convert" it to a DD.

Posted : 15/11/2019 10:07 am
jaclaz
(@jaclaz)
Community Legend

> Essentially what you are trying to do is create a disk image out of something that isn't a disk image. An AD1 is just a collection of files, similar in concept to files in a zip file. To create a disk image out of that you need to restore the files to an actual disk and then image that. The simplest way would be to create a VHD using Disk Management under Windows, then restore the files to that before taking it offline. Either use the VHD as your disk image or, if you need to, use some tool to "convert" it to a DD.

And the result would be not an image (in the "normal" forensic sense), but rather a "container" device where files were written to, so most of the metadata that are available from a "physical" image will be "wrong".

Only for the record, a .vhd (static) is ALREADY a dd (RAW) image with one single sector (the so-called CONECTIX sector) appended.

The conversion amounts to either:
1) ignore that sector
2) resize the file, removing that sector

jaclaz

Posted : 15/11/2019 10:49 am
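The footer-stripping conversion jaclaz describes, as an added example (this is not code from the thread or from any tool mentioned in it): it builds a constructed fixed VHD in memory, validates the trailing "conectix" sector (cookie, checksum, disk type) and then either reports the raw extent to read while ignoring the footer (option 1) or returns the data with the footer removed (option 2). The footer layout and the one's-complement checksum rule are those of the published VHD format; the creator tag "tstp" and the zeroed geometry/UUID are assumptions for test data only.

```python
"""Fixed VHD -> raw: the "ignore/strip the trailing conectix sector" conversion.

Added example, not from the thread. A small fixed VHD is constructed in memory
so this runs offline; on a real file you would read its last 512 bytes, run the
same checks, and then truncate (or copy everything before the footer).
"""
import struct

SECTOR = 512
VHD_COOKIE = b"conectix"
VHD_DISK_TYPE_FIXED = 2
# Footer layout, big-endian, first 68 bytes; the rest is uuid(16)+saved_state(1)+reserved(427)
_FOOTER_FMT = ">8sIIQI4sI4sQQIII"
_CHECKSUM_OFFSET = 64


def _footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer, with the checksum field treated as zero."""
    total = sum(footer[:_CHECKSUM_OFFSET]) + sum(footer[_CHECKSUM_OFFSET + 4:])
    return (~total) & 0xFFFFFFFF


def build_fixed_vhd_footer(current_size: int) -> bytes:
    """Construct a minimal fixed-disk footer (assumed creator tag, zero geometry/uuid: test data only)."""
    head = struct.pack(_FOOTER_FMT, VHD_COOKIE, 2, 0x00010000,
                       0xFFFFFFFFFFFFFFFF,          # data offset: "none" for fixed disks
                       0, b"tstp", 0x00010000, b"Wi2k",
                       current_size, current_size, 0, VHD_DISK_TYPE_FIXED, 0)
    footer = bytearray(head + bytes(SECTOR - len(head)))
    struct.pack_into(">I", footer, _CHECKSUM_OFFSET, _footer_checksum(bytes(footer)))
    return bytes(footer)


def parse_fixed_vhd_footer(footer: bytes) -> dict:
    """Validate the last sector and return the sizes recorded in it."""
    if len(footer) != SECTOR:
        raise ValueError("footer must be exactly one 512-byte sector")
    (cookie, _features, _ver, data_off, _ts, _app, _appver, _host,
     original_size, current_size, _geom, disk_type, checksum) = struct.unpack(_FOOTER_FMT, footer[:68])
    if cookie != VHD_COOKIE:
        raise ValueError("no 'conectix' cookie in the last sector: not a VHD (or already raw)")
    if checksum != _footer_checksum(footer):
        raise ValueError("footer checksum mismatch: corrupt or truncated file")
    if disk_type != VHD_DISK_TYPE_FIXED:
        raise ValueError(f"disk type {disk_type} is dynamic/differencing: its data is not one "
                         "contiguous raw extent, so stripping the footer is not a conversion")
    return {"original_size": original_size, "current_size": current_size,
            "disk_type": disk_type, "data_offset": data_off}


def raw_extent_of_fixed_vhd(vhd_len: int, footer: bytes) -> tuple:
    """Option 1: keep the file, read only bytes [0, current_size) and ignore the footer."""
    info = parse_fixed_vhd_footer(footer)
    if info["current_size"] != vhd_len - SECTOR:
        raise ValueError("current_size does not match file length minus one sector")
    return 0, info["current_size"]


def vhd_fixed_to_raw(vhd: bytes) -> bytes:
    """Option 2: produce the dd-style image by dropping the footer sector."""
    start, length = raw_extent_of_fixed_vhd(len(vhd), vhd[-SECTOR:])
    return vhd[start:start + length]


if __name__ == "__main__":
    payload = bytes(range(256)) * 8           # constructed 4-sector "disk" contents
    vhd = payload + build_fixed_vhd_footer(len(payload))
    raw = vhd_fixed_to_raw(vhd)
    print(f"fixed VHD {len(vhd)} bytes -> raw {len(raw)} bytes, identical: {raw == payload}")
```

A dynamic VHD also ends in this footer (and carries a copy of it at the start), but its disk type is 3 and its data lives in a block table, so the check refuses it rather than producing a "raw" file that is not one.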
sovietpecker
(@sovietpecker)
Junior Member

I am trying to understand why you are trying to create a raw image from the AD1 file. If you can see the files in the AD1 when loaded in FTK Imager then you should not have any issues. Just export all the files and work with them as they are. AD1 does not create an actual image, it is simply a container of files, as someone has already mentioned.

Paladin works seamlessly if you ever need to convert between various image types. Personally I never had an issue converting an E0x1 to, like, an E01. I guess you could try contacting AccessData to see if they can provide a solution.

Posted : 15/11/2019 11:58 am
grizzlydigital
(@grizzlydigital)
New Member

Thank you for the replies!

JerryW – I just tried your suggestion; it still came out AD1. On the Select Image Destination screen in FTK, it does not allow you to not fragment, which is reserved for the Raw DD, E01 and AFF formats.

AmNe5iA – wow thank you, that makes sense. Ok I will research how to create a vhd

Jaclaz – Hmmm, so does that mean I am barking up the wrong tree? It was odd that Paladin will not let me use the converter tool; the tab ‘Image List’ is stuck. I will try creating a physical test image and then try to use Paladin and see if I can actually use the converter.

Sovietpecker – I agree, this is more an exercise for learning/trying to see if others have done it. In this case, my mentor told me to try until I figure it out/do it then report back to him. He has done it before but wants to see if I can. In the end, for the first example we just used FTK Imager to export file listing, and in second example it went to a fancy pants review platform that was able to ingest it. Sumuri Paladin support replied to me, after I post this will be following up with them and will report back.

Update: I created a test image with FTK Imager, this time physical, and the Paladin converter worked, so you are correct, the Paladin converter was not working because there was no 'image' to be converted. Still going to try the VHD, that seems interesting.

Posted : 16/11/2019 4:10 am
jaclaz
(@jaclaz)
Community Legend

Yep, the issue is with the "concept" or "definitions".

A "physical" dd-like image is a copy of an extent, i.e. it is a copy starting at sector m and extending for n sectors, no matter what the contents are.

Normally the source is a disk and m=0 and n=last sector of device.

An (EnCase) EWF (or .E01, etc.) is a dd-like image but compressed (and if needed split), additionally hashed.
An (FTK) "Smart" (or .s01, etc.) is as above.

See
https://www.loc.gov/preservation/digital/formats/fdd/fdd000406.shtml

So, independently from which format is used for storing the image, everything inside the extent is actually stored.

You can also make a "physical" image of a logical drive (or volume), if you have m=offset to the volume and n=size of the volume.

A "logical" image (.L01, .AD1) is a copy of a "structure" (like a volume, also called logical drive, or a folder/directory), that has a whole number of prerequisites:
1) the structure needs to be valid
2) the imaging tool needs to be able to interpret the structure
3) the amount of filesystem or OS metadata (if any) captured by the tool depends on the specific filesystem and/or OS

And *anything* that the underlying structure does not expose is not captured (as an example unallocated areas).

So, with this (or that) tool, you can always recreate a perfect copy (or clone) of the original (actually the dd-like copy is an exact copy of the original already) if you captured "physical" (i.e. everything).

If you captured "logical" you essentially got "less" data, so that again you can use this (or that) tool to recreate a (less than perfect) copy of the original, but you need to recreate the data that wasn't captured; a "direct" conversion between logical and physical is not possible, and what Mount Image Pro and Forensic Explorer most probably do is to automate the steps:
1) create a new, empty, "physical" (virtual) device
2) create in it the necessary structures (MBR/GPT, filesystem)
3) copy to it the (partial) data contained in the logical
4) capture a new "physical" image

This new "physical" image is not a "proper" copy; it is only some means to access the data captured in a different way.

jaclaz

Posted : 16/11/2019 9:56 am
grizzlydigital
(@grizzlydigital)
New Member

jaclaz -

Wow, thank you, your explanation helped me grasp the concept in a way that had not stuck before. If it's not too much trouble, can you please elaborate / point me to any resources/tutorials on your comments below? I would like to test out/learn to complete the scenarios you describe.

“You can also make a "physical" image of a logical drive (or volume), if you have m=offset to the volume and n=size of the volume.”

This is what I am very interested in, being able to use the command line to create a “physical” image of a logical drive (or volume).


“what Mount Image Pro and Forensic Explorer most probably do is to automate the steps
create a new, empty, "physical" (virtual) device
create in it the necessary structures (MBR/GPT, filesystem)
copy to it the (partial) data contained in the logical
capture a new "physical" image”

So the process you describe above can be run from the command line? I would love to use my test laptop and do exactly as you say above, it sounds like a challenge.

Forgive my ignorance, and I am off to read the link you provided!

Posted : 17/11/2019 1:21 am
jaclaz
(@jaclaz)
Community Legend

Let's use a fictitious disk-like device as an example with 1,000,000 sectors (with sectors sized 512 bytes each).
This gives us a total size of 512,000,000 bytes, made of 1,000,000 sectors addressed from sector LBA (offset) 0.

Let's say that on windows, the device is seen as Disk 2 or \\.\PhysicalDrive2 [1].

So a command to make an image of the whole device would be, with a "normal" dd tool [2]:
dd if=\\.\PhysicalDrive2 of=D:\myniceimageofPH2.dd bs=512 skip=0 count=1000000

With dsfo http://members.ozemail.com.au/~nulifetv/freezip/freeware/
dsfo \\.\PhysicalDrive2 0 512000000 D:\myniceimageofPH2.dd

With dd for Windows http://www.chrysocome.net/dd

dd if=\\?\Device\Harddisk2\Partition0 of=D:\myniceimageofPH2.dd bs=512 skip=0 count=1000000

etc.

Now, the disk device is partitioned; let us assume MBR style and with just one primary partition/volume.
The data in the MBR partition table will tell you where (LBA/offset) the volume begins and how many sectors in size it is.
On a modern windows the first partition has normally 2048 sectors before (i.e. it starts at LBA 2048) and - to fit in our fictitious device it must be less than (1000000-2048) 997952 sectors, let's say that this partition is 600000 sectors in size and that the rest of the device is unallocated/unused.

If the partition table is valid, Windows will mount the volume and assign it a drive letter, let's say F:.

If you want to copy just that volume you can use
dsfo \\.\F: 0 307200000 D:\myniceimageofF.dd

With dd for Windows
dd if=\\?\Device\Harddisk2\Partition1 of=D:\myniceimageofF.dd bs=512 skip=0 count=600000

But you can also image directly the extent in which the volume is residing
http://www.chrysocome.net/dd-backdoor
dd if=\\?\Device\Harddisk2\Partition0 of=D:\myniceimageofF.dd bs=512 skip=2048 count=600000

And once you will have digested the above and made some experiments with various dd-like tools, we will talk of the twilight zone 😯

http://reboot.pro/topic/18034-mounting-partition-raw-image-created-with-dsfo/

jaclaz

[1] a device may be accessible under different syntax/ID's on NT systems and one program may use the one or the other
[2] which is not so normal on Windows, see (for the fun of it)
http://reboot.pro/topic/15207-why-everything-is-so-dmn-diificult-a-web-quest-for-ddexe/

Posted : 17/11/2019 10:27 am
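An added example (not the thread's code, and not from any of the tools it names) of the m/n arithmetic in the post above and of jaclaz's earlier remark that a "physical" image of a logical volume only needs m = offset and n = size: it reads the four primary entries of an MBR to get each volume's start LBA and sector count, checks that the extent fits inside the device (the 1,000,000 - 2,048 bound above), and produces the dd skip/count that images only that extent. The device is constructed in memory (64 sectors, one partition at LBA 8) so it runs offline; on a real disk you would read the first sector of \\.\PhysicalDrive2 instead. A GPT disk shows up here only as a 0xEE protective entry; parsing the GPT header itself is outside this example.

```python
"""Find m (start LBA) and n (sector count) of a volume from the MBR partition
table, then image exactly that extent. Added example, not from the thread; the
device image is constructed test data, not a real disk.
"""
import struct
from typing import Optional

SECTOR = 512
_TABLE_OFFSET = 446       # four 16-byte entries, then the 0x55AA signature at 510
_ENTRY_LEN = 16
_PROTECTIVE_GPT = 0xEE
_EXTENDED = (0x05, 0x0F)


def parse_mbr(mbr: bytes, device_sectors: Optional[int] = None) -> list:
    """Return the non-empty primary entries as dicts; lba_start/sectors are the m and n above."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature: not an MBR (unpartitioned or damaged)")
    entries = []
    for i in range(4):
        e = mbr[_TABLE_OFFSET + i * _ENTRY_LEN: _TABLE_OFFSET + (i + 1) * _ENTRY_LEN]
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack_from("<II", e, 8)   # little-endian LBA fields
        if ptype == 0 or sectors == 0:
            continue
        if device_sectors is not None and lba_start + sectors > device_sectors:
            raise ValueError(f"entry {i}: extent [{lba_start}, {lba_start + sectors}) "
                             f"does not fit in a {device_sectors}-sector device")
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "protective_gpt": ptype == _PROTECTIVE_GPT,
                        "extended": ptype in _EXTENDED})
    return entries


def dd_command(src: str, dst: str, lba_start: int, sectors: int) -> str:
    """The dd invocation that images only this extent from the whole device."""
    return f"dd if={src} of={dst} bs={SECTOR} skip={lba_start} count={sectors}"


def extract_extent(image: bytes, lba_start: int, sectors: int) -> bytes:
    """What dd with skip/count does, applied to an in-memory image."""
    start, end = lba_start * SECTOR, (lba_start + sectors) * SECTOR
    if end > len(image):
        raise ValueError("extent runs past the end of the image")
    return image[start:end]


def build_test_image(total_sectors: int = 64, part_lba: int = 8, part_sectors: int = 40) -> bytes:
    """Constructed device: MBR with one bootable NTFS-typed (0x07) primary partition.

    Every sector inside the partition is filled with its own LBA (mod 256) so the
    extracted extent can be checked for being exactly the right sectors.
    """
    img = bytearray(total_sectors * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_lba, part_sectors)
    img[_TABLE_OFFSET:_TABLE_OFFSET + _ENTRY_LEN] = entry
    img[510:512] = b"\x55\xAA"
    for lba in range(part_lba, part_lba + part_sectors):
        img[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba & 0xFF]) * SECTOR
    return bytes(img)


if __name__ == "__main__":
    img = build_test_image()
    for p in parse_mbr(img[:SECTOR], device_sectors=len(img) // SECTOR):
        print(p)
        print(dd_command(r"\\?\Device\Harddisk2\Partition0", r"D:\myniceimageofF.dd",
                         p["lba_start"], p["sectors"]))
        vol = extract_extent(img, p["lba_start"], p["sectors"])
        print(f"volume image: {len(vol)} bytes, first sector tag {vol[0]}, last {vol[-1]}")
```

Pass the real device's sector count as device_sectors: a table entry that runs past the end of the device is the first sign of a damaged or copied MBR, and dd would otherwise just stop short and give you a silently truncated volume image.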
grizzlydigital
(@grizzlydigital)
New Member

jaclaz -

Man, thank you. I apologize for late reply, and as soon as I can catch my breath I will report back with my attempts.

I did receive an update from Sumuri regarding Paladin

"As of now Paladin does not support AD1 files that is why it is not detecting it for conversion. We will add it to our list for future updates to Paladin."

Makes sense, based on your explanation and others on the thread.

Cheers

Posted : 21/11/2019 5:06 am
bshavers
(@bshavers)
Active Member

An easy solution to future collections to avoid converting logical images is to create a real image with X-Ways. I suspect other tools will eventually catch on to what X-Ways does, but it's worth taking a look at X-Ways Forensics or just the X-Ways Imager (less expensive than X-Ways Forensics).

Take a look at the chart of Cleansed/Skeleton/Container formats for specs: http://x-ways.net/investigator/containers_vs_skeleton_images.html

One of the neat things is "Preserves original offsets and original distances between various data and metadata". X-Ways images the disk with only the files you select, or doesn't image the files you don't want (there is a difference in concept and result with each of these).

Files selected to be imaged are those that you want and nothing else, such as only MS Word docs (Skeleton image).
Files omitted from imaging are those that you don't want, like privileged data (Cleansed image).

I've mostly gone away from containers in ediscovery collections since you can make a real forensic image of responsive files without having to convert a container into another format to work in different tools. If a client or opposing expert wants a container, the X-Ways (cleansed or skeleton) image can be used to create a container using FTK Imager or other container tool.

Posted : 21/11/2019 6:58 pm
jaclaz
(@jaclaz)
Community Legend

@bitshavers

With all due respect, those are exceptionally good solutions :) to some cases only (and in the hands of people that really know where their towel is).

With a RAW (or dd-like or "physical") image (which takes time to create, uses a lot of disk space, etc.) you have 100% of the information.

With anything else you are extracting some subset(s) of the original information.

The nice formats by X-Ways are IMHO appropriate, particularly the cleansed format in - as you say - e-discovery to deal with "privileged data" and the "skeleton", still in e-discovery, to maintain only a given format of file.

But they are not IMHO suitable for a "generic", "all round" investigation.

jaclaz

Posted : 22/11/2019 9:02 am
Rich2005
(@rich2005)
Active Member

@bitshavers

> With all due respect, those are exceptionally good solutions :) to some cases only (and in the hands of people that really know where their towel is).
>
> With a RAW (or dd-like or "physical") image (which takes time to create, uses a lot of disk space, etc.) you have 100% of the information.
>
> With anything else you are extracting some subset(s) of the original information.
>
> The nice formats by X-Ways are IMHO appropriate, particularly the cleansed format in - as you say - e-discovery to deal with "privileged data" and the "skeleton", still in e-discovery, to maintain only a given format of file.
>
> But they are not IMHO suitable for a "generic", "all round" investigation.
>
> jaclaz

Isn't the point that the original poster is already doing targeted collections, and Brett's simply suggesting better ways of doing them, rather than the AD1 method? (I don't believe it's being suggested as a replacement for a full forensic image where appropriate/possible)

Posted : 22/11/2019 11:42 am
bshavers
(@bshavers)
Active Member

Not my place to say which image format is better than another for any given situation; each case is different, objectives vary, and each of us have our own personal preferences. The OP suggested Mount Image Pro, which is an option of mounting the Ad container, but still requires additional steps to access the data with other tools.

FTK Imager is a great imaging/collection tool and decent preview tool. My point is that AD advises that the AD1 file cannot be converted to a sector image format and can only be read by FTK. It is a nice (and free) tool, but it reduces data accessibility and can add quite a bit of time to mount, export, and/or convert into a different format for a non-AD tool to read.

Creating something different out of an AD1 container
-Export the native files into a folder, and
—Recapture the files from that folder using a different tool, such as Encase into a different container format such as an Encase logical container, or
-Mount the AD1 container as a drive letter and recapture the mounted container as above, or
-Export the native files to an external media (wiped prior) and
—Create an image (dd or E01) of the external media

Or, create an E01 image on the initial targeted collection with X-Ways.

Fewer steps will reduce the risk of errors and mistakes, along with reducing the number of differently formatted source evidence files.

Posted : 22/11/2019 4:58 pm
jaclaz
(@jaclaz)
Community Legend

> Isn't the point that the original poster is already doing targeted collections, and Brett's simply suggesting better ways of doing them, rather than the AD1 method? (I don't believe it's being suggested as a replacement for a full forensic image where appropriate/possible)

I don't know what the point is. 😯

The OP, for what I see as "futile reasons" (had a limited amount of time to access a desktop for collection) and a colleague of his (for the same reason) both did something they didn't know enough about and then had issues.

I am pretty sure that Brett (whom I consider among the people who really know where their towel is :) ) is perfectly capable of choosing the "right" acquisition format suitable for the specific targeted acquisition/case and also load, mount, convert, transform, export and import, from and to each and every format, knowing exactly what each format contains or does not contain and which tool to use in each and every situation.

And surely the X-Ways formats he pointed out are (like most of the things connected with WinHex/X-Ways) intelligent, well designed and useful where appropriate.

Still, a dd-like image contains 100% of data, and any format containing less than that should be chosen only after being very, very sure that is suitable to the case at hand and that you know how to use it.

My previous post was only a generic warning of the kind:

https://en.wikipedia.org/wiki/Objects_in_mirror_are_closer_than_they_appear

jaclaz

Posted : 22/11/2019 5:33 pm