localizing a mounted HD  

mrpumba (@mrpumba)

I am trying to capture data from the shadow volume of a suspect's device through an imaged file. I mounted the volume and, using the CMD prompt (administrator), ran the vssadmin command. I am receiving an error message because the mounted volume (the suspect's) is not a local volume and vssadmin will not read it. Does anyone know how to mount an imaged file to make it local?

Posted : 27/08/2012 9:16 pm
keydet89 (@keydet89)

You can do this quite easily using a tool available for free from MS. I covered this in chapter 3 of "Windows Forensic Analysis Toolkit 3/e", but it's also described here

http://windowsir.blogspot.com/2011/01/accessing-volume-shadow-copies.html

…and here

http://justaskweg.com/?p=710

Posted : 27/08/2012 9:36 pm
mrpumba (@mrpumba)

Ok, I'll review the information you provided and follow-up.

Thanks
Keydet89

Posted : 27/08/2012 9:59 pm
joachimm (@joachimm)

If you feel courageous you can also try (although you'll need Linux for this):
http://code.google.com/p/libvshadow/

I recently did a large update and it is starting to look promising, but it is still considered experimental.

Posted : 28/08/2012 12:16 am
joachimm (@joachimm)

BTW, additional info:
http://www.forensicswiki.org/wiki/Windows_Shadow_Volumes

Posted : 28/08/2012 12:24 am
jaclaz (@jaclaz)

Just for the record, you can most probably use Clonedisk (Freeware/GUI) to convert the RAW image to VHD
http://reboot.pro/8480/

or, more simply, raw2vhd
http://reboot.pro/9715/
http://reboot.pro/9715/#entry83781

Though from what has been posted here
http://justaskweg.com/?p=710
it seems like the "original" didn't end on a sector boundary, which is "strange".

@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?
I mean, the issue you had with IMDISK is probably connected with the nature of IMDISK; a more "low level" driver such as MS's own VSS SDK
http://reboot.pro/index.php?showtopic=6492&hl=
http://www.microsoft.com/en-us/download/details.aspx?id=23490
and possibly
http://msdn.microsoft.com/en-us/library/windows/desktop/bb530728(v=vs.85).aspx
or Total Mounter
http://reboot.pro/15170/
http://www.kernsafe.com/product/totalmounter.aspx
should be able to "mount" the RAW image directly in such a way that it is accessible…

jaclaz

Posted : 28/08/2012 12:25 am
keydet89 (@keydet89)

@keydet89
But what is the actual need to convert it to VHD (or to vmdk)?

In order to mount the image as a volume, in a manner that would allow access to the available VSCs.

Posted : 28/08/2012 12:36 am
jaclaz (@jaclaz)

In order to mount the image as a volume, in a manner that would allow access to the available VSCs.

I know that; the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.

If you prefer, I understood the procedure as "Since I found no driver capable of properly mounting the image as a local disk, I converted it to a VHD so that I was able to use …."

jaclaz

Posted : 28/08/2012 1:16 am
keydet89 (@keydet89)

…the whole point is that there are more suited drivers than IMDISK to mount the RAW image directly without needing to "convert it" to VHD.

I'm not sure I follow. As you say, you can install a driver, or you can make a minor modification to the image file and use what's already installed (i.e., Disk Management).

Is there a chance that you can share what the "more suited drivers" are?

Thanks.

Posted : 28/08/2012 2:55 am
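The raw2vhd route jaclaz mentions and the "minor modification to the image file" keydet89 refers to are the same operation: a fixed-size VHD is just a raw image with a 512-byte footer appended, which is why Disk Management can then attach it as a real disk and vssadmin sees a local volume. The following Python is an added example written for this thread, not code from vhdtool, raw2vhd, Clonedisk or any other tool named above. It assumes the published VHD footer layout (big-endian, "conectix" cookie, disk type 2 = fixed, data offset 0xFFFFFFFFFFFFFFFF, one's-complement byte-sum checksum) and the spec's CHS algorithm; the CREATOR_APP tag and all function names are this example's own. It also pads the image to a sector boundary first, which is the "didn't end on a sector boundary" case jaclaz calls strange. Converting an E01 to raw (FTK Imager export, ewfexport) is a separate step it does not perform.

```python
"""Append a fixed-VHD footer to a raw (dd-style) disk image.

Added example for this thread; not code from vhdtool, raw2vhd or Clonedisk.
Follows the published VHD footer layout and CHS algorithm. Work on a COPY of
the evidence image: appending bytes changes the file hash even though the
original sectors are untouched.
"""
import struct
import time
import uuid

SECTOR = 512
# Field order: cookie, features, version, data_offset, timestamp, creator_app,
# creator_version, host_os, original_size, current_size, cylinders, heads,
# sectors_per_track, disk_type, checksum, uuid, saved_state, reserved.
FOOTER_FMT = ">8sIIQI4sIIQQHBBII16sB427s"
assert struct.calcsize(FOOTER_FMT) == SECTOR
EPOCH_2000 = 946684800        # VHD timestamps count seconds from 2000-01-01 UTC
CREATOR_APP = b"rw2v"         # 4-byte tag chosen for this example (assumption)
HOST_OS_WINDOWS = 0x5769326B  # "Wi2k"
DISK_TYPE_FIXED = 2


def chs_geometry(total_sectors):
    """Cylinders/heads/sectors-per-track, using the algorithm from the VHD spec."""
    if total_sectors > 65535 * 16 * 255:
        total_sectors = 65535 * 16 * 255
    if total_sectors >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total_sectors // spt
    else:
        spt = 17
        cth = total_sectors // spt
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total_sectors // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total_sectors // spt
    return cth // heads, heads, spt


def vhd_checksum(footer):
    """One's complement of the byte sum, with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_fixed_footer(size, disk_uuid=None, timestamp=None):
    """Return the 512-byte footer for a fixed VHD whose data area is `size` bytes."""
    if size % SECTOR:
        raise ValueError("data area must be a whole number of 512-byte sectors")
    cyl, heads, spt = chs_geometry(size // SECTOR)
    if timestamp is None:
        timestamp = int(time.time()) - EPOCH_2000
    fields = [b"conectix", 0x00000002, 0x00010000, 0xFFFFFFFFFFFFFFFF, timestamp,
              CREATOR_APP, 0x00010000, HOST_OS_WINDOWS, size, size,
              cyl, heads, spt, DISK_TYPE_FIXED, 0,
              disk_uuid or uuid.uuid4().bytes, 0, b"\x00" * 427]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


def parse_footer(footer):
    """Decode a footer; raise ValueError if the cookie or checksum is wrong."""
    if len(footer) != SECTOR or footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie")
    f = struct.unpack(FOOTER_FMT, footer)
    if f[14] != vhd_checksum(footer):
        raise ValueError("VHD footer checksum mismatch")
    return {"disk_type": f[13], "data_offset": f[3], "current_size": f[9],
            "geometry": (f[10], f[11], f[12])}


def footer_is_valid(footer):
    try:
        parse_footer(footer)
        return True
    except ValueError:
        return False


def raw_to_fixed_vhd(raw):
    """In-memory version: pad to a sector boundary, then append the footer."""
    padded = raw + b"\x00" * ((-len(raw)) % SECTOR)
    return padded + build_fixed_footer(len(padded))


def append_vhd_footer(path):
    """In-place version for a real image copy: pad, append, return the parsed footer."""
    with open(path, "r+b") as fh:
        fh.seek(0, 2)
        size = fh.tell()
        pad = (-size) % SECTOR  # the "didn't end on a sector boundary" case
        if pad:
            fh.write(b"\x00" * pad)
            size += pad
        footer = build_fixed_footer(size)
        fh.write(footer)
    return parse_footer(footer)


if __name__ == "__main__":
    # Constructed demo input: a 1000-byte "image" that does not end on a sector.
    vhd = raw_to_fixed_vhd(b"\x01" * 1000)
    print(len(vhd), parse_footer(vhd[-SECTOR:]))
```

Run `append_vhd_footer("suspect_copy.vhd")` against a copy of the raw export, then attach the file read-only (Disk Management's Attach VHD with the read-only box ticked, or in diskpart `select vdisk file=...` followed by `attach vdisk readonly`), note the letter the mount manager assigns, and `vssadmin list shadows /for=X:` now addresses a local volume. If the footer is ever rejected, `parse_footer` on the last 512 bytes tells you whether the cookie or the checksum is what went wrong.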
mrpumba (@mrpumba)

Previewing the responses thus far still does not answer my question (at least I don't believe so). Recap: I have an E01 image and, using FTK Imager, mounted the file, giving me a listed drive of M. I then open a cmd window in admin mode, cd to M and type "vssadmin list shadows /for=m". I receive the error "cannot list m shadow list because m is not a local drive".
Imaging is not the problem, as I know that if I can get to the shadow files as stated above I can image them and load them into FTK or EnCase. The issue is getting the system to recognize the FTK-mounted E01 file as a local drive.

Posted : 28/08/2012 8:54 am
joachimm (@joachimm)

It looks like FTK Imager is emulating the mount as a remote network share.

So you'll have to use another mount tool that does emulate the mount as a local drive; as people proposed stick to the known methods that other people have used with success before.

Or use Linux with ewfmount and vshadowinfo to bypass Windows completely.

Posted : 28/08/2012 10:33 am
jaclaz (@jaclaz)

Is there a chance that you can share what the "more suited drivers" are?

Actually, if you read my initial post, I listed there TWO likely candidates, including links to them and/or threads where their usage is discussed.
BTW, only Windows 7 can mount .vhd's "natively".

@mrpumba
The links initially given by keydet89 illustrate in detail methods to work around that issue.

If you are determined to use the .e01 file "as is", then

There is a commercial product
http://www.mountimage.com/
that can mount .e01 files, but I cannot say if it will mount them as "local" or not.

There is also a free tool
http://www.osforensics.com/tools/mount-disk-images.html
that can do the same, BUT since it is based on IMDISK, I doubt that it will be able to mount it in a way that is compatible with the vssadmin tool.

jaclaz

Posted : 28/08/2012 3:20 pm
mrpumba (@mrpumba)

Ok, thanks for the reply guys, I'll preview more closely on my end.

Posted : 28/08/2012 4:22 pm
keydet89 (@keydet89)

Actually if you read my initial post I listed there TWO likely candidates, including links to them and/or thread where their usage is discussed.

I did.

The SDK doesn't help anyone here on this thread really…unless someone here is a proficient Windows programmer.

The link to the VSS tools and samples doesn't help…that's really nothing more than vssadmin or other tools; you have to have access to the VSC listing in order to use vshadow.exe to expose a VSC locally
http://msdn.microsoft.com/en-us/library/windows/desktop/bb530725(v=vs.85).aspx#exposing_a_shadow_copy_locally

KernSafe's product looks interesting, even if the company is from Beijing…but I really don't see a great deal of difference between mounting the image via vhdtool + Disk Manager, and using Total Mounter. Not having tested Total Mounter yet, I'd be interested to see if it's able to mount read-only (I wasn't able to access the data sheet this morning).

When I asked the question, I saw no reference to your initial post, and as such thought that you'd added something new to the conversation. My apologies.

Posted : 28/08/2012 5:39 pm
jaclaz (@jaclaz)

When I asked the question, I saw no reference to your initial post, and as such thought that you'd added something new to the conversation. My apologies.

No prob :) , but there is still IMHO a form of misunderstanding.

IMDISK uses an approach that is somewhat "higher level" than other drivers: what IMDISK actually mounts are volumes or partitions (and NOT "disks").

As an example KenKato's VDK has a "lower level" approach, enough to access the "whole disk" as \\.\PhysicalDriven but "not low enough" to let the disk be seen in Disk Manager.

The VSS SDK (without the need for *any* programming skills) provides, as illustrated in the given link
http://reboot.pro/index.php?showtopic=6492&hl=
the means, namely the

virtual storage driver (virtualstorage.sys) and virtual storage controller (vstorcontrol.exe)

to mount a "whole disk" in a way that it is seen in Disk Management, i.e. "as low-level" or "as native" as possible.
I will risk quoting myself 😯

The VSS drivers are "as low level" and "as plug 'n play" as possible, meaning that when you run them and mount an image you will get (I am talking of the 32-bit version on XP, but the 64-bit one will probably be the same)

  1. a tray notification for "found new hardware"
  2. the image appears in disk management as a disk
  3. it is accessible through \\.\PhysicalDriven
  4. the formatted volumes/drives get a drive letter by mount manager
  5. the disk geometry is by default 255/63

VDK misses points #1 and #2 above and you need a .pln or .vmdk file to have the 255/63 geometry as the default is 64/32.

There are seemingly issues with the Windows 7 version, though.

Total Mounter has a similar "low-level" approach, but its usage is a bit more convenient, being GUI, and AFAICT it works all right in Windows 7 also.

They were/are only meant as "ideas", JFYI, for further experiments.

With all due respect :) , I completely fail to understand how the company making the tool being Chinese is worthy of note; still, for the record, a few examples:
Imdisk Author Olof Lagerkvist is from Sweden
VDK Author Ken Kato is from Japan
firadisk Author karionix is from Thailand
Winvblock Author sha0 is from Canada
MS VSS Authors are presumably from the US
Total Mounter (Kernsafe) is from China
the (very little) contributions by me are coming from Italy …
… it looks like in the Virtual Disk drivers development nationality is fairly heterogeneous….

jaclaz

Posted : 28/08/2012 6:33 pm