Potentially serious bugs in FTK Imager v4.5.0.3. (October 2020 release)

5 Posts
4 Users
1 Likes
6,743 Views
JimC
(@jimc)
Posts: 86
Estimable Member
Topic starter
 

There are two potentially serious bugs in the image mount feature of the most recent FTK Imager. The problems are simple to reproduce.

 

Bugs:

  • When an E01 image is mounted, the resulting virtual disk is ~32MB bigger than the underlying image. The virtual disk is thus not a faithful copy of the original image and has a different hash. (The tool adds a fake EFI partition table and 32MB when it mounts an image)
  • Attempting to bulk read (e.g. re-image) a virtual disk may fail with a sector unreadable error.

 

Practically, this means that images mounted using the most recent FTK Imager

  • Cannot be live booted
  • Will have a different hash
  • Cannot be reliably read

 

Access Data acknowledged this problem in November 2020 and are currently investigating a fix. I have created test images to illustrate this problem. These can be downloaded here:

https://drive.google.com/file/d/1d6521rZ-Ah41MTfEdTzRx_Hn4OBxT6fi

 

Test procedure:

1. Wipe test disk and create a single NTFS partition
2. Image using FTK Imager v4.5.0.3: "BaseImage.E01"
    Image reported as containing 234441648 sectors (correct)
3. Mount previous image "BaseImage.E01" using FTK Imager v4.5.0.3
    Re-image using FTK Imager v4.5.0.3: "ImageOfImage.E01"
    Re-image reported as containing 234507251 sectors (incorrect)
    Error reported: The following sector(s) on the source drive could not be read: 234507218
    i.e. Excess ~32MB over the original base image
4. Mount previous image "ImageOfImage.E01" using FTK Imager v4.5.0.3
    Re-image using FTK Imager v4.5.0.3: "ImageOfImageOfImage.E01"
    Re-image reported as containing 234572854 sectors (incorrect)
    Error reported: The following sector(s) on the source drive could not be read: 234572821
    i.e. Excess ~64MB over the original base image

 

Jim

www.binarymarkup.com

 
Posted : 22/01/2021 11:55 am
trewmte reacted
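The checks behind the bug report above, as an added example that is not code from the post or from AccessData: a sector-by-sector comparison of a mounted disk against its source image that reports the excess size, the hash mismatch and any unreadable sectors, plus the arithmetic on the sector counts the post quotes. The two "devices" are constructed in memory (the `SectorDevice` class and `demo` inputs are hypothetical); against a real mount you would replace them with the raw E01 export and the mounted physical drive.

```python
"""Verify that a mounted (virtual) disk is a faithful copy of its source image.

Added example, not from the forum post. It models the two defects the post
describes: a mounted disk that carries extra sectors beyond the end of the
source image, and sectors that fail to read. Everything here is constructed
in memory so it runs offline.
"""
import hashlib

SECTOR = 512  # bytes per logical sector, matching the sector counts in the post

# Sector counts and failing sectors quoted in the post above.
BASE_SECTORS = 234441648
IMAGE_OF_IMAGE_SECTORS = 234507251
IMAGE_OF_IMAGE_BAD_SECTOR = 234507218
IMAGE_OF_IMAGE_OF_IMAGE_SECTORS = 234572854
IMAGE_OF_IMAGE_OF_IMAGE_BAD_SECTOR = 234572821


class SectorDevice:
    """Constructed stand-in for a block device (hypothetical class).
    Reads are sector-addressed; sectors listed in `unreadable` raise OSError,
    modelling the 'sector(s) on the source drive could not be read' error."""

    def __init__(self, data: bytes, unreadable=()):
        if len(data) % SECTOR:
            raise ValueError("data must be a whole number of sectors")
        self.data = data
        self.unreadable = set(unreadable)

    @property
    def sector_count(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.unreadable:
            raise OSError(f"sector {n} could not be read")
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def excess_bytes(source_sectors: int, mounted_sectors: int) -> int:
    """Bytes by which the mounted disk exceeds the source image."""
    return (mounted_sectors - source_sectors) * SECTOR


def locate_sector(n: int, source_sectors: int, mounted_sectors: int) -> dict:
    """Classify a failing sector: inside the original image's range, or in the
    region that lies beyond the source image's last sector."""
    return {"beyond_source_end": n >= source_sectors,
            "sectors_from_end": mounted_sectors - n}


def verify_mount(source: SectorDevice, mounted: SectorDevice) -> dict:
    """Sector-by-sector comparison of a mounted disk against its source image.
    Unreadable sectors are recorded and hashed as zeros (assumption: the same
    substitution imaging tools commonly make when they skip a bad sector)."""
    h_src, h_mnt = hashlib.sha256(), hashlib.sha256()
    report = {"source_sectors": source.sector_count,
              "mounted_sectors": mounted.sector_count,
              "excess_sectors": mounted.sector_count - source.sector_count,
              "first_mismatch": None, "unreadable": []}
    for n in range(max(source.sector_count, mounted.sector_count)):
        s = m = None
        if n < source.sector_count:
            s = source.read_sector(n)
            h_src.update(s)
        if n < mounted.sector_count:
            try:
                m = mounted.read_sector(n)
            except OSError:
                report["unreadable"].append(n)
                m = bytes(SECTOR)
            h_mnt.update(m)
        if s is not None and m is not None and s != m and report["first_mismatch"] is None:
            report["first_mismatch"] = n
    report["source_sha256"] = h_src.hexdigest()
    report["mounted_sha256"] = h_mnt.hexdigest()
    report["faithful"] = (report["excess_sectors"] == 0 and report["first_mismatch"] is None
                          and not report["unreadable"]
                          and report["source_sha256"] == report["mounted_sha256"])
    return report


def demo() -> dict:
    """Constructed scenario: a 64-sector image mounted with 8 extra sectors
    appended and one unreadable sector inside the appended region."""
    image = (bytes(range(256)) * 2) * 64          # 64 sectors of deterministic data
    source = SectorDevice(image)
    mounted = SectorDevice(image + bytes(SECTOR * 8), unreadable={70})
    return verify_mount(source, mounted)


if __name__ == "__main__":
    for name, total, bad in (("ImageOfImage", IMAGE_OF_IMAGE_SECTORS, IMAGE_OF_IMAGE_BAD_SECTOR),
                             ("ImageOfImageOfImage", IMAGE_OF_IMAGE_OF_IMAGE_SECTORS,
                              IMAGE_OF_IMAGE_OF_IMAGE_BAD_SECTOR)):
        extra = excess_bytes(BASE_SECTORS, total)
        print(f"{name}: +{total - BASE_SECTORS} sectors = {extra} bytes "
              f"({extra / 2**20:.2f} MiB); bad sector {bad}: "
              f"{locate_sector(bad, BASE_SECTORS, total)}")
    print(demo())
```

Run as a script it prints the excess for both re-images in the post (65603 sectors, about 32 MiB, and 131206 sectors, about 64 MiB) and shows that each reported unreadable sector falls beyond the source image's last sector, 33 sectors before the end of the mounted disk; the constructed demo returns a report with `faithful` false, `excess_sectors` 8 and sector 70 unreadable.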
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Great work, Jim. Thanks for sharing your research.

 
Posted : 27/01/2021 6:26 pm
(@auptyk)
Posts: 2
New Member
 

I typically only use disk mounting to open files in native Windows apps (say photos, videos, etc.), run virus scans, run Python scripts over it (I don't have the time to learn how to unpack a forensic image in Python haha), or run CMD/PowerShell commands like VSC checking. I have never had any issues with reliable reads with the new version in these use cases.

With the second bug you listed, Imager has workflows for imaging an image. It does not require mounting an image. 

If you would like to create a full image of an image: 

File>Create image

  • Select Image File
  • Browse to Image
  • Add a Destination
  • Select output image format (E01, DD)
  • Run it. 

You can also Image just a partition to a physical image: 

File>Add Evidence

  • Browse to and select image
  • Right click on the desired partition
  • Export to disk image
  • Select format (E01, DD)
  • Specify destination
  • Run it. 

You can also Image just the file system (logical image, files only):

File>Add Evidence

  • Browse to and select Image
  • Expand partition
  • Select the file system
  • Right click and select Export to Logical Image (AD1)
  • Specify destination
  • Run it. 

Imager uses Eldos drivers/tech to mount images (first time you go to mount you have probably noticed this pops up). 

 
Posted : 29/01/2021 7:32 pm
JimC
(@jimc)
Posts: 86
Estimable Member
Topic starter
 

The problem with bulk read can happen with any operation, not just re-imaging.

I used the example of re-imaging using FTK Imager itself because it is easy to reproduce. The same issue can be found with any other tool that reads the emulated disk. The fact is, the current FTK Imager simply doesn't produce a reliable "virtual" physical disk. This problem wasn't present in the previous versions which worked fine.

I reported the issue to AD in mid-November 2020 and they initially seemed keen to fix it. However, for the last six weeks the silence has been deafening. @auptyk, in the meantime, the physical mount feature doesn't seem fit for purpose.

 

Jim

www.binarymarkup.com

 
Posted : 30/01/2021 7:30 pm
(@boydg1)
Posts: 4
New Member
 

That is excellent research Jim and we appreciate that you have flagged these issues to the digital forensic community.

An excellent alternative that would resolve the issues flagged is the free mount tool "VFC Mount". To access and download this free tool, visit the website vfc.uk.com.

 
Posted : 02/02/2021 4:23 pm