Mounting split raw and Encase segmented files with ‘affuse’.

Following on from the previous blog posting another utility that allows stitching together of raw image files is ‘affuse’ from afflib tools. aff is the advanced forensics format, an open source forensic file system format that supports meta data in the image file. aff also supports compression of forensics images using zlib.

You can download afflib tools from here. afflib tools requires fuse support. If you don’t have fuse installed the configure script will alert you.

$./configure

configure: FUSE requested
checking fuse.h usability… no
checking fuse.h presence… no
checking for fuse.h… no
configure: fuse.h not found; Disabling FUSE support.

For Ubuntu Linux you need to install libfuse-dev to get the necessary fuse header files.

$ sudo apt-get install libfuse-dev

Then running ./configure again will allow you to confirm that fuse support is correctly installed.

configure: FUSE requested
checking fuse.h usability… yes
checking fuse.h presence… yes
checking for fuse.h… yes

Follow with $make and $make install and you should be up and running.

You can then run affuse to combine your split image files.

$ sudo affuse /media/NTFS/windows-xp-sp0.001 /media/fuse
balldav@balldav-laptop:~$

The result is a single file with the same name as the first file segment and with a .raw extension.

$ sudo ls -l /media/fuse
total 0
-r–r–r– 1 root root 59995324416 1970-01-01 08:00 windows-xp-sp0.001.raw
balldav@balldav-laptop:/media$

You will also see the new fuse filesystem mounted.

$ mount | grep affuse
affuse on /media/fuse type fuse.affuse (rw,nosuid,nodev)
balldav@balldav-laptop:/media$

The next step is to mount the new .raw image. Running mmls (TSK) shows the partitions in the image.

# mmls /media/fuse/windows-xp-sp0.001.raw
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta     0000000000   0000000000   0000000001   Primary Table (#0)
01:    —–        0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0117195119          0117195057         NTFS (0x07)
root@balldav-laptop:~# 

We then run losetup and mount the image on /dev/loop0. We use the ‘-o offset’ to mount the Windows NTFS partition.

[sudo] password for balldav:
root@balldav-laptop:~# losetup -f -o 32256 /media/fuse/windows-xp-sp0.001.raw
root@balldav-laptop:~# losetup -a
/dev/loop0: [0016]:2 (/media/fuse/windows-xp-sp0.001.raw), offset 32256
root@balldav-laptop:~#

Note: The offset of 32256 is the sector/block size of 512k multiplied by the starting sector of the partition you want to access. In this case it’s a Windows partition starting at sector 63 offset 32256 (63 x 512). Using the offset function means not having to carve out individual partitions from the disk image.

The ‘file’ command confirms the file type.

root@balldav-laptop:~# file -s /dev/loop0
/dev/loop0: x86 boot sector, code offset 0x52, OEM-ID “NTFS    “, sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 240, hidden sectors 63, dos < 4.0 BootSector (0x80)
root@balldav-laptop:~#

You can then mount the image.

root@balldav-laptop:~# mount /dev/loop0 /media/windowsimage

If you are exclusively working with split raw image files and Sleuthkit then be aware that many of the sleuthkit tools can be run against split raw image files without needing to stitch the image together. Use the ‘-i split’ option to achieve this. fls, ils, mmls and fsstat all support the ‘split’ switch.

root@balldav-laptop:~# fls -i list
Supported image format types:
 raw (Single raw file (dd))
 ewf (Expert Witness format (encase))
 split (Split raw files)
root@balldav-laptop:~#

For example to run fls against our split Windows image file you would do the following:

root@balldav-laptop:~# fls -i split -o 63 -f ntfs /media/NTFS/windows-xp-sp0.0*
r/r 4-128-4: $AttrDef
r/r 8-128-3: $BadClus
r/r 8-128-4: $BadClus:$Bad
r/r 6-128-4: $Bitmap
r/r 7-128-3: $Boot
d/d 11-144-4: $Extend
r/r 2-128-3: $LogFile
r/r 0-128-3: $MFT
r/r 1-128-3: $MFTMirr
r/r 9-144-35: $Secure:$SDH
r/r 9-144-32: $Secure:$SII
r/r 9-128-0: $Secure:$SDS
r/r 10-128-3: $UpCase
r/r 3-128-5: $Volume
r/r 109979-128-4: .rnd
r/r 9672-128-17: boot.ini

[snip]

r/r * 2-128-3(realloc): ~GLHTTP1.TMP
r/r * 2-128-3(realloc): _NavCClt.Log
-/r * 17-128-3: bootex.log
-/r * 18-128-3: bootex.log
d/d 128819: $OrphanFiles
root@balldav-laptop:~#

Affuse also supports mounting an Encase set of E0* files as a raw image allowing you to run Sleuthkit tools against the resulting image. This is done as follows.

root@balldav-laptop:~# affuse /media/encase/encase_image.E01 /media/fuse
root@balldav-laptop:~#

root@balldav:~# ls -l /media/fuse
total 0
-r–r–r– 1 root root 1572751482 1970-01-01 08:00 encase_image.E01.raw
root@balldav-laptop:~#

root@balldav-laptop:~# losetup -f -o 32256 /media/fuse/encase_image.E01.raw
root@balldav-laptop:/# losetup -a
/dev/loop0: [0016]:2 (/media/fuse/encase_image.E01.raw), offset 32256
root@balldav-laptop:~#

Then mount the image exactly as above.

Virtually reconstruct a split forensic disk image with ‘Poorcase’.

I’d previously heard of the Poorcase utility for reconstructing split image files but had never used it. Then one day ahead of an acqusition I accidentally formatted an external USB drive as FAT, booted Helix and after imaging the drive ended up with 28 files – image.001 to image.028 – this due to FAT’s limitation on file size. 

Actually I expected with FAT32’s 4GB limit I should have ended up with a mass of 4GB files but for some reason Helix defaulted to 2GB file sizes. Not sure if it is Helix’s behaviour to default to 2GB file segments regardless of whether the destination drive is FAT16 or FAT32 or I didn’t choose the correct options before acquiring the drive but there you have it. Rather than reimaging I decided to try ‘Poorcase’ to reconstruct the image. 

Directory Listing of split image files.

Poorcase is a Perl script that virtually reconstructs split dd disk images. It only works under the Linux operating system and for my little test I used the lastest Ubuntu 10.04 Lucid Lynx. The Poorcase Perl script worked out of the bag. I didn’t need to install any dependencies. You do however need to ensure you have enough loopback devices configured – one per file ‘segment’. I had 28 files so I needed 28 loopback devices. There’s a sample bash FOR loop in the poorcase documentation that explains how to do this quickly either using MAKEDEV or mknod. In my case I used mknod as follows to create 50 loopback devices: 

# for foo in `seq 0 50`; do mknod /dev/loop$foo b 7 $foo;done

 

Configuring additional loopback devices.

Having configured the additional loop back devices we can now run the Poorcase perl script. The following options are described in the README: 

–build (stitch the image together) 

–name ( name of the resulting image file) 

By default the new image is built in Read Only mode. However it is possible to build in Read Write mode by explicitly adding the ‘-o rw’ switch.

# perl poorcase_1.1.pl –build –name windows-xp-sp0.img /media/NTFS_/windows-xp-sp0.0*

 

Running Poorcase perl script.

The next screenshot shows the script finalising. 

Poorcase perl script completes.

Subsequently three files are created in the /dev/mapper folder as shown in the next screenshot.

Contents of /dev/mapper folder.

I tried mounting the windows-xp-sp0.img file but no luck. I got the error message below.

# mount -o ro /dev/mapper/windows-xp-sp0.img /media/windows
mount: /dev/mapper/windows-xp-sp0.img already mounted or /media/windows busy
#

Error mounting .img file.

After some time fiddling I decided to try and mount the second .img1 file and bingo it seemed to mount ok.  

Successfully mounting .img1 file.

A directory listing of the mount point for the .img1 file showed the Windows image had indeed sccessfully mounted. 

Mounted Windows Image.

There are obviously easier ways to mount split image files but I wanted to understand how Poorcase works. The Poorcase project page is here.