
Virtually reconstruct a split forensic disk image with ‘Poorcase’.

I’d previously heard of the Poorcase utility for reconstructing split image files but had never used it. Then one day, ahead of an acquisition, I accidentally formatted an external USB drive as FAT, booted Helix and, after imaging the drive, ended up with 28 files – image.001 to image.028 – because of FAT’s file-size limit.

Given FAT32’s 4GB limit I had expected a set of 4GB files, but for some reason Helix defaulted to 2GB segments. I’m not sure whether Helix always defaults to 2GB segments regardless of whether the destination drive is FAT16 or FAT32, or whether I simply didn’t choose the correct options before acquiring the drive, but there you have it. Rather than reimaging, I decided to try ‘Poorcase’ to reconstruct the image.

Directory Listing of split image files.

Poorcase is a Perl script that virtually reconstructs split dd disk images. It only works under Linux, and for my little test I used the latest Ubuntu 10.04 Lucid Lynx. The Poorcase Perl script worked out of the box; I didn’t need to install any dependencies. You do, however, need to ensure you have enough loopback devices configured – one per file ‘segment’. I had 28 files, so I needed 28 loopback devices. There’s a sample bash FOR loop in the Poorcase documentation that explains how to do this quickly using either MAKEDEV or mknod. In my case I used mknod as follows to create 50 loopback devices:

# for foo in `seq 0 50`; do mknod /dev/loop$foo b 7 $foo;done


Configuring additional loopback devices.

Having configured the additional loopback devices we can now run the Poorcase Perl script. The following options are described in the README:

--build (stitch the image together)

--name (name of the resulting image file)

By default the new image is built read-only. However, it is possible to build it read/write by explicitly adding the ‘-o rw’ switch.

# perl poorcase_1.1.pl --build --name windows-xp-sp0.img /media/NTFS_/windows-xp-sp0.0*
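As an added illustration (my own script, not Poorcase’s code and not from the original post): a POSIX sh helper that checks a split dd set for numbering gaps, truncated segments and inconsistent segment sizes before reassembly, then prints the device-mapper “linear” table that maps the segments, one loop device each, into a single virtual disk – the kind of mapping Poorcase sets up behind the scenes. The <base>.001 naming, 512-byte sector alignment and consecutive /dev/loopN numbering are assumptions, and nothing here calls losetup or dmsetup, so it runs unprivileged.

```shell
#!/bin/sh
# Assumed layout: <base>.001, <base>.002, ... where every segment is a whole
# number of 512-byte sectors and all but the last segment are the same size
# (what dd split across a FAT volume produces). A partial sector or a size
# mismatch in a non-last segment is a sign of truncation or a mixed-up set.

# segment_check BASE: prints "ok <segments> <total_bytes>", returns 1 on a
# numbering gap, a size mismatch, or a segment that is not sector-aligned.
segment_check() {
    base=$1; n=1; total=0; first=0; prev=0
    while :; do
        seg=$(printf '%s.%03d' "$base" "$n")
        [ -f "$seg" ] || break
        size=$(($(wc -c < "$seg")))
        if [ $((size % 512)) -ne 0 ]; then
            echo "error: $seg is not sector-aligned (truncated?)" >&2; return 1
        fi
        # Every segment except the last must match the first segment's size.
        if [ "$n" -gt 2 ] && [ "$prev" -ne "$first" ]; then
            echo "error: segment $((n - 1)) of $base has an odd size" >&2; return 1
        fi
        [ "$n" -eq 1 ] && first=$size
        prev=$size; total=$((total + size)); n=$((n + 1))
    done
    found=$((n - 1))
    [ "$found" -gt 0 ] || { echo "error: no segments for $base" >&2; return 1; }
    # More numbered files on disk than the contiguous run means a gap.
    present=0
    for f in "$base".[0-9][0-9][0-9]; do [ -f "$f" ] && present=$((present + 1)); done
    if [ "$present" -ne "$found" ]; then
        echo "error: $present segments on disk, only $found contiguous" >&2; return 1
    fi
    echo "ok $found $total"
}

# dm_linear_table BASE FIRST_LOOP: one table line per segment, assuming
# segment k is attached to /dev/loop(FIRST_LOOP + k - 1) (the loop device per
# segment scheme). Output is in the format `dmsetup create <name>` reads.
dm_linear_table() {
    base=$1; loop=$2; n=1; start=0
    while :; do
        seg=$(printf '%s.%03d' "$base" "$n")
        [ -f "$seg" ] || break
        sectors=$(( $(wc -c < "$seg") / 512 ))
        echo "$start $sectors linear /dev/loop$loop 0"
        start=$((start + sectors)); loop=$((loop + 1)); n=$((n + 1))
    done
}
```

Run segment_check on the set first; only if it reports ok is the table worth handing to dmsetup, because a gap or a short segment silently shifts every later sector.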


Running the Poorcase Perl script.

The next screenshot shows the script finalising. 

Poorcase Perl script completes.

Subsequently three files are created in the /dev/mapper folder as shown in the next screenshot.

Contents of /dev/mapper folder.

I tried mounting the windows-xp-sp0.img file, but no luck; I got the error message below.

# mount -o ro /dev/mapper/windows-xp-sp0.img /media/windows
mount: /dev/mapper/windows-xp-sp0.img already mounted or /media/windows busy
#

Error mounting .img file.

After some time fiddling I decided to try and mount the second file, .img1, and bingo, it mounted fine. In hindsight this makes sense: windows-xp-sp0.img is the whole-disk device (partition table and all), whereas windows-xp-sp0.img1 is its first partition, which is where the Windows filesystem actually lives.

Successfully mounting .img1 file.

A directory listing of the mount point for the .img1 file showed the Windows image had indeed successfully mounted.

Mounted Windows Image.

There are obviously easier ways to mount split image files but I wanted to understand how Poorcase works. The Poorcase project page is here.

  1. David Ball
    June 26, 2010 at 2:55 pm

    … and to remove a previously mapped image:

    root@balldav-laptop:/opt# umount /dev/mapper/windows-xp-sp0.img1

    root@balldav-laptop:/opt# perl poorcase_1.1.pl --destroy --name windows-xp-sp0.img1
    removing device mapper device: ‘windows-xp-sp0.img1’
    root@balldav-laptop:/opt#

  2. December 15, 2010 at 7:30 pm

    Interesting! Thanks
    Denis
