
Mounting split raw and Encase segmented files with ‘affuse’.

Following on from the previous blog posting, another utility that allows stitching together of raw image files is ‘affuse’ from the afflib tools. AFF is the Advanced Forensic Format, an open source forensic image format that supports metadata inside the image file. AFF also supports compression of forensic images using zlib.

You can download the afflib tools from here. Building affuse requires FUSE support; if you don’t have the FUSE development files installed, the configure script will alert you.

$./configure

configure: FUSE requested
checking fuse.h usability... no
checking fuse.h presence... no
checking for fuse.h... no
configure: fuse.h not found; Disabling FUSE support.

On Ubuntu Linux you need to install libfuse-dev to get the necessary FUSE header files.

$ sudo apt-get install libfuse-dev

Then running ./configure again will allow you to confirm that fuse support is correctly installed.

configure: FUSE requested
checking fuse.h usability... yes
checking fuse.h presence... yes
checking for fuse.h... yes

Follow with ‘make’ and ‘make install’ and you should be up and running.

You can then run affuse to combine your split image files.

$ sudo affuse /media/NTFS/windows-xp-sp0.001 /media/fuse
balldav@balldav-laptop:~$

The result is a single file with the same name as the first file segment and with a .raw extension.

$ sudo ls -l /media/fuse
total 0
-r--r--r-- 1 root root 59995324416 1970-01-01 08:00 windows-xp-sp0.001.raw
balldav@balldav-laptop:/media$

You will also see the new fuse filesystem mounted.

$ mount | grep affuse
affuse on /media/fuse type fuse.affuse (rw,nosuid,nodev)
balldav@balldav-laptop:/media$

The next step is to mount the new .raw image. Running mmls (from The Sleuth Kit, TSK) shows the partitions in the image.

# mmls /media/fuse/windows-xp-sp0.001.raw
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0117195119   0117195057   NTFS (0x07)
root@balldav-laptop:~# 

We then use losetup to attach the image to /dev/loop0, passing ‘-o offset’ so that the loop device starts at the Windows NTFS partition rather than at the beginning of the disk image.

[sudo] password for balldav:
root@balldav-laptop:~# losetup -f -o 32256 /media/fuse/windows-xp-sp0.001.raw
root@balldav-laptop:~# losetup -a
/dev/loop0: [0016]:2 (/media/fuse/windows-xp-sp0.001.raw), offset 32256
root@balldav-laptop:~#

Note: The offset of 32256 is the sector size (512 bytes) multiplied by the starting sector of the partition you want to access. In this case the Windows partition starts at sector 63, giving an offset of 32256 (63 x 512). Using the offset option means you do not have to carve individual partitions out of the disk image.
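As an added example (not part of the original post), here is a small POSIX shell helper that reads the sector size and the partition start sector out of mmls output and computes the losetup offset, so the multiplication above is not done by hand. The mmls text below is a constructed sample in the layout shown earlier, and the function names are my own.

```shell
#!/bin/sh
# Added example: compute the losetup byte offset of a partition from mmls output.
# Assumes mmls output in the layout the post shows (row "NN:" first, start sector
# third) and a "Units are in N-byte sectors" line; neither function is from afflib or TSK.

# Constructed sample, copied from the layout of the mmls run above.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0117195119   0117195057   NTFS (0x07)'

# sector_size MMLS_TEXT -> prints the sector size mmls announced (512 here)
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p'
}

# part_offset MMLS_TEXT ROW -> prints start sector * sector size for row ROW (e.g. 02);
# fails (returns 1) when the row or the unit line is missing
part_offset() {
    mmls_text=$1
    row=$2
    size=$(sector_size "$mmls_text")
    start=$(printf '%s\n' "$mmls_text" | awk -v r="$row:" '$1 == r { print $3 }')
    [ -n "$start" ] && [ -n "$size" ] || return 1
    # strip the zero padding so the shell does not treat the value as octal
    start=$(printf '%s' "$start" | sed 's/^0*//')
    start=${start:-0}
    echo $(( start * size ))
}

# Real use (needs root and the image): attach the loop device read-only at that offset.
#   OFF=$(part_offset "$(mmls /media/fuse/windows-xp-sp0.001.raw)" 02)
#   losetup -f -r -o "$OFF" /media/fuse/windows-xp-sp0.001.raw
```

For evidence handling, pair the read-only loop device (‘losetup -r’) with a read-only mount (‘mount -o ro’) so nothing on the image is altered by the mount itself.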

The ‘file’ command confirms the file type.

root@balldav-laptop:~# file -s /dev/loop0
/dev/loop0: x86 boot sector, code offset 0x52, OEM-ID "NTFS    ", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 240, hidden sectors 63, dos < 4.0 BootSector (0x80)
root@balldav-laptop:~#

You can then mount the image.

root@balldav-laptop:~# mount /dev/loop0 /media/windowsimage

If you are working exclusively with split raw image files and The Sleuth Kit, be aware that many of the Sleuth Kit tools can be run directly against split raw image files without stitching the image together first. Use the ‘-i split’ option to do this; fls, ils, mmls and fsstat all support the ‘split’ image type.

root@balldav-laptop:~# fls -i list
Supported image format types:
 raw (Single raw file (dd))
 ewf (Expert Witness format (encase))
 split (Split raw files)
root@balldav-laptop:~#

For example, to run fls against our split Windows image you would do the following:

root@balldav-laptop:~# fls -i split -o 63 -f ntfs /media/NTFS/windows-xp-sp0.0*
r/r 4-128-4: $AttrDef
r/r 8-128-3: $BadClus
r/r 8-128-4: $BadClus:$Bad
r/r 6-128-4: $Bitmap
r/r 7-128-3: $Boot
d/d 11-144-4: $Extend
r/r 2-128-3: $LogFile
r/r 0-128-3: $MFT
r/r 1-128-3: $MFTMirr
r/r 9-144-35: $Secure:$SDH
r/r 9-144-32: $Secure:$SII
r/r 9-128-0: $Secure:$SDS
r/r 10-128-3: $UpCase
r/r 3-128-5: $Volume
r/r 109979-128-4: .rnd
r/r 9672-128-17: boot.ini

[snip]

r/r * 2-128-3(realloc): ~GLHTTP1.TMP
r/r * 2-128-3(realloc): _NavCClt.Log
-/r * 17-128-3: bootex.log
-/r * 18-128-3: bootex.log
d/d 128819: $OrphanFiles
root@balldav-laptop:~#

Affuse also supports mounting an EnCase set of E0* segment files as a single raw image, allowing you to run Sleuth Kit tools against the result. This is done as follows.

root@balldav-laptop:~# affuse /media/encase/encase_image.E01 /media/fuse
root@balldav-laptop:~#

root@balldav:~# ls -l /media/fuse
total 0
-r--r--r-- 1 root root 1572751482 1970-01-01 08:00 encase_image.E01.raw
root@balldav-laptop:~#

root@balldav-laptop:~# losetup -f -o 32256 /media/fuse/encase_image.E01.raw
root@balldav-laptop:/# losetup -a
/dev/loop0: [0016]:2 (/media/fuse/encase_image.E01.raw), offset 32256
root@balldav-laptop:~#

Then mount the image exactly as above.
