Forensic Mounting of Disk Images using Ubuntu 20.04
Basic commands, parameters, syntax and scripted disk mounting using ermount.sh
Disk images are commonly used to create back-ups and to provide evidence for forensic analysis. If you work in a lab or regularly need access to different disk images from the command line, it can be difficult to remember the commands, formats and syntax. Not only that, if you are given an image on an external disk or a raw drive, you need to know how to introduce the data into your environment without altering it. This is especially important in digital forensics to maintain the integrity of your data. Preferably, a write blocker should be used whenever a foreign disk is connected. It is also advisable to disable automatic mounting by running the following command.
sudo gsettings set org.gnome.desktop.media-handling automount false
Mounting External Media
After a new disk is attached, and auto-mounting is disabled, the physical disk can be identified from the command line using several commands:
- df -Th | grep "^/dev/sd"
- fdisk -l
- lsblk -f /dev/sd*
- parted -l
- blkid
The first physical disk is listed in the /dev/ directory as "sda" and additional disks are added alphabetically: /dev/sda, /dev/sdb, /dev/sdc and so on. Each partition on a disk increments sequentially as /dev/sda1, /dev/sda2, /dev/sda3 and so on. Depending on the Linux distribution, optical media such as CDs/DVDs can be listed as /dev/scd, /dev/sr0 or even /dev/cdrom, and for legacy support floppy disks are defined as /dev/fd0. The main point is that although disks are listed as files in a directory, they are interpreted as devices by the operating system.
File System Types
Once a device is identified, it can be mounted based on its file system type. The mount command can attempt to auto-detect it, but in most cases it is better to specify the file system if known. The commands above not only list the known devices but also report the detected file system type. Some common file system types are listed below:
- ntfs
- vfat
- ext3
- ext4
- hfsplus
- iso9660
- udf
The "mount" Command
Once you have identified the file system, a mount command can be issued to make the files accessible. A mount point is a directory that will contain the file system contents; mount points are commonly created in the /mnt/ and /media/<user>/ directories. For example, the mkdir command can be used: (mkdir /mnt/macusb)
mount -t hfsplus -o ro /dev/sdc1 /mnt/macusb
The -t parameter is used to specify the file system type.
-o is used to specify additional mount options. In this example, ro is given to mount the disk read-only. There are a number of mount options, which are categorized as "filesystem-independent" and "filesystem-dependent" options. Descriptions of these options can be found in the mount man page.
Partitions and Partition Offsets
The sequence for preparing a new hard disk drive for use is a three-step process. First, a partition table must be created to store the definitions of the disk's partition areas. A partition table can be one of two types: either MBR or the newer GPT. The partition table then defines data areas on the drive, better known as disk volumes. The final step is to format each volume based on an operating system specification, such as ntfs or ext4.
When mounting a physical disk using the mount command above, /dev/sdc1 is the partition and /dev/sdc is the disk. The drive geometry can be found using different tools, including fdisk, parted or mmls, which is part of The Sleuth Kit. In this example, a 16GB thumb drive is plugged in as the third physical disk and contains a single partition formatted in the legacy macOS format, HFS+. The system area of the drive and the partition table are located in sectors 0–2047. The HFS+ partition starts at sector 2048 and is 14.6GB in size. The physical sector size of 512 bytes is the standard size set by the manufacturer on almost all disks available today.
Installing Disk Image Mounting Tools
To install a comprehensive set of disk mounting and imaging tools enter the following two commands. This will allow you to perform all the commands in this tutorial and more.
sudo apt-get update
sudo apt-get install ewf-tools afflib-tools qemu-utils libbde-utils libvshadow-utils sleuthkit fuse xmount -y
Mounting RAW Disk Images
Raw disk images are sector-by-sector copies of a physical disk or partition, originally produced as backup files with the "dd" command. Mounting raw disk images is identical to mounting physical disks. In addition, the "file" command can be used to verify the file format and get information about the image.
If an image was created from an entire disk, "fdisk -l" can be used to find the starting sector of the partition; multiplying it by the sector size (512) gives the partition offset in bytes, which is passed as the offset mount option.
Common Disk Image types:
There are a number of disk image types; the most common types used in forensic analysis are listed below. Over the past years, E01 and RAW images have been the de facto standard for forensic analysis; however, there is no real "best approach" when it comes to disk imaging. With the ever-increasing use of virtualization, it is also necessary to include techniques to quickly mount virtual disk formats for hypervisors like VMware, KVM and Hyper-V.
- RAW
- E01
- VHD(X)
- AFF
- qcow2
- vmdk
- vdi
Additionally, EnCase has a newer E01 format (Ex01) and logical disk image formats (L01 and Lx01). Logical images are not sector-by-sector bit-stream images of a disk but rather a copy of the files and directories of a volume. Another extension of the E01 format is files with an S01 extension. A more comprehensive explanation of the available disk image file formats can be found here. In fact, there is an entire book on the subject.
Mounting Segmented Raw Images
Because disk images are sector-by-sector copies of a physical disk, raw disk images can be quite large, as they are the same size as the source hard disk. The dd command and other imaging tools allow you to compensate for the large file size by storing the image in smaller segment files that share the same base name and are given sequential file extensions (.002, .003, .004 and so on). One tool available to mount segmented images is affuse. affuse was written to mount image files in the AFF format but is also compatible with raw images: it concatenates the image segments into a single raw file so that the disk can then be mounted.
In the example below, the test directory contains a segmented image named af-raw. The following commands are run using sudo to mount the disk:
affuse dd/test/af-raw.001 /mnt/aff
creates the single raw file /mnt/aff/af-raw.001.raw
fdisk -l /mnt/aff/af-raw.001.raw
Show partition information
echo $((2048 * 512))
Calculates the partition offset
mount -t ntfs -o ro,loop,offset=1048576 /mnt/aff/af-raw.001.raw /mnt/mount_dir
Mounts the disk in a directory named mount_dir
Notice that the loop option was supplied to the mount command. By running the command:
losetup -j /mnt/aff/af-raw.001.raw
you can see the loop device (here "/dev/loop20") that the loop option attached to the raw image so that it could be mounted.
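The offset calculation used above (start sector times sector size), as an added example that is not part of the original article: a shell function that reads fdisk -l output and derives the offset from the partition row's Start column and the reported sector size, so it also covers images with 4096-byte sectors. The fdisk output it parses is constructed here, and the mount targets are the ones used in the text.

```shell
#!/bin/sh
# Added example (not from the article): derive the "offset=" mount option from
# "fdisk -l" output instead of hard-coding 2048 * 512. The logical sector size is
# read from the "Sector size" line, so images with 4096-byte sectors work too.

# partition_offset N  - reads "fdisk -l" output on stdin and prints the byte
# offset of the N-th partition row (default 1); exit status 1 if no such row.
partition_offset() {
    awk -v want="${1:-1}" '
        # "Sector size (logical/physical): 512 bytes / 512 bytes" -> logical size
        /^Sector size/ { sector = $4 }
        # partition rows begin with the device path; the Boot "*" column is optional
        /^\// {
            n++
            start = ($2 == "*") ? $3 : $2
            if (n == want) { print start * sector; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Constructed "fdisk -l" output (not captured from a real drive): the 16GB thumb
# drive image from the text, one NTFS partition starting at sector 2048.
SAMPLE_512='Disk /mnt/aff/af-raw.001.raw: 14.6 GiB, 15728640000 bytes, 30720000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x5a5a5a5a

Device                    Boot Start      End  Sectors  Size Id Type
/mnt/aff/af-raw.001.raw1  *     2048 30719999 30717952 14.6G  7 HPFS/NTFS/exFAT'

# Constructed output for a 4096-byte-sector GPT image with two partitions (no Boot column)
SAMPLE_4K='Disk /tmp/raw/ewf1: 14.6 GiB, 15728640000 bytes, 3840000 sectors
Sector size (logical/physical): 4096 bytes / 4096 bytes
Disklabel type: gpt

Device          Start     End Sectors  Size Type
/tmp/raw/ewf1p1   256   65791   65536  256M EFI System
/tmp/raw/ewf1p2 65792 3839966 3774175 14.4G Microsoft basic data'

# Stand-alone demonstration: the offsets feed the read-only loop mounts shown above
off=$(printf '%s\n' "$SAMPLE_512" | partition_offset 1)
echo "mount -t ntfs -o ro,loop,offset=$off /mnt/aff/af-raw.001.raw /mnt/mount_dir"
off=$(printf '%s\n' "$SAMPLE_4K" | partition_offset 2)
echo "mount -t ntfs -o ro,loop,offset=$off /tmp/raw/ewf1 /tmp/ermount"
```

On a live system the same function takes real output: sudo fdisk -l /mnt/aff/af-raw.001.raw | partition_offset 1.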
Mounting E01 Images
Expert Witness E01 and S01 files can be mounted in much the same way as AFF and segmented raw images using ewfmount.
ewfmount Morpheus/morpheusP1.E01 /tmp/raw
creates the single raw file /tmp/raw/ewf1
mount -t ntfs -o ro,loop,show_sys_files,streams_interface=windows /tmp/raw/ewf1 /tmp/ermount
Mount qcow2, VHDX, VMDK and VDI images as virtual block devices
Another method for mounting images is the tool qemu-nbd. qemu-nbd is part of QEMU/KVM which, if you are not familiar with it, is an open source, extensible hypervisor. qemu-nbd works much the same way as ewfmount, except that it creates a virtual block device instead of a raw file, and that device can be mounted like a physical disk (the nbd kernel module must be loaded first; it is removed again with rmmod below). The following command is an example of how to attach a vmdk as a block device:
qemu-nbd -r -c /dev/nbd1 vmdk/C-Drive.vmdk
The command yields the available partitions, listed as nbd1p1 and nbd1p2, which can then be mounted after the offset is calculated.
mount -t ntfs -o ro,loop,offset=1048576 /dev/nbd1 /tmp/ermount
Commands to unmount, remove the block device and the nbd module:
umount /tmp/ermount
qemu-nbd -d /dev/nbd1
rmmod nbd
Mounting Volume Shadow copies
Volume shadow copies on Windows volumes can be mounted using libvshadow-utils.
To identify and locate shadow copies, run the vshadowinfo command.
Once again, mounting volume shadow copies is a two-step process: this time, vshadowmount is run once to expose each volume shadow copy as a raw file, followed by a mount command for each file.
A simple "while" loop can then be run from the command line to create the directories and mount all of the volumes.
ls /tmp/vss | while read vsc; do mkdir -p /tmp/shadow/$vsc && mount -t ntfs -o ro,loop,show_sys_files,streams_interface=windows /tmp/vss/$vsc /tmp/shadow/$vsc; done
Mounting Bitlocker encrypted disks
The final example is BitLocker-encrypted disks. BitLocker encryption can be on a physical disk or in an image file, but the technique is the same.
To unlock a disk or an image, you can supply either the password (-p) or the recovery key (-r):
bdemount -p forensics /dev/sdb1 /tmp/bde
bdemount -r ED66209E-D05C-4230-BCAC-ABC9XXXDE27DA /dev/sdb1 /tmp/bde
The raw file can then be mounted.
mount -t ntfs -o ro,loop,offset=1048576 /tmp/bde/bde1 /tmp/ermount
Scripted Disk Mounting
Instead of trying to commit all of this to memory, I have found it easier to write a bash script called ermount.sh that does all of these tasks in an automated fashion. The result incorporates all of the techniques listed above. There are other ways to mount a disk from the command line; the script tries to find commonality among the image types and mounts disks using broadly similar commands. There is one caveat: images are mounted based on their file extension. For instance, a qcow2 image with an extension of img will be treated as a raw image and the mount will fail.
The script is located at:
https://github.com/dfir-scripts/EverReady-Disk-Mount
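The extension caveat above, together with the earlier note that the "file" command can verify an image's format, as an added example that is not ermount.sh or any other code from the article: identify the image type from its magic bytes and choose the first-stage tool accordingly, so a qcow2 image renamed to .img is still handed to qemu-nbd. The /tmp/raw and /dev/nbd1 targets are assumed from the examples above, and the sample files are constructed headers, not real images.

```shell
#!/bin/sh
# Added example (not ermount.sh): classify a disk image by magic bytes instead of
# its extension, then pick the tool that exposes it. /tmp/raw and /dev/nbd1 are
# the assumed targets from the text above.
hexbytes() { od -An -tx1 | tr -d ' \n'; }   # stdin -> hex string without spaces
detect_image_format() {
    case "$(head -c 8 "$1" | hexbytes)" in
        455646090d0aff*)   echo e01;   return ;;  # "EVF\t\r\n\xff"  EWF / E01 segment
        4146463130*)       echo aff;   return ;;  # "AFF10"          AFF
        514649fb*)         echo qcow2; return ;;  # "QFI\xfb"        qcow2
        4b444d56*)         echo vmdk;  return ;;  # "KDMV"           VMDK sparse extent
        7668647866696c65*) echo vhdx;  return ;;  # "vhdxfile"       VHDX
        636f6e6563746978*) echo vhd;   return ;;  # "conectix"       dynamic VHD header copy
        3c3c3c20*)         echo vdi;   return ;;  # "<<< "           VDI text header
    esac
    # a fixed-size VHD keeps its "conectix" footer only in the last 512 bytes
    if [ "$(tail -c 512 "$1" | head -c 8 | hexbytes)" = 636f6e6563746978 ]; then
        echo vhd; return
    fi
    # raw images have no header: accept one if the MBR signature 55 AA sits at byte 510
    if [ "$(tail -c +511 "$1" | head -c 2 | hexbytes)" = 55aa ]; then
        echo raw; return
    fi
    echo unknown
}
# Map the detected format to the first-stage tool from the sections above.
expose_command() {
    case "$(detect_image_format "$1")" in
        e01)                     echo "ewfmount $1 /tmp/raw" ;;
        aff|raw)                 echo "affuse $1 /tmp/raw" ;;
        qcow2|vmdk|vhdx|vhd|vdi) echo "qemu-nbd -r -c /dev/nbd1 $1" ;;
        *)                       echo "unsupported image format: $1" >&2; return 1 ;;
    esac
}
# Constructed sample files (headers only, not real images) for a stand-alone run.
make_samples() {
    printf 'QFI\373\001' > "$1/disk.img"               # qcow2 behind a misleading .img
    printf 'EVF\t\r\n\377\001' > "$1/disk.E01"
    printf 'AFF10\r\n' > "$1/disk.aff"
    printf 'KDMV\001' > "$1/disk.vmdk"
    { head -c 512 /dev/zero; printf 'conectix'; head -c 504 /dev/zero; } > "$1/fixed.vhd"
    { head -c 510 /dev/zero; printf '\125\252'; } > "$1/disk.dd"   # MBR signature only
    printf 'just a text file' > "$1/notes.txt"
}
D=$(mktemp -d) && make_samples "$D"
for f in "$D"/*; do echo "$(detect_image_format "$f") $f"; done   # disk.img -> qcow2
rm -rf "$D"
```

As in the qemu-nbd section, the nbd kernel module still has to be loaded before the qemu-nbd command it prints will work.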
Final word
These mounting tools, and others that make it possible to access different disk image file formats, have made it much easier to perform forensic analysis in a Linux environment. Thanks to Joachim Metz and others whose efforts have benefited the forensic community greatly.