Image acquisition and mounting
Image acquisition
The drive to be imaged should be extracted from the system and connected to an acquisition station, ideally through a hardware write blocker. Dedicated hardware, such as the TX1 Tableau Forensic Imager, can also be used to directly make a drive-to-drive or drive-to-file (such as a raw file) copy.
If the disk to image cannot be extracted from the system, a bootable USB drive can be used to boot into a temporary OS (if the BIOS boot order of the target system can be changed). A Linux distribution suitable for forensic imaging should be used, such as the CAINE distribution (based on Ubuntu) or Kali Linux in Forensics Mode. In such distributions, all devices are blocked in read-only mode, auto-mounting is disabled, and a number of forensic tools are installed for acquisition.
From Windows
Windows should only be used as an acquisition platform if the drive to image can be connected through a hardware write blocker, as Windows will automatically attempt to mount any recognized partitions, potentially altering the data.
The FTK Imager utility can be used to create a forensic image of a physical drive or logical drive / partition. FTK Imager can create images in raw, EnCase (E01), or Advanced Forensics Format (AFF) formats.
The procedure is as follows:
From Linux
Devices overview
Linux storage devices, such as hard disks or SSDs, are typically block devices represented as files under /dev. Block devices can be divided into one or more logical disks called partitions. This partitioning is recorded in the partition table, such as MBR or GPT, usually found in sector 0 of the disk.
SATA drives
Each drive is represented as /dev/sdx. Example of two drives: /dev/sda, /dev/sdc
Each partition is represented as /dev/sdxN. Example of two partitions on the same drive: /dev/sda1, /dev/sda2
NVMe drives
Each drive is represented as /dev/nvmeXn1. Examples: /dev/nvme0n1, /dev/nvme1n1
Each partition is represented as /dev/nvmeXn1pN. Examples: /dev/nvme0n1p1, /dev/nvme0n1p2
Optical media (CD or DVD drives)
Each drive is represented as /dev/srx. Example of two CD / DVD drives: /dev/sr0, /dev/sr1
Partitions: NA
The lsblk utility can be used to list the block devices present on a system, and the fdisk or gdisk (for handling of GPT) utilities to retrieve more information on a specific device and its partitions.
Imaging using dd
dd is the standard copy utility that, while not forensic oriented, can be used to create an image of a device / partition. dd presents the advantage of being available in most Linux distributions. A more forensically sound utility, such as dc3dd (presented below), should generally be used if possible.
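When only dd is available, the hashing and logging it lacks have to be done around it. The following is an added example, not taken from the original page: the acquire function, the log layout and the constructed sample file standing in for a device are assumptions.

```sh
#!/bin/sh
# acquire SRC DEST [BS]: image SRC into DEST with dd, then verify by SHA-256.
# Returns 0 when the image hash equals the source hash, 1 on mismatch or dd
# failure, 2 when SRC is unreadable or DEST already exists.
acquire() {
    src=$1; dest=$2; bs=${3:-512}; log="$dest.log"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 2; }

    # Pass 1: hash the source (read through the write blocker) before copying.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)

    # Pass 2: copy. noerror keeps going after a read error; sync pads the
    # failed block with zeros so later data keeps its offset. sync also pads
    # a short final block, so BS must divide the source size: the sector
    # size always does, a larger BS is faster but may not.
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2> "$dest.stderr"
    dd_rc=$?

    img_hash=$(sha256sum < "$dest" | cut -d' ' -f1)
    {
        echo "date_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src image=$dest bs=$bs dd_exit=$dd_rc"
        echo "sha256_source=$src_hash"
        echo "sha256_image=$img_hash"
        cat "$dest.stderr"              # dd's "records in / records out" lines
    } > "$log"
    rm -f "$dest.stderr"
    chmod a-w "$dest" "$log"            # evidence files become read-only

    [ "$dd_rc" -eq 0 ] && [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 8 KiB file standing in for a device such as /dev/sdX.
demo=$(mktemp -d)
yes constructed-sample | head -c 8192 > "$demo/src.bin"
if acquire "$demo/src.bin" "$demo/image.dd"; then echo "image verified"; fi
cat "$demo/image.dd.log"
rm -rf "$demo"
```

The source is read twice here (once for the hash, once for the copy), which is a cost on a failing drive.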
Imaging using dc3dd
dc3dd is a more forensic-oriented utility, based on dd, to make disk or partition images. dc3dd automatically detects bad sectors, natively integrates hashing of the input and output bytes, and integrates logging functionalities, making it more suitable for forensic imaging.
Imaging using Guymager
Guymager is a GUI forensic imager that can produce image files in raw, EWF, and AFF formats. Guymager is multi-threaded for faster collection and integrates hash calculation.
Image mounting
Following the imaging of a system disk, the image taken must be mounted as a partition for analysis. Numerous tools can be used to do so, from either the Windows or Linux operating systems. An important aspect of image mounting is the preservation of the artefacts' integrity. The image should be mounted read-only (or with temporary writes), with a few specificities to preserve timestamps and data integrity.
Some utilities, such as Autoruns, require writable partitions. To use such utilities, the image should be mounted using a utility supporting temporary writes.
From Windows
The Arsenal Image Mounter is a powerful graphical utility that can be used to mount multiple image types. It supports temporary writes using a diff file that will store the modifications. Arsenal Image Mounter will automatically mount the different partitions of a given image and implements decryption of BitLocker-protected partitions.
Arsenal Image Mounter supports the following disk image formats:
raw / DD
Multi-part raw
EnCase Evidence File (E01)
Advanced Forensics Format (AFF)
VDI / VMDK / VHD
Other utilities such as FTK Imager or OSF Mount may be used as well.
From Linux
Virtual Machine disks
The guestmount utility can be used to mount a virtual machine disk (vmdk, vhdx, qcow / qcow2, vdi, etc.) directly:
Alternatively, the qemu-img utility can be used to convert a virtual machine disk to a raw image:
Expert Witness/EnCase (EWF) image
The following procedure can be followed to mount disk images in the Expert Witness/EnCase (EWF) format:
Logical Volume Manager image
Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel, giving a system of partitions independent of the underlying disk layout.
The LVM feature is composed of the following building blocks:
Physical volume (PV): Unix block device node, such as a hard disk, an MBR or GPT partition, usable for (physical) storage.
Volume group (VG): group of physical volume(s) that serves as a container for logical volume(s).
Logical volume (LV): virtual/logical partition that resides in a volume group and is composed of physical extents. LV can be directly formatted with a file system.
Physical extent (PE): smallest contiguous extent in a physical volume that can be assigned to a logical volume.
Examples:
Physical disks: /dev/sda1 and /dev/sdb1.
Volume Group: /dev/MyVolGroup/ = /dev/sda1 + /dev/sdb1
Logical volumes: /dev/MyVolGroup/rootvol, /dev/MyVolGroup/homevol, /dev/MyVolGroup/mediavol
The following commands can be used to mount an LVM disk image:
Generic / other image types
The image partitions can first be determined using TSK's mmls or the fdisk utility. These utilities retrieve the image sector size and the partition offsets, both required to mount a partition.
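The byte offset passed to mount is the partition's start sector multiplied by the sector size. The following added example (not from the original page) derives it from mmls output and prints a read-only loop mount command; the function names, image.dd, the mount points and the embedded mmls listing are constructed for illustration, and the slot matching also covers the GPT listing style.

```sh
#!/bin/sh
# part_offsets: read `mmls IMAGE` output on stdin and print, for each allocated
# partition, "slot<TAB>byte_offset<TAB>description".
part_offsets() (
    ss=512                                   # default until the Units line is seen
    while read -r idx slot start _end _len desc; do
        case "$idx $slot $start" in
            "Units are in") ss=${_end%%-byte*}; continue ;;
        esac
        case "$slot" in
            [0-9]*) ;;                       # 000:001 (DOS) or 000 (GPT)
            *) continue ;;                   # Meta, -------, header lines
        esac
        # mmls zero-pads sector numbers; strip the padding, because a
        # leading 0 makes $(( )) parse the value as octal.
        start=${start#"${start%%[!0]*}"}
        printf '%s\t%s\t%s\n' "$slot" "$(( ${start:-0} * $ss ))" "$desc"
    done
)

# ro_mount_cmd IMAGE OFFSET MOUNTPOINT: print (do not run) the mount command.
# ro + noexec + noatime keep the mount from changing or executing evidence.
ro_mount_cmd() {
    printf 'mount -o ro,loop,noexec,noatime,offset=%s %s %s\n' "$2" "$1" "$3"
}

# Constructed mmls listing for a two-partition MBR image.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
003:  000:001   0001026048   0041940991   0040914944   Linux (0x83)
EOF
}

sample_mmls | part_offsets
ro_mount_cmd image.dd 1048576 /mnt/part1
```

For ext3/ext4 partitions, adding the noload mount option additionally prevents journal replay on mount.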