@cutaway
Last active March 9, 2022 13:05
Tips and tricks to remember for forensic analysis.

Accessing EXT2/3 Image Files In Windows:

When doing forensics, the challenge is usually how to access data when there are restrictions on the ways we can get at it. For instance, suppose we have just acquired a Linux disk formatted with EXT3. The acquired disk is a raw image file that is easily mountable in Linux for review (yes, I mean a plain mount, not forensic analysis tools).

mount -o ro,loop /media/USB/<image.dd> /mnt

This command mounts the image read-only through a loop device and we can do our analysis of the contents. Two caveats: for an EXT3 (or EXT4) image also add the "noload" option (mount -o ro,loop,noload ...), because a plain read-only mount can still replay the journal and write into the image file; and if the image is of a whole disk rather than a single partition, add "offset=<bytes>" pointing at the start of the partition you want. Remember when you are doing an "ls" on the files you'll want the "-n" option (e.g. "ls -ln") so that it doesn't map UIDs and GIDs through the local system's passwd and group files and just displays the numbers stored on the filesystem. "stat" has no such option, but it already prints the numeric UID/GID next to whatever name the local system maps it to, so read the number, not the name.
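As an added example (not part of the original gist, and not a tool from any of the projects mentioned here), the following Python script shows the two things the mount command above glosses over: finding the byte offset of an ext partition inside a whole-disk image by parsing the MBR partition table, and reading the ext superblock to decide whether the filesystem has a journal and therefore needs "noload". It builds a constructed, in-memory sample image so it runs offline; the image path "image.dd", the mount point "/mnt" and the volume label "evidence" are assumptions for illustration.

```python
"""Locate ext2/3/4 partitions in a raw image and print safe read-only mount commands.

Added example: parses the MBR and the ext superblock by hand (no external tools),
then builds the mount line the gist describes, adding noload when a journal exists
and offset= when the image is a whole disk rather than a single partition.
"""
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53                      # s_magic at superblock offset 0x38
COMPAT_HAS_JOURNAL = 0x0004             # s_feature_compat bit: ext3/ext4 journal present
INCOMPAT_EXT4_MARKERS = 0x0040 | 0x0080 | 0x0200   # EXTENTS | 64BIT | FLEX_BG


def parse_mbr(img):
    """Return [(start_byte, length_byte, type_byte)] for used primary MBR entries.

    Returns [] when there is no MBR signature, i.e. the file is a bare partition image.
    """
    if len(img) < 512 or img[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue
        parts.append((start_lba * SECTOR, sectors * SECTOR, ptype))
    return parts


def read_ext_superblock(img, part_offset):
    """Parse the primary ext superblock (1024 bytes in from the partition start)."""
    sb = img[part_offset + 1024: part_offset + 2048]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)   # s_feature_compat, s_feature_incompat
    label = sb[0x78:0x88].split(b"\x00", 1)[0].decode("latin-1")
    has_journal = bool(compat & COMPAT_HAS_JOURNAL)
    if incompat & INCOMPAT_EXT4_MARKERS:
        fstype = "ext4"
    elif has_journal:
        fstype = "ext3"
    else:
        fstype = "ext2"
    return {"fstype": fstype, "has_journal": has_journal,
            "block_size": 1024 << log_block_size, "label": label}


def mount_command(image_path, offset, sb, mountpoint="/mnt"):
    """Build the read-only loop mount line; noload stops journal replay writing to the image."""
    opts = ["ro", "loop"]
    if sb["has_journal"]:
        opts.append("noload")
    if offset:
        opts.append(f"offset={offset}")
    return f"mount -t {sb['fstype']} -o {','.join(opts)} {image_path} {mountpoint}"


def plan_mounts(img, image_path):
    """Return one mount command per ext partition found (or for the whole file if no MBR)."""
    parts = parse_mbr(img) or [(0, len(img), None)]
    cmds = []
    for offset, _length, ptype in parts:
        if ptype == 0xEE:   # GPT protective MBR: partition table lives elsewhere, not parsed here
            cmds.append(f"# {image_path}: GPT disk, get offsets with: parted -s {image_path} unit B print")
            continue
        sb = read_ext_superblock(img, offset)
        if sb is not None:
            cmds.append(mount_command(image_path, offset, sb))
    return cmds


def build_sample_image(start_lba=2048, sectors=64, journal=True):
    """Constructed sample: MBR with one Linux (0x83) partition holding a minimal ext superblock."""
    img = bytearray((start_lba + sectors) * SECTOR)
    entry = bytearray(16)
    entry[4] = 0x83
    struct.pack_into("<II", entry, 8, start_lba, sectors)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    sb = start_lba * SECTOR + 1024
    struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
    struct.pack_into("<I", img, sb + 0x18, 2)                 # 4096-byte blocks
    struct.pack_into("<I", img, sb + 0x5C, COMPAT_HAS_JOURNAL if journal else 0)
    img[sb + 0x78: sb + 0x80] = b"evidence"                  # assumed volume label
    return bytes(img)


if __name__ == "__main__":
    for line in plan_mounts(build_sample_image(), "image.dd"):
        print(line)
```

On a real acquisition you would read the image with open(path, "rb") instead of build_sample_image(); the offset printed is the same number "fdisk -l image.dd" gives as the partition start, multiplied by the sector size.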

But what if you have to give that drive to someone so THEY can review the contents? And what if that person is a Windows-only person? Windows has no built-in method for mounting raw images, let alone for understanding EXT3 filesystems. Thus, you have to think "outside the box".

The first thing I usually do is point them at AccessData's FTK Imager or FTK Imager Lite. This program will open a raw image and provide read-only access to it. You can traverse the directory tree, review the contents in raw hex or browser view (careful with the latter: rendering evidence files in a browser view can trigger embedded content), generate hashes, and export the files.

FTK Imager Download: http://accessdata.com/product-download

The second method is to combine a couple of tools to help Windows understand EXT2/3 and then mount the image. Ext2Fsd is a filesystem driver that lets Windows read EXT2 and EXT3 volumes.

Ext2FSD Project: http://www.ext2fsd.com/
Download Ext2Fsd-0.62.exe (2.8 MB): http://sourceforge.net/projects/ext2fsd/files/

You could use Ext2Mount from that project if you like the command line. But I'm trying to provide access to people with limited command line knowledge. Therefore, attaching the image as a drive with OSFMount (which Ext2Fsd then presents as a readable volume) will give them the access they need.

OSFMount Project: http://www.osforensics.com/tools/mount-disk-images.html

Be sure to mount read-only (OSFMount has a read-only checkbox; leave it checked) and you should be good to go. When successful, you should be able to double-click the drive letter assigned to the image and an Explorer window will open with read-only access to the files.

Also, this is a great way to virus scan these drives. Remember, if you have AV that automatically scans on access, you may get an alert as soon as it detects anything. If you force a scan of the mounted image, remember to deselect the delete and/or quarantine actions. Sure, the mount is read-only, but you don't need to take that chance. Also, the detections will hit your logs or SIEM, so you might want to let somebody know, or you can use it to test your processes.
