Difference between pages "Mounting Disk Images" and "File Carving"

From Forensics Wiki
Mounting Disk Images

= FreeBSD =

To mount a disk image on [[FreeBSD]]:

First attach the image to unit #1:

  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

  # mount -t msdos /dev/md1s1 /mnt

  # ls /mnt
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS

To unmount:

  # umount /mnt
  # mdconfig -d -u 1

To mount the image read-only, use:

  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
  # mount -o ro -t msdos /dev/md1s1 /mnt

= Linux =

==To mount a disk image on [[Linux]]==

  # mount -t vfat -o loop,ro,noexec img.dd /mnt

The '''''ro''''' is for read-only.

This will mount NSRL ISOs:

  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec

Some raw images contain multiple partitions (e.g. a full hard-disk image). In this case it is necessary to specify the starting byte offset of each partition:

  # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
  # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
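A worked example of where the offset= value comes from: this Python script is added here and is not code from the wiki page. It parses the four primary entries of a classic MBR from a constructed sample (one partition at LBA 63, i.e. 63 × 512 = 32256 bytes) and renders read-only loop mounts; the mount-point names and the util-linux sizelimit= loop option that bounds the mount to the partition are my additions, not the page's.

```python
"""Derive mount -o loop,offset= values from a raw image's MBR (added example,
not the wiki's code). Parses the four primary entries of a classic MBR
(16 bytes each at offset 446, 512-byte sectors, 0x55AA signature); logical
partitions inside an extended container are not walked."""
import struct

SECTOR = 512
TABLE_OFF = 446
MBR_SIG = b"\x55\xaa"
EXTENDED_TYPES = (0x05, 0x0F)


def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries with byte offsets."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIG:
        raise ValueError("no 0x55AA signature: not an MBR (GPT or damaged image?)")
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        # boot flag, CHS start (3 bytes, ignored), type, CHS end (3), LBA start, sectors
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue        # unused slot
        parts.append({"index": i + 1, "type": ptype, "boot": boot == 0x80,
                      "start_lba": lba, "sectors": count,
                      "offset": lba * SECTOR, "size": count * SECTOR})
    return parts


def mount_commands(mbr: bytes, image: str, base: str = "/mnt"):
    """Render a read-only loop mount per filesystem-bearing primary partition."""
    cmds = []
    for p in parse_mbr(mbr):
        if p["type"] in EXTENDED_TYPES:
            continue        # container only, no filesystem to mount
        cmds.append(f"mount -o loop,offset={p['offset']},sizelimit={p['size']},"
                    f"ro,noexec {image} {base}/p{p['index']}")
    return cmds


def sample_mbr() -> bytes:
    """Constructed MBR: one bootable FAT32 (0x0C) partition starting at LBA 63,
    i.e. the classic 63 * 512 = 32256 byte offset used on the page."""
    mbr = bytearray(512)
    mbr[TABLE_OFF:TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x0C, 63, 204800)
    mbr[510:512] = MBR_SIG
    return bytes(mbr)
```

Feed the first 512 bytes of a real image (e.g. `open("img.dd", "rb").read(512)`) to `mount_commands` to get the offsets for that image.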
===kpartx===

Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' creates a device mapping for each partition. If the raw image looks like this:

        Device        Boot      Start      End      Blocks Id  System
    rawimage.dd1              1          1        8001  83  Linux
    rawimage.dd2              2          2        8032+  5  Extended
    rawimage.dd5              2          2        8001  83  Linux

the command

  # kpartx -v -a rawimage.dd

creates these mappings:

    /dev/mapper/loop0p1
    /dev/mapper/loop0p2
    /dev/mapper/loop0p5

The partitions can be mounted with these commands:

  # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
  # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch '''''-o ro'''''!

==To unmount==

  # umount /mnt

== Mounting Images Using Alternate Superblocks ==

* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]

= Windows =

MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.

== Free Tools ==

* [http://accessdata.com/support/adownloads#FTKImager FTK Imager v.3.0]
* [http://www.ltr-data.se/opencode.html#ImDisk ImDisk] - also on [http://en.wikipedia.org/wiki/ImDisk WikiPedia]
* Paraben's [http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=268 P2 Explorer]
* [http://www.vmxbuilder.com/vdk-gui/ VDKWin], requires [http://chitchat.at.infoseek.co.jp/vmware/vdk.html VDK]

== Commercial Tools ==

* [http://www.asrdata.com/SmartMount/ SmartMount]
* [http://www.mountimage.com/ Mount Image Pro] - has a 14-day trial version

[[Category:Howtos]]

Revision as of 15:44, 29 December 2006

Carving is the practice of searching an input for files based on the input's content. Most often the input is a disk image, but it's possible (and sometimes practical) to carve individual files or physical memory.

File Carving

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. Semantic Carving performs carving based on an analysis of the contents of the proposed files.

File carving tools are listed on the Tools:Data_Recovery wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. Searching the entire input can find files that have been embedded into other files, such as JPEGs being embedded into Microsoft Word documents.
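To make the header/footer and sector-boundary points concrete, here is a minimal JPEG carver added as an example (it is not code from the wiki or from any of the listed tools). It scans a constructed four-sector input containing one JPEG at a sector boundary and one embedded at an unaligned offset inside another file; the `sector_aligned` switch, the 10 MiB size cap and the sample data are my assumptions.

```python
"""Minimal header/footer carver for JPEG (added example, not the wiki's code).
Looks for the header FF D8 FF and the footer FF D9 and carves the span
between them. sector_aligned=True mimics the carver option that only
considers headers at sector boundaries, which misses a JPEG embedded
at an arbitrary offset inside another file."""
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
MAX_JPEG = 10 * 1024 * 1024      # give up on a header with no footer within 10 MiB


def carve_jpeg(data: bytes, sector_aligned: bool = False, sector: int = 512):
    """Return (offset, length) for each header/footer pair found in data."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        if sector_aligned and start % sector:
            pos = start + 1          # header not on a sector boundary: skip it
            continue
        # First footer after the header; an embedded EXIF thumbnail would end
        # the carve early, which is the classic weakness of this approach.
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + MAX_JPEG)
        if end == -1:
            pos = start + 1          # no footer in range: treat header as noise
            continue
        length = end + len(JPEG_FOOTER) - start
        found.append((start, length))
        pos = start + length         # resume after the carved file
    return found


def sample_input() -> bytes:
    """Constructed 4-sector input: a JPEG at sector 1 and a second JPEG
    embedded 100 bytes into a 'document' occupying sector 3."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER   # 46 bytes
    jpeg_b = JPEG_HEADER + b"\xe1" + b"B" * 20 + JPEG_FOOTER   # 26 bytes
    img = bytearray(4 * 512)
    img[512:512 + len(jpeg_a)] = jpeg_a
    doc = 3 * 512 + 100
    img[doc:doc + len(jpeg_b)] = jpeg_b
    return bytes(img)


if __name__ == "__main__":
    img = sample_input()
    print("all offsets:   ", carve_jpeg(img))                       # both files
    print("sector-aligned:", carve_jpeg(img, sector_aligned=True))  # embedded one missed
```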

DFRWS2006 featured a file carving challenge. As a condition of entering the challenge, all tools and techniques developed to solve the challenge had to be open sourced.

Memory Carving