Difference between pages "Mounting Disk Images" and ".XRY"

From Forensics Wiki

The right-hand page of the comparison, '''.XRY''':

{{Infobox_Software |
  name = XRY |
  maintainer = [[Micro Systemation]] |
  os = {{Windows}} |
  genre = {{Mobile forensics}} |
  license = {{Commercial}} |
  website = [http://www.msab.com www.msab.com] |
}}

'''XRY''', pronounced "ex-arr-why", is a forensic system designed specifically for analyzing mobile digital devices, written by [[Micro Systemation]]. The software runs on a Windows computer and retrieves information from mobile phones, either for immediate display of the results or for saving to files for later analysis. At the time of writing, supported device classes included smartphones, GPS units and mobile tablets such as the iPad.

== Overview ==

XRY ships as a package containing both the hardware and the software needed to read the device information. The package currently includes the following hardware: XRY Communications Unit, SIM Card Reader, Clone SIM Cards, Write-Protected Memory Card Reader and a complete set of cables.

The hardware is connected to a Windows computer using a USB cable and is capable of displaying immediate results from the device extraction.

The software can retrieve phone book information, SMS and other text messages, call lists, calendar entries, task items, pictures, media files, and SIM card information. XRY also retrieves a lot of information about the phone itself, such as IMEI/ESN, IMSI, model number, a comparison of the telephone's clock with the computer's, etc. The latest version includes support for some smartphone applications such as Facebook, Myspace, Skype and Gmail.

The system generates an encrypted file called .XRY which contains a copy of all the information retrieved from the phone. The company also licenses customers to freely issue its XRY Reader application, so that these secure encrypted files can be read by authorized third parties.

== Supported devices ==

The tool supports more than 4,000 different mobile device profiles, including [[GSM]], [[UMTS]] and [[CDMA]] phones. SIM cards are supported as well. Smartphones running Android, BlackBerry, iPhone, Symbian and Windows Mobile are also supported.

XRY is one of a limited number of mobile forensic products which also offers Physical Extraction on devices, giving access to potentially more information from a device, including deleted data.

== XRY Reader ==

XRY creates a report containing the user's own logo, address, etc. and the basic required information. The generated report can be printed out, exported in whole or in part, or forwarded electronically to be opened with .XRY Reader, which is distributed for free. A search function simplifies the task of searching for a particular name, number or other text.

== External Links ==

* [http://www.msab.com/en/mobile-forensic-products/XRY-Mobile-Version-Forensic-Software/ Official web site]

The left-hand page of the comparison, '''Mounting Disk Images''' (edit summary: ''m (kpartx)''):

= FreeBSD =

To mount a disk image on [[FreeBSD]]:

First attach the image to memory disk unit #1:

  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

  # mount -t msdos /dev/md1s1 /mnt
  # ls /mnt
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS

To unmount:

  # umount /mnt
  # mdconfig -d -u 1

To mount the image read-only, use:

  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
  # mount -o ro -t msdos /dev/md1s1 /mnt

= Linux =

==To mount a disk image on [[Linux]]==
  # mount -t vfat -o loop,ro,noexec img.dd /mnt

The '''''ro''''' is for read-only.

This will mount NSRL ISOs:

  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec

Some raw images contain multiple partitions (e.g. a full hard disk image). In this case it is necessary to specify the starting byte offset of each partition:

  # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
  # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2

===kpartx===

Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' creates a device mapping for each partition. If the raw image looks like this:

        Device        Boot      Start      End      Blocks Id  System
    rawimage.dd1              1          1        8001  83  Linux
    rawimage.dd2              2          2        8032+  5  Extended
    rawimage.dd5              2          2        8001  83  Linux

the command

  # kpartx -v -a rawimage.dd

creates these mappings:

    /dev/mapper/loop0p1
    /dev/mapper/loop0p2
    /dev/mapper/loop0p5

The partitions can be mounted with these commands:

  # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
  # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch '''''-o ro'''''!

==To unmount==

  # umount /mnt

== Mounting Images Using Alternate Superblocks ==

* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]

[[Category:Howtos]]
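The two offset values in the Linux section are each partition's start sector multiplied by the sector size (63 × 512 = 32256, 40965750 × 512 = 20974464000), which is exactly what mount's ''offset='' option needs; kpartx does the same arithmetic from the partition table. The following Python script is an added example, not code from the Forensics Wiki page: it reads an image's MBR, numbers partitions the way the kernel and kpartx do (1 to 4 for primary slots, 5 and up for logical partitions inside an extended container), computes each byte offset and prints read-only, noexec loop-mount commands in the style shown above. It assumes 512-byte sectors and a plain MBR (no GPT); the image layout it builds for its self-test is constructed, and the mount point prefix ''/mnt/tmp'' is an assumption.

```python
#!/usr/bin/env python3
"""Derive loop-mount offsets for each partition of a raw image from its MBR.

Added example: parses the MBR primary entries, walks the extended-partition
EBR chain, and prints read-only mount commands with the right offset= values.
"""
import struct
import sys

SECTOR_SIZE = 512            # assumption: 512-byte sectors (use 4096 for 4Kn media)
MBR_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446           # the partition table starts at byte 446 of an MBR or EBR
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F}                  # containers for logical partitions, not mountable
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}


def read_sector(src, lba, sector_size=SECTOR_SIZE):
    """Return one sector from a bytes object or from a seekable file opened 'rb'."""
    start = lba * sector_size
    if hasattr(src, "seek"):
        src.seek(start)
        sector = src.read(sector_size)
    else:
        sector = src[start:start + sector_size]
    if len(sector) != sector_size:
        raise ValueError(f"LBA {lba} lies outside the image")
    return sector


def table_entries(sector):
    """Yield (status, type, lba_start, sectors) for the four entries of an MBR or EBR."""
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        yield struct.unpack(ENTRY_FORMAT, sector[off:off + ENTRY_SIZE])


def _part(number, status, ptype, lba, count, sector_size):
    return {"number": number, "type": ptype, "bootable": status == 0x80,
            "lba_start": lba, "sectors": count,
            "offset": lba * sector_size, "size": count * sector_size}


def list_partitions(src, sector_size=SECTOR_SIZE):
    """Return partitions numbered like the kernel does: slots 1-4 primary, 5+ logical."""
    parts, extended = [], []
    for slot, (status, ptype, lba, count) in enumerate(table_entries(read_sector(src, 0, sector_size)), 1):
        if ptype == 0 or count == 0:
            continue             # an empty slot still consumes a number (hence dd1, dd2, dd5 on the page)
        parts.append(_part(slot, status, ptype, lba, count, sector_size))
        if ptype in EXTENDED_TYPES:
            extended.append(lba)
    number = 5
    for ext_start in extended:
        ebr_lba, seen = ext_start, set()
        while ebr_lba not in seen:   # a looping EBR chain in a corrupt image must not hang the parser
            seen.add(ebr_lba)
            entries = list(table_entries(read_sector(src, ebr_lba, sector_size)))
            status, ptype, rel, count = entries[0]     # the logical partition, relative to this EBR
            if ptype and count:
                parts.append(_part(number, status, ptype, ebr_lba + rel, count, sector_size))
                number += 1
            _, next_type, next_rel, _ = entries[1]      # next EBR, relative to the extended partition start
            if next_type == 0 or next_rel == 0:
                break
            ebr_lba = ext_start + next_rel
    return parts


def mount_commands(image_path, parts, base="/mnt/tmp"):
    """Build one read-only, noexec loop-mount command per mountable partition."""
    cmds = []
    for p in parts:
        if p["type"] in EXTENDED_TYPES:
            continue
        fs = "vfat" if p["type"] in FAT_TYPES else "auto"
        cmds.append(f"mount -t {fs} -o loop,offset={p['offset']},ro,noexec "
                    f"{image_path} {base}_{p['number']}")
    return cmds


def _entry(status, ptype, lba, count):
    return struct.pack(ENTRY_FORMAT, status, ptype, lba, count)


def build_sample_image():
    """Constructed 200-sector image: FAT32 at sector 63 plus an extended partition at
    sector 100 holding one logical Linux partition (mirrors the page's dd1/dd2/dd5 layout)."""
    img = bytearray(200 * SECTOR_SIZE)
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = _entry(0x80, 0x0C, 63, 30)
    mbr[462:478] = _entry(0x00, 0x05, 100, 100)
    mbr[510:512] = MBR_SIGNATURE
    img[0:512] = mbr
    ebr = bytearray(SECTOR_SIZE)
    ebr[446:462] = _entry(0x00, 0x83, 1, 50)    # logical volume begins one sector after its EBR
    ebr[510:512] = MBR_SIGNATURE
    img[100 * 512:101 * 512] = ebr
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:     # real image: sectors are read on demand, not the whole file
            found, name = list_partitions(fh), sys.argv[1]
    else:
        found, name = list_partitions(build_sample_image()), "img.dd"
    for p in found:
        print(f"partition {p['number']}: type 0x{p['type']:02x}, start sector {p['lba_start']}, offset {p['offset']} bytes")
    print("\n".join(mount_commands(name, found)))
```

Run it with no arguments to see the constructed layout resolved to offsets 32256 and 51712, or pass the path of a raw image to have its MBR parsed in place. Everything is computed from the image alone, and the generated commands keep the ''ro,noexec'' options the page insists on, so nothing in the evidence file is modified by looking at it.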

Revision as of 12:28, 9 May 2011
