Tuesday, July 19, 2011

Mounting Split Raw Images

A raw image, made with dd or a variant, is still a common image format, and will not go away soon even as many argue the benefits of forensic images such as the Expert Witness Format (supplied through libewf) and the Advanced Forensic Format (supplied through afflib).  But raw images can be difficult to tote around because they are bit for bit copies which makes the copy as large as the original.  As such, the images are often split to fit on external media such as DVD.

But splitting, while solving storage problems, creates a new problem.  What if you want to mount the image for examination?  True, Sleuthkit can handle the examination of split raw images, but sometimes there is no equal to simply mounting an image during an examination.

Let me illustrate using a situation I encountered yesterday.  A colleague had a split raw image of over 200 segments that he wished to mount and then boot in a virtual machine.  He tried to follow my tutorial  but was unsuccessful, uncertain as to why.  When I looked into the situation with him, the issue became clear: xmount, the tool used to create a virtual disk from a disk image, was only mounting the first segment of the split raw image, despite being given all the segments as arguments as is required with Expert Witness Format images.  More simply put, xmount does not handle split raw images.  It will handle a single raw image file just fine, however.

What to do?  One could simply cat the files together, but that means doubling storage requirements, at least until the concatenation operation is concluded.  That might not be feasible or desirable, and it can be very time consuming.  In this case, we were talking 300 GB of data.  It would be great to be able to treat the segments as one file, and pass that file to xmount to accomplish the purpose.

Affuse to the rescue!  Affuse is part of the afflib tool suite.  It creates a virtual file system using fuse and mounts it to a location you specify.  You only pass the first segment of the split image as an argument.  The command takes the form:

# affuse image mount_point

Affuse creates an image.raw file (that is, the name of the segment with '.raw' appended)  in the mount point along with a log file.  Yes, its that easy.

To finish the scenario, xmount can then take the image.raw file as an argument to create the virtual disk, thusly:

# xmount --in dd --out vdi --cache image.cache mount_point/image.raw new_mount_point/

This command tells xmount that the input file, image.raw, is raw data, the output desired is a VirtualBox vdi format, that a cache file called "image.cache" is desired to store system changes when the virtual machine is running.  The .vdi file will be mounted in the "new_mount_point" directory.  If xmount is unfamiliar to you, I recommend you read my previous post.

Like affuse, xmount utilizes the fuse file system.  Both utilities accept fuse file system arguments as well as tool specific arguments, so read only mounting and permissions options exist (type "man fuse" at the command line for more details).  As always, practice on non-case data to become familiar with the tools.

No comments:

Post a Comment

Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...