Comments on Windows Incident Response: Tools for mounting images

Rob Lee, 2009-09-08 11:49:

Another solution is to use the SIFT workstation. Both free and extremely easy to use.

The problem with many of the tools above is that they still respect the Windows security permissions. For example, with ImDisk try exploring "System Volume Information" via Explorer. It will not let you into the folder even though you can see it. I have run tools against files in an ImDisk that is mounted. They failed too. Skype Parser for one.

Honestly, one of the best ways to view a disk is using F-Response. (Not free)

Also, while the capability to mount exists, how many of these provide a 100% read-only solution that has been tested?

Anyway, earlier this year, I demonstrated one of the best and free solutions to provide a read-only mount. Not the only solution, but one I use regularly in my casework.

https://blogs.sans.org/computer-forensics/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-evidence/

H. Carvey, 2009-09-08 12:32:

Rob,

You're correct about the issue of permissions. You can get around this by running CLI tools in a command prompt launched via "psexec -s cmd.exe" or a GUI tool launched via a Scheduled Task. Another way around this, and this is what I recommend when using ripXP (http://windowsir.blogspot.com/2009/07/ripxp-released.html), is to use FTK Imager to extract the RP* directories themselves (as opposed to the SVI dir and all subdirs) out of the image...

Jimmy_Weg, 2009-09-08 14:25:

> You can get around this by running CLI tools in a command prompt launched via psexec -s cmd.exe or a GUI tool launched via a Scheduled Task.

I've tried launching the command prompt as System with psexec to take ownership or change permissions of an MIP 2 mounted image (XP/Vista) on a Vista Ultimate SP2 host. No joy. I also tried to run my AV from the command prompt in conjunction with the former steps, so that I could scan the SVI tree. That didn't work, either. Maybe I was proceeding incorrectly; it's been a while, and if you have the correct syntax or steps, sharing is appreciated. I've found, however, that I've been able to edit permissions on the SVI tree using MIP 3.

I think that some folks overlook this issue when they AV scan a mounted image. If nothing else, you won't get it scanned until you gain access.

Another solution may be VMware's free mounting application (vmware-mount) that's included with the Virtual Disk Development Kit. It's not a RO tool, but one needs a RW tool when working with virtualized images. Running on my Vista host, I've been able to grant permission to the local Admin on the SVI tree. VMware's native disk mounting feature has consistently failed to mount Vista VMs that I've created from images.

H. Carvey, 2009-09-08 14:34:

Jimmy,

First, changing anything in the mounted image (take ownership, change permissions, etc.) may be prevented by MIP (and other tools) setting the access to read-only.

As to the other issues, there may be something in the AV config, unless you're specifically getting error messages about not being able to access the SVI directory. If that's the case, I'd suggest using something like FTK Imager to extract the contents of the SVI dir from the image.

> Running on my Vista host, I've been able to grant permission to the local Admin on the SVI tree.

Okay, that sort of goes along with what I was saying earlier about the tools mounting the image read-only.

Jimmy_Weg, 2009-09-08 17:57:

Thanks, Harlan. I mentioned above that I have been able to change permissions on a mounted, RO image using MIP 3. It obviously caches the changes as the image file remains unaltered. The vmware-mount image is RW, where that functionality is okay.
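The read-only loop mount that Rob Lee's comment refers to, as an added example that is not code from the original post or any of its commenters. It assumes a raw (dd) image of an MBR-partitioned Windows disk and that The Sleuth Kit's mmls is installed for the real partition listing; the mmls and /proc/mounts samples embedded below are constructed to match those tools' layouts. The mount and write-probe steps need root (sudo) and are only run when you call mount_image_ro yourself.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or its commenters.
# SIFT-style read-only mount of a raw (dd) Windows image on Linux:
#   1. read the partition start and sector size from Sleuth Kit's mmls(1)
#   2. mount that partition through a loop device with ro + offset=
#   3. confirm the kernel recorded the mount as read-only and that a
#      write attempt really fails (a "tested" read-only mount)
# Assumptions: raw dd image with an MBR (DOS) partition table; mmls on PATH
# for the real listing. Sample inputs at the bottom are constructed.

# Print "<start sector> <sector size>" for the first allocated slot whose
# description mentions NTFS or FAT. Input: mmls output on stdin.
parse_mmls() {
    awk '
        BEGIN { ss = 512 }
        /^Units are in/ { sub(/-byte/, "", $4); ss = $4 }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ && /NTFS|FAT/ {
            print $3 + 0, ss; exit
        }'
}

# Byte offset of that partition, for the mount offset= option.
partition_offset_bytes() {       # stdin: mmls output
    parse_mmls | awk '{ print $1 * $2 }'
}

# Mount options: read-only, via loop device, no exec/dev, at the offset.
ro_mount_options() {             # $1 = byte offset
    printf 'ro,loop,noexec,nodev,offset=%s' "$1"
}

# Exit 0 if the mount table on stdin lists $1 with the "ro" flag set.
is_mounted_ro() {                # $1 = mount point; stdin: /proc/mounts
    awk -v mp="$1" '$2 == mp && $4 ~ /(^|,)ro(,|$)/ { f = 1 } END { exit !f }'
}

# Full procedure. Needs root (sudo) for mount, umount and the write probe.
mount_image_ro() {               # $1 = image path, $2 = mount point
    local off
    off=$(mmls "$1" | partition_offset_bytes) || return 1
    [ -n "$off" ] || { echo "no NTFS/FAT partition found in $1" >&2; return 1; }
    sudo mount -o "$(ro_mount_options "$off")" "$1" "$2" || return 1
    # Trust but verify: the kernel must say "ro", and a write must fail.
    if ! is_mounted_ro "$2" < /proc/mounts; then
        echo "$2 is not read-only; unmounting" >&2; sudo umount "$2"; return 1
    fi
    if sudo touch "$2/.ro_probe" 2>/dev/null; then
        echo "write succeeded on $2; unmounting" >&2
        sudo rm -f "$2/.ro_probe"; sudo umount "$2"; return 1
    fi
    echo "$1 mounted read-only at $2 (offset $off)"
}

# Constructed sample inputs for offline checks (not real case data).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0020964824   0020964762   NTFS (0x07)'

SAMPLE_MOUNTS='/dev/loop0 /mnt/evidence fuseblk ro,nosuid,nodev,noexec,relatime,user_id=0 0 0
/dev/sda1 /mnt/rw ext4 rw,relatime 0 0'

# Usage: mount_image_ro /cases/evidence.dd /mnt/evidence
```

The write probe is the part that answers the "has it been tested?" question in the thread: a mount that reports ro in /proc/mounts but still accepts a touch is not one you want under evidence. An E01 or a VMDK needs an extra step (ewfmount, or a VMware/libvirt tool) to expose a raw device before this recipe applies.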