A while ago, I posted on mounting DD images, and I wanted to provide an updated list of some of the tools that you can use to do just that on a Windows systems.
When would you need to use such tools? I like to use tools such as these as in most cases, you can do your analysis whilst goin' commando (sans dongle, as it were), and in many cases, do a great deal more deep analysis than you could using one of the commercial forensic analysis suites. In most cases, it's as simple as mounting the image and using your tools, many of which are CLI and can be run via a batch file. Mounting the image gives you access to most (be cognizant of permissions issues) of the files in the file system without that system being live and without requiring a password to log into the system (as with LiveView), simply because you're not actually booting the system, you're just reading the file structure.
I won't got into any particular detail about these tools, as I want to simply provide them here as a means of identifying those that are available.
VDKWin (free) - Excellent UI for VDK.
ImDisk (free) - installs as a Control Panel applet
SMARTMount (pay) - Andy Rosen's superb mounting utility; requires a dongle, mounts raw, SMART, EWF, SAW, VMWare virtual disk format images, and detects a wide variety of file systems.
P2Explorer (free, requires registration) - Lots of cool features, mounts a variety of formats.
Captain Nemo (pay) - Mounts raw and RAID Reconstructor images from Linux, MS, and Novell systems.
Other similar tools that may be of use:
MKS Software's mount utility
MS's Virtual CD-ROM drive from XP (1, 2, 3)
Mounting ISO images on Vista/Win7
WinCDEmu - mount ISO images
For those of you doing live response, the guys over at CommandLineKungFu posted a great blog on determining information about mounted drives and shares. Some of the tools I've written and provided on the DVD that accompanies WFA 2/e implements similar functionality as the wmic commands that Ed posted, but in most cases going just a bit further.
Another solution is to use the SIFT workstation. Both free and extremely easy to use.
ReplyDeleteThe problem with many of the tools above is that they still respect the Windows security permissions. For example, with ImDisk try exploring "System Volume Information" via explorer. Will not let you into the folder even though you can see it. I have run tools against files in an IMDisk that is mounted. They failed too. Skype Parser for one.
Honestly, one of the best ways to view a disk is using F-Response. (Not free)
Also, while the capability to mount exists, how many of these provide a 100% read-only solution that has been tested?
Anyway, earlier this year, I demonstrated one of the best and free solutions to provide a read-only mount. Not the only solution, but one I use regularly in my casework.
https://blogs.sans.org/computer-forensics/2009/02/19/digital-forensic-sifting-how-to-perform-a-read-only-mount-of-evidence/
Rob,
ReplyDeleteYou're correct about the issue of permissions. You can get around this by running CLI tools in a command prompt launched via psexec -s cmd.exe or a GUI tool launched via a Scheduled Task. Another way around this...and this is what I recommend when using ripXP is to use FTK Imager to extract the RP* directories themselves (as opposed to the SVI dir and all subdirs) out of the image...
>You can get around this by
ReplyDelete>running CLI tools in a command
>prompt launched via psexec -s
>cmd.exe or a GUI tool launched
>via a Scheduled Task.
I've tried launching the command prompt as System with psexec to take ownership or change premissions of an MIP 2 mounted image (XP/Vista) on a Vista Ultimate SP2 host. No joy. I also tried to run my AV from the command prompt in conjunction with the former steps, so that I could scan the SVI tree. That didn't work, either. Maybe I was proceeding incorrectly; it's been a while, and if you have the correct syntax or steps, sharing is appreciated. I've found, however, that I've been able to edit permissions on the SVI tree using MIP 3.
I think that some folks overlook this issue when they AV scan a mounted image. If nothing else, you won't get it scanned until you gain access.
Another solution may be VMWare's free mounting application (vmware-mount)that's included with the disk developers kit. It's not a RO tool, but one needs a RW tool when working with virtualized images. Running on my Vista host, I've been able to grant permission to the local Admin on the SVI tree. VMware's native disk mounting feature has consistently failed to mount Vista VMs that I've created from images.
Jimmy,
ReplyDeleteFirst, changing anything in the mounted image (take ownership, change permissions, etc.) may be prevented by MIP (and other tools) setting the access to read-only.
As to the other issues, there may be something in the AV config, unless you're specifically getting error messages about not being able to access the SVI directory. If that's the case, I'd suggest using something like FTK Imager to extract the contents of the SVI dir from the image.
Running on my Vista host, I've been able to grant permission to the local Admin on the SVI tree.
Okay, that sort of goes along with what I was saying earlier about the tools mounting the image read-only.
Thanks, Harlan. I mentioned above that I have been able to change permissions on a mounted, RO image using MIP 3. It obviously caches the changes as the image file remains unaltered. The vmware-mount image is RW, where that functionality is okay.
ReplyDelete