These images can be converted, without damaging the original file-system, to 'dd' format and browsed like any other file system in Linux.
For the example below, I am going to use two EnCase image files, used in the M57-Jean Forensic Scenario on the Digital Corpora web site.
This guide explains how to mount an EnCase image using 'xmount' and 'dd'.
$ sudo -s
# apt-get install ewf-tools xmount
('ewf-tools' provides 'ewfinfo'; 'dd' is part of coreutils and is already installed, so it does not need to be listed as a package.)
'cd' to the directory where you have the EnCase image and use 'ewfinfo' to look at the EnCase image details.
# cd Forensic_Challenges
# ewfinfo nps-2008-jean.E01
mac [ ~/Forensic_Challenges ]$ ewfinfo nps-2008-jean.E01
ewfinfo 20100226 (libewf 20100226, libuna 20091031, libbfio 20091114, zlib 1.2.3.4, libcrypto 1.0.0, libuuid)
Acquiry information
Description: Jean's hard drive from the first M57 project
Examiner name: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 21:38:29 2011
System date: Mon Jan 31 21:38:29 2011
Operating system used: Darwin
Software version used: 20101104
Password: N/A
EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression type: best compression
GUID: 5005a83f-a4db-a14b-b645-5c55e6b2bec8
Media information
Media type: fixed disk
Is physical: no
Bytes per sector: 512
Amount of sectors: 20971520
Media size: 10 GiB (10737418240 bytes)
Digest hash information
MD5: 78a52b5bac78f4e711607707ac0e3f93
Make a note of the MD5 sum of the image (the 'MD5:' line at the end of the ewfinfo output above); it is the reference hash we will compare against later.
Create a location to mount the EnCase image. You can name this directory as you wish; I forget things easily, so I give directories obvious names.
# mkdir /mnt/temp_image_mount
It's always good to have a look at the man page for a command before randomly executing commands on your machine.
# man xmount
xmount(1) xmount xmount(1)
NAME
xmount - Tool to crossmount between multiple input and output harddisk image files
SYNOPSIS
xmount [[fopts] [mopts]] <ifile> [<ifile> [...]] <mntp>
DESCRIPTION
xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual
file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual rep‐
resentation can be in raw DD, VirtualBox's virtual disk file format, Microsoft's Virtual Hard Disk Image format or in
VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic
Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache
file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
OPTIONS
fopts: (Options specific to FUSE)
-d: Enable FUSE's and xmount's debug mode.
-h: Display this help message.
-s: Run single threaded.
-o no_allow_other: Disable automatic addition of FUSE's allow_other option.
-o <fopts>:
Specify fuse mount options. Will also disable automatic addition of FUSE's
allow_other option!
INFO: For VMDK emulation, you have to uncomment "user_allow_other" in
/etc/fuse.conf or run xmount as root.
mopts: (Options specific to xmount)
--cache <file>:
Enable virtual write support and set cachefile to use.
--in <itype>:
Specify input image type. Type can be "dd" or "ewf".
--info :
Print out some infos about used compiler and libraries.
--out <otype>:
Specify output image type. Type can be "dd", "vdi", "vhd", "vmdk(s)".
--owcache <file>:
Same as --cache but overwrites existing cache.
--rw <file>:
Same as --cache.
--version :
Same as --info.
INFO: Input and output image type defaults to "dd" if not specified.
ifile:
Input image file. If you use EWF files, you have to specify all image
segments! (If your shell supports it, you can use .E?? as file
extension to specify them files)
mntp:
Mount point where virtual files should be located.
BUGS
Hopefully none. If you find any, please e-mail to .
EXAMPLE
To xmount an EWF image from your acquired disk as a raw DD image under /mnt, use the following command:
xmount --in ewf ./acquired_disk.E?? /mnt
The EXAMPLE section of the man page shows exactly what we need. 'xmount' will present the E01 and E02 segments as a single .dd image; to pass it both segments at once we use the '??' shell glob (you must give xmount every segment of an EWF image):
# xmount --in ewf nps-2008-jean.E?? /mnt/temp_image_mount
If all worked correctly, you should have created a 'dd' combining the images:
# cd /mnt/temp_image_mount
# ls -alth
mac [ /mnt/temp_image_mount ]$ ls -alth
total 4.0K
drwxr-xr-x 5 root root 4.0K May 31 18:28 ..
drwxrwxrwx 2 root root 0 Jan 1 1970 .
-r--r--r-- 1 root root 10G Jan 1 1970 nps-2008-jean.dd
-r--r--r-- 1 root root 334 Jan 1 1970 nps-2008-jean.inf
To ensure we haven't altered the original disk image, we can do a 'md5sum' of the 'dd' image and compare it to the original md5 calculation:
# md5sum nps-2008-jean.dd
mac [ /mnt/temp_image_mount ]$ md5sum nps-2008-jean.dd
78a52b5bac78f4e711607707ac0e3f93 nps-2008-jean.dd
Compare that MD5 string to the one output by our original ewfinfo command. If they match, we have a forensically sound copy of the original image, which means we can analyse the 'dd' image without ever altering the original EnCase image.
To mount this 'dd' image we need a further bit of information and we can get this with the 'fdisk' command:
# fdisk -l nps-2008-jean.dd
mac [ /mnt/temp_image_mount ]$ sudo fdisk -l nps-2008-jean.dd
Disk nps-2008-jean.dd: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x39bf39be
Device             Boot   Start       End       Blocks     Id  System
nps-2008-jean.dd1  *      63          20948759  10474348+  7   HPFS/NTFS/exFAT
So we can see that the volume is NTFS and that it starts at sector 63. To mount it with the Linux 'mount' command we need to specify the byte offset of the partition as well as the filesystem type, and we also need a directory to mount the volume on.
# mkdir /mnt/nps-2008-jean
To calculate the offset we multiply the starting sector by the sector size (512 bytes), so in my case:
63 * 512 = 32256
# mount -t ntfs -o ro,offset=32256 nps-2008-jean.dd /mnt/nps-2008-jean/
If everything worked as it should, you should be able to open your favourite file manager, and browse to /mnt/nps-2008-jean
# caja /mnt/nps-2008-jean/
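The steps above (xmount the segments, verify the MD5, read the partition start from fdisk, multiply by the sector size, mount read-only) are easy to get wrong by hand, especially the offset arithmetic and the hash comparison. The script below is an added example and is not part of the original post or of the xmount project. It wraps the procedure into shell functions; the function names ('ewf_stored_md5', 'partition_offset', 'hashes_match', 'mount_ewf_readonly') and the mount directories are this example's own choices, it assumes 'ewf-tools', 'xmount', 'fdisk' and 'mount' are installed and that it is run as root when actually mounting, and the sample ewfinfo and fdisk lines embedded at the bottom are copied from the post's output so the parsing can be exercised without any image present.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's manual steps as
# reusable functions. Assumes ewf-tools (ewfinfo), xmount, fdisk and mount are
# installed; mounting requires root. All names below are this script's own.

SECTOR_SIZE=512

# Extract the stored MD5 from 'ewfinfo' output read on stdin.
ewf_stored_md5() {
    sed -n 's/^[[:space:]]*MD5:[[:space:]]*\([0-9a-fA-F]\{32\}\).*/\1/p' | head -n 1
}

# Byte offset of partition N (1-based) from 'fdisk -l' output read on stdin.
# fdisk prints one line per partition: "<image>N [*] START END ...". The '*'
# boot flag is optional, so the start sector is field 3 if it is present,
# otherwise field 2. Prints nothing if the partition does not exist.
partition_offset() {
    awk -v n="$1" -v ss="$SECTOR_SIZE" '
        $1 ~ ("[^0-9]" n "$") {
            start = ($2 == "*") ? $3 : $2
            print start * ss; exit
        }'
}

# Case-insensitive comparison of two hex digests; an empty stored hash never
# matches, so a missing MD5 in the image header is treated as a failure.
hashes_match() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The full procedure from the post: xmount the EWF segments as one dd image,
# verify its MD5 against the header, locate the partition and mount it read-only.
mount_ewf_readonly() {
    e01="$1"; part="${2:-1}"
    base=$(basename "$e01" .E01)
    xmnt=/mnt/temp_image_mount; fsmnt="/mnt/$base"
    mkdir -p "$xmnt" "$fsmnt"
    stored=$(ewfinfo "$e01" | ewf_stored_md5)
    # All segments must be passed; the .E?? glob expands to E01, E02, ...
    xmount --in ewf "${e01%.E01}".E?? "$xmnt" || return 1
    actual=$(md5sum "$xmnt/$base.dd" | awk '{print $1}')
    if ! hashes_match "$stored" "$actual"; then
        echo "MD5 mismatch: stored=$stored computed=$actual" >&2
        return 1
    fi
    off=$(fdisk -l "$xmnt/$base.dd" | partition_offset "$part")
    [ -n "$off" ] || { echo "partition $part not found" >&2; return 1; }
    mount -t ntfs -o ro,offset="$off" "$xmnt/$base.dd" "$fsmnt" || return 1
    echo "mounted $base partition $part (offset $off) read-only at $fsmnt"
}

# Sample lines copied from the post's ewfinfo and fdisk output, embedded here
# so the parsers can be checked without an image or the tools installed.
SAMPLE_EWFINFO='Digest hash information
MD5: 78a52b5bac78f4e711607707ac0e3f93'

SAMPLE_FDISK='Disk nps-2008-jean.dd: 10.7 GB, 10737418240 bytes
Units = sectors of 1 * 512 = 512 bytes
   Device Boot      Start         End      Blocks   Id  System
nps-2008-jean.dd1   *          63    20948759    10474348+   7  HPFS/NTFS/exFAT'

if [ "$#" -ge 1 ]; then
    # Usage: ./mount_ewf.sh /path/to/image.E01 [partition-number]
    mount_ewf_readonly "$1" "${2:-1}"
else
    echo "stored MD5 from sample: $(printf '%s\n' "$SAMPLE_EWFINFO" | ewf_stored_md5)"
    echo "partition 1 offset from sample: $(printf '%s\n' "$SAMPLE_FDISK" | partition_offset 1)"
fi
```

Run with no arguments it only exercises the parsers on the embedded sample (the offset printed is 32256, the same value the post computes by hand); run as root with the path to the .E01 file it performs the whole procedure and refuses to mount if the hash in the EWF header does not match the md5sum of the exposed dd file. Hashing a 10 GiB image takes a few minutes, which is the cost of the integrity check the post recommends.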
HTH