SANS Digital Forensics and Incident Response Blog

Digital Forensic SIFTing: How to perform a read-only mount of filesystem evidence

by Rob Lee

Over the years, there has been a clear need for some digital forensic toolsets that will accomplish basic goals. The first of those goals is creating an environment friendly to analyzing acquired file system images.

The SIFT workstation was created as a part of the SANS Computer Forensics, Investigation, and Response course, also known as SEC508. With the launch of the community website at http://forensics.sans.org, it is worth walking through the basic architecture of the SIFT Workstation and how it can be useful to you.

The blog series "SIFT'ing" will show how to use the workstation through a series of exercises. Today we will discuss how to use the SIFT workstation to mount and examine a Windows NTFS image.

The SIFT workstation should already be visible from the Windows machine you have it installed on. By default it runs in VMware HOST ONLY networking mode, but you can change that in the VMware Machine Settings.

1. Find your SIFT Workstation IP Address

Find out the IP Address of your machine by running ifconfig:

(Screenshot: ifconfig) Obtain the IP Address of your SIFT Workstation using ifconfig

2. Browse to your SIFT Workstation from Windows

(Screenshot: Start > Run dialog)

(Screenshot: SIFT shares) You can now see your shares on your SIFT Workstation

We will now mount an NTFS filesystem in read-only mode on the SIFT workstation and examine the files from our Windows machine.

3. Mount NTFS in Read-Only Mode in the SIFT Workstation

I use the notation YYYYMMDD as my case name in many cases. I usually label evidence the same way, but with the evidence tag as an additional two numbers at the end. For example, 20090204 is the case name and the first piece of evidence would be 20090204-01 for my records.

I put all evidence in the evidence locker in the /images directory. Usually, evidence I am actually analyzing will be "working copies" and not "best or original evidence." I use the /mnt/hack directory as the location where I mount my partitions.

The mount options used are:

ro = READ ONLY

loop = Use a loopback device

show_sys_files = Show the NTFS metadata files

(Screenshot: mount) Mounting your "working copy" of the evidence in read-only mode

(Screenshot: mounted filesystem) You can see the mounted image file via your Windows machine in Read-Only Mode

You can now see the mounted filesystem from Windows if you browse to \\192.168.2.2\hack\windows_mount. Because it is mounted read-only, you cannot change the data in the files. In addition, you can also see the NTFS metadata files.
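The mount step above, worked through as an added shell example (this is not the post's own script): it runs the mount with the post's three options, then reads /proc/mounts to confirm the kernel really honoured "ro", and hashes the working copy so a fresh md5sum after unmounting can prove the image was not touched. The image path /images/20090204-01.dd, the mount point /mnt/hack/windows_mount and the sample /proc/mounts lines are placeholders built from the post's naming scheme.

```shell
#!/bin/sh
# Added example, not code from the original post: mount a working copy of an
# NTFS evidence image read-only on the SIFT workstation with the options the
# post describes, confirm from /proc/mounts that the kernel honoured "ro",
# and record a hash of the image so a later md5sum can prove it is untouched.
# Assumed names: /images/20090204-01.dd and /mnt/hack/windows_mount are
# placeholders built from the post's naming scheme, not real files.

# The post's three options: ro (read-only), loop (attach the image file to a
# loop device), show_sys_files (expose $MFT, $LogFile and the other metadata
# files). With "ro" present, mount also sets the loop device up read-only.
MOUNT_OPTS="ro,loop,show_sys_files"

# Constructed sample of what /proc/mounts looks like after such a mount
# (ntfs-3g appears as fuseblk); used by self_check below.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt/hack/windows_mount fuseblk ro,relatime,user_id=0,group_id=0 0 0'

# Print the option field for a mount point; reads /proc/mounts-style lines
# from stdin (fields: device mountpoint fstype options dump pass).
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4 }'
}

# Succeed only when a comma-separated option list contains exactly "ro"
# (so "errors=remount-ro" on its own does not count).
opts_are_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Hash the working copy; compare with a fresh md5sum after unmounting.
hash_image() {
    md5sum "$1" | awk '{ print $1 }'
}

# Mount the image and refuse to continue if the result is not read-only.
mount_evidence_ro() {
    image="$1"; mountpoint="$2"
    echo "md5 of $image before mount: $(hash_image "$image")"
    mkdir -p "$mountpoint"
    mount -t ntfs -o "$MOUNT_OPTS" "$image" "$mountpoint" || return 1
    opts=$(mount_opts_for "$mountpoint" < /proc/mounts)
    if opts_are_ro "$opts"; then
        echo "mounted read-only at $mountpoint (options: $opts)"
    else
        echo "WARNING: $mountpoint is not read-only (options: $opts), unmounting" >&2
        umount "$mountpoint"
        return 1
    fi
}

# Offline self-check against the constructed sample; returns 0 when the
# parsing logic classifies both sample mounts correctly.
self_check() {
    ro_opts=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for /mnt/hack/windows_mount)
    root_opts=$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_opts_for /)
    opts_are_ro "$ro_opts" && ! opts_are_ro "$root_opts"
}

# Usage: sudo sh mount_ro.sh /images/20090204-01.dd /mnt/hack/windows_mount
# With no arguments only the offline self-check runs.
if [ "$#" -eq 2 ]; then
    mount_evidence_ro "$1" "$2"
elif [ "$#" -eq 0 ]; then
    self_check && echo "self-check passed"
fi
```

Run it as root with the image and mount point as arguments; once it reports the mount as read-only, the directory can be shared to Windows exactly as the post describes, and rerunning md5sum on the image after unmounting should give the value printed before the mount.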

(Screenshot: virus scan) Using a virus scanner is always a good first step once you have your evidence mounted in read-only mode

Many people map a network drive, such as Z:, to the mounted read-only file system so that any Windows tool can easily parse data from the mounted partition.

4. Start Analyzing Using Either Linux-Based or Windows-Based Tools

From here, one of the first steps I always recommend is to scan the read-only file system with one or two virus scanners. The screenshot above shows a virus scan running against the read-only file system.

Mounting raw images is fairly simple using the SIFT Workstation. The next time we visit mounting images, we will discuss how to mount either AFF (Advanced Forensic Format) or EWF (Expert Witness) image files. However, if you cannot wait that long, I have a webcast called "Imagine This!" that discusses the basics of handling different image formats, posted now over at http://forensics.sans.org

If you have any questions or have trouble getting this to work on your case, please email me at rlee@sans.org. Sign up for my NEW class SEC408 Computer Forensic and E-Discovery Essentials debuting at SANSFIRE 2009.

----------------------------------------

Rob Lee is a Principal Consultant for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.

9 Comments

Posted June 10, 2010 at 9:58 PM | Permalink | Reply

Michael Loftis

You can't trust Linux filesystem drivers to actually be truly RO on journalled filesystems. XFS for one always does recovery on a dirty mount. Ext3 w/ a Journal will usually too. Unless newer kernels behave better when asked to mount w/ -o ro.

Posted July 20, 2010 at 8:41 PM | Permalink | Reply

Noah Spurrier

You should operate on a copy of the filesystem. You can image a drive or partition without mounting it (in fact you shouldn't image a mounted partition). Use md5sum or some other checksum to allow later verification that the data is untouched.
In some circumstances you may want to perform forensic analysis on an unclean filesystem before and after the journal recovery. Important data may be in the journal log which may not be easy to interpret until the journal is applied. Likewise, important data may be lost if the journal is applied. So always work with image copies.
I wonder if it can be shown that converting a raw image to qcow2 format is perfectly reversible. That is, does RAW1 -> QCOW2 -> RAW2 give the same md5sum for RAW1 and RAW2? If so, then working with a qcow2 base image and snapshots will allow you to more quickly examine the filesystem in different conditions. You save the cost of making a fresh copy before each test.

Posted July 28, 2010 at 6:21 AM | Permalink | Reply

Colin

Hi Rob,
Sorry to ask, I feel like such a n00b!
I'm stuck on a Windows 7 image. The "show_sys_files" doesn't seem to work so there are missing folders when mounting the file system. I know they are there, as I have used a Windows tool to mount the file system and it shows the folder but "0 bytes" and hidden. I obviously do not want to take ownership and modify the image.
Easy fix?

Posted November 5, 2010 at 8:46 PM | Permalink | Reply

Dave Hull

Greg: This post is about how to use SIFT, the SANS Investigative Forensic Toolkit, in combination with Windows as a means of bringing both the Linux utilities that ship with SIFT and Windows forensic utilities to bear on a hard disk drive image that you've already collected as evidence.
If you're running SIFT on Windows in a VMWare Virtual Machine, you'll be able to access the evidence that you have mounted on the SIFT workstation from the Windows host OS via SMB, which is configured on SIFT out of the box.
The post assumes you've already made an image of the HDD for the system you're wanting to investigate and that you'll be mounting that image on the SIFT virtual machine.

Posted November 5, 2010 at 9:15 PM | Permalink | Reply

robtlee

I do think Greg brings up a good point though that we ought to put "prereqs" on the page to describe what you need before we begin. Thanks Greg.

Posted November 30, 2010 at 3:03 AM | Permalink | Reply

Kim Nilsson

Hello
The image of the "Mounted filesystem" is missing. There is only a blank placeholder.
/Kim

Posted November 30, 2010 at 7:28 PM | Permalink | Reply

Dave Hull

Thanks for pointing this out. We're working on a fix.

Posted January 29, 2013 at 9:26 AM | Permalink | Reply

nader

I have an image of unallocated space. How can I mount it from an external hard disk, since I have it as a dd image?

Posted February 20, 2013 at 11:11 PM | Permalink | Reply

B!n@ry

Hello,
Just want to note that if you're using SIFT within Virtualbox (maybe vmware too), and you insert a USB, it will be automounted by default. Checked using the sansforensics user.
A quick fix:
gconftool-2 --type bool --set /apps/nautilus/preferences/media_automount false
gconftool-2 --type bool --set /apps/nautilus/preferences/media_automount_open false
gconftool-2 --type bool --set /apps/nautilus/preferences/media_automount_never false
Now we can mount the drive as mentioned in this post.
regards,