A place where evidence handling shines on Linux is the ability to safely mount full disk images using loopback devices. This post will explain how to simply mount the different partitions within a read-only image and then access different Virtual Shadow Copies (VSS) for NTFS partitions.
Test case: A 120GB full disk image
Over the course of a forensic analysis we found a 120GB raw image of a full disk. The file command states that it contains three partitions:
$ file image.raw
image.raw: DOS/MBR boot sector MS-MBR Vista english at offset 0x162 "Invalid partition table" at offset 0x17a "Error loading operating system" at offset 0x199 "Missing operating system", disk signature 0x19f8f2fb; partition 1 : ID=0xde, start-CHS (0x0,1,1), end-CHS (0x4,254,63), startsector 63, 80262 sectors; partition 2 : ID=0x7, active, start-CHS (0x5,0,1), end-CHS (0x64,254,63), startsector 80325, 1542240 sectors; partition 3 : ID=0x7, start-CHS (0x65,0,1), end-CHS (0x3ff,254,63), startsector 1622565, 248445225 sectors
On Linux we can run fdisk directly on the image with the -l option to list the partition table and verify this.
root@autopsy:/Evidence# fdisk -l image.raw
Disk image.raw: 120 GiB, 128849018880 bytes, 251658240 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x19f8f2fb
Device Boot Start End Sectors Size Id Type
image.raw1 63 80324 80262 39.2M de Dell Utility
image.raw2 * 80325 1622564 1542240 753M 7 HPFS/NTFS/exFAT
image.raw3 1622565 250067789 248445225 118.5G 7 HPFS/NTFS/exFAT
This is a typical Dell laptop drive image with three partitions: Dell Utility (with type de), Dell recovery and the user partition. So far so good.
Let's make sure the image file itself is read-only before we touch it.
root@autopsy:/Evidence# chmod 400 image.raw
root@autopsy:/Evidence# ls -ltr
total 125829156
-r-------- 1 root root 128849018880 Feb 4 06:18 image.raw
We will use kpartx to create maps from the different partitions (https://www.systutorials.com/docs/linux/man/8-kpartx/).
root@autopsy:/Evidence# kpartx -v -a image.raw
add map loop0p1 (253:0): 0 80262 linear 7:0 63
add map loop0p2 (253:1): 0 1542240 linear 7:0 80325
add map loop0p3 (253:2): 0 248445225 linear 7:0 1622565
With that we can easily mount the partitions read-only.
root@autopsy:/Evidence# mkdir p1 p2 p3
root@autopsy:/Evidence# mount /dev/mapper/loop0p1 /Evidence/p1 -o ro
root@autopsy:/Evidence# mount /dev/mapper/loop0p2 /Evidence/p2 -o ro
root@autopsy:/Evidence# mount /dev/mapper/loop0p3 /Evidence/p3 -o ro
And the mount command will confirm that the partitions are mounted read-only:
/dev/mapper/loop0p1 on /disk/Evidence/p1 type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/mapper/loop0p2 on /disk/Evidence/p2 type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
/dev/mapper/loop0p3 on /disk/Evidence/p3 type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
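As an added example that is not part of the original post, here is a small POSIX shell helper that reaches the same read-only mounts without kpartx, by turning the start sector and sector count from fdisk -l into the offset= and sizelimit= options of a loop mount. The names mount_cmds and sample_cmds are my own, the sample table is copied from the fdisk output above, and the helper only prints the commands so they can be reviewed before anything is attached to the evidence image.

```shell
#!/bin/sh
# Added example (not from the original post): derive read-only loop mounts
# with explicit byte offsets from an "fdisk -l" partition table, as an
# alternative to kpartx. Helper names are hypothetical; image.raw is assumed.
set -eu

# Constructed sample, copied from the fdisk -l output for image.raw above.
SAMPLE_TABLE='Units: sectors of 1 * 512 = 512 bytes
Device Boot Start End Sectors Size Id Type
image.raw1 63 80324 80262 39.2M de Dell Utility
image.raw2 * 80325 1622564 1542240 753M 7 HPFS/NTFS/exFAT
image.raw3 1622565 250067789 248445225 118.5G 7 HPFS/NTFS/exFAT'

# mount_cmds IMAGE MOUNTROOT < fdisk-output
# Prints one mount command per partition: offset= and sizelimit= confine the
# loop device to exactly that partition, ro keeps the evidence unmodified.
mount_cmds() {
    img=$1; root=$2
    awk -v img="$img" -v root="$root" '
        /^Units:/ { sector = $(NF-1); next }     # "... = 512 bytes"
        /^Device/ { intable = 1; next }           # table header
        intable && NF >= 6 {
            n = $1; sub("^" img, "", n)           # partition number suffix
            start = ($2 == "*") ? $3 : $2         # skip the Boot flag column
            count = ($2 == "*") ? $5 : $4
            printf "mount -o ro,loop,offset=%.0f,sizelimit=%.0f %s %s/p%s\n",
                   start * sector, count * sector, img, root, n
        }'
}

# Convenience wrapper for the sample above; returns the generated commands.
sample_cmds() { printf '%s\n' "$SAMPLE_TABLE" | mount_cmds image.raw /Evidence; }
```

Pipe a real fdisk -l listing into mount_cmds and review the lines before running them as root.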
This is the Dell Utility partition.
root@autopsy:/Evidence/p1# ls -ltr
total 116
-r-xr-xr-x 1 root root 23856 Aug 13 2008 DELLBIO.BIN
-r-xr-xr-x 1 root root 30978 Aug 13 2008 DELLRMK.BIN
-rwxr-xr-x 1 root root 57389 Aug 13 2008 COMMAND.COM
-rwxr-xr-x 1 root root 7 Nov 25 2011 oobedone.flg
The Dell Recovery partition:
root@autopsy:/Evidence/p2# ls -ltr
total 396
drwxrwxrwx 1 root root 0 Nov 8 2011 recovery
drwxrwxrwx 1 root root 0 Nov 9 2011 System Volume Information
-rwxrwxrwx 1 root root 399860 Mar 23 2016 bootmgr
drwxrwxrwx 1 root root 4096 Oct 18 2016 Boot
And the user partition, which is an NTFS drive on Windows 7 (in this particular case).
root@autopsy:/Evidence/p3# ls -ltr
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/p3/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
drwxrwxrwx 1 root root 0 May 22 2013 Infor
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 16384 Jan 30 07:32 System Volume Information
-rwxrwxrwx 1 root root 2548744192 Jan 30 15:08 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 30 15:08 pagefile.sys
drwxrwxrwx 1 root root 4096 Jan 30 15:08 $RECYCLE.BIN
drwxrwxrwx 1 root root 24576 Jan 30 15:35 Program Files
drwxrwxrwx 1 root root 12288 Jan 30 15:35 ProgramData
drwxrwxrwx 1 root root 32768 Jan 30 15:36 Windows
Shadow Copies
The shadow copy feature of NTFS allows for consistent backups using snapshots (normally via copy-on-write); more on https://technet.microsoft.com/en-us/library/cc785914(v=ws.10).aspx
On Linux they can be accessed using libvshadow (https://github.com/libyal/libvshadow/) by Joachim Metz. The libyal project contains lots of useful tools and libraries for Windows forensics (https://github.com/libyal/libyal/wiki/Overview).
To install libvshadow, just clone the repository (git clone https://github.com/libyal/libvshadow.git), enter the libvshadow directory and then run:
./synclibs.sh   (downloads the other libyal libraries required to compile libvshadow)
./autogen.sh
./configure
make
make install
This compiles and installs three tools: vshadowinfo, vshadowdebug and vshadowmount.
Running vshadowinfo on the mapped NTFS partition (/dev/mapper/loop0p3) lists the snapshots kept on the volume. In our case we have 4 snapshots available.
root@autopsy:/Evidence# vshadowinfo /dev/mapper/loop0p3
vshadowinfo 20180131
Volume Shadow Snapshot information:
Number of stores: 4
Store: 1
    Identifier          : d83ccf3a-02b5-11e8-8413-60d819fb220c
    Shadow copy set ID  : 0ccc573e-1a94-4a3f-8b73-09cff8e017f6
    Creation time       : Jan 26, 2018 16:59:26.506167100 UTC
    Shadow copy ID      : 9346a26c-bcf5-460a-a7c6-103eff95c229
    Volume size         : 118 GiB (127200657408 bytes)
    Attribute flags     : 0x0042000d
Store: 2
    Identifier          : 283ab1ff-04bf-11e8-847d-60d819fb220c
    Shadow copy set ID  : 2a58414c-73d1-4fa6-88ba-3159e436c8ff
    Creation time       : Jan 29, 2018 06:41:50.850075800 UTC
    Shadow copy ID      : 2dba8318-cd74-4db7-8c1c-b73c898e607f
    Volume size         : 118 GiB (127200657408 bytes)
    Attribute flags     : 0x00420000
Store: 3
    Identifier          : b16b4e23-0586-11e8-b294-028037ec0200
    Shadow copy set ID  : 30c54d23-d2d5-47d7-a573-245bc9e1dc25
    Creation time       : Jan 30, 2018 07:20:12.685589000 UTC
    Shadow copy ID      : 59c30233-c180-4a0b-9485-4e1da4c572f3
    Volume size         : 118 GiB (127200657408 bytes)
    Attribute flags     : 0x00420000
Store: 4
    Identifier          : b16b4e50-0586-11e8-b294-028037ec0200
    Shadow copy set ID  : a043dd79-367b-47c3-b80d-e6c8de2290a9
    Creation time       : Jan 30, 2018 07:32:19.055387400 UTC
    Shadow copy ID      : f6be21a9-5e94-4855-9571-a87ec70a50f9
    Volume size         : 118 GiB (127200657408 bytes)
    Attribute flags     : 0x00420000
Now the aim is to mount all these 4 snapshots simultaneously.
First we use vshadowmount to expose the VSS stores in a directory; this gives us all available snapshots as separate image files.
root@autopsy:/Evidence# mkdir vssvolume
root@autopsy:/Evidence# vshadowmount /dev/mapper/loop0p3 /Evidence/vssvolume/
vshadowmount 20180131
root@autopsy:/Evidence# ls -ltr vssvolume/
total 0
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss4
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss3
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss2
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss1
These are all NTFS filesystem images:
root@autopsy:/Evidence/vssvolume# file *
vss1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
vss2: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
vss3: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
vss4: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
And they can all be mounted or ingested into Autopsy directly.
root@autopsy:/Evidence# mkdir vsslogical
root@autopsy:/Evidence# cd vsslogical/
root@autopsy:/Evidence/vsslogical# mkdir vss1 vss2 vss3 vss4
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss1 /Evidence/vsslogical/vss1
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss2 /Evidence/vsslogical/vss2
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss3 /Evidence/vsslogical/vss3
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss4 /Evidence/vsslogical/vss4
Listing the mounts (here via df) confirms that the distinct snapshots are mounted, each on its own loop device, and that their usage figures differ:
/dev/loop1 124219388 107950748 16268640 87% /disk/Evidence/vsslogical/vss1
/dev/loop2 124219388 116865736 7353652 95% /disk/Evidence/vsslogical/vss2
/dev/loop3 124219388 116821364 7398024 95% /disk/Evidence/vsslogical/vss3
/dev/loop4 124219388 109264268 14955120 88% /disk/Evidence/vsslogical/vss4
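A second added example, again not from the original post: the vssN files exposed by vshadowmount all carry a 1970 timestamp, so this helper pairs each store with its creation time from vshadowinfo and emits read-only mount commands whose mount point names carry that time. The names vss_mount_cmds and sample_vss_cmds are my own, and the sample input is a constructed, shortened copy of the vshadowinfo output above.

```shell
#!/bin/sh
# Added example (not from the original post): name each mounted snapshot by
# its creation time taken from vshadowinfo, so the analyst can tell which
# snapshot is which once the vssN files are mounted. Helper names are mine.
set -eu

# Constructed sample, abbreviated from the vshadowinfo output above.
SAMPLE_INFO='Volume Shadow Snapshot information:
Number of stores: 2
Store: 1
    Identifier          : d83ccf3a-02b5-11e8-8413-60d819fb220c
    Creation time       : Jan 26, 2018 16:59:26.506167100 UTC
Store: 2
    Identifier          : 283ab1ff-04bf-11e8-847d-60d819fb220c
    Creation time       : Jan 29, 2018 06:41:50.850075800 UTC'

# vss_mount_cmds VSSDIR MOUNTROOT < vshadowinfo-output
# Emits a mkdir and a read-only mount command per store; the mount point
# name embeds the store number and creation time as YYYYMMDD_HHMMSS.
vss_mount_cmds() {
    vssdir=$1; root=$2
    awk -v vssdir="$vssdir" -v root="$root" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = sprintf("%02d", i) }
        /^[ \t]*Store:/ { store = $NF }
        /Creation time/ {
            # fields: Creation time : Jan 26, 2018 16:59:26.506167100 UTC
            day = $5; sub(",", "", day)
            hms = $7; sub(/\..*/, "", hms); gsub(/:/, "", hms)
            name = sprintf("vss%s_%s%s%02d_%s", store, $6, mon[$4], day, hms)
            printf "mkdir -p %s/%s\n", root, name
            printf "mount -o ro %s/vss%s %s/%s\n", vssdir, store, root, name
        }'
}

# Convenience wrapper for the sample above; returns the generated commands.
sample_vss_cmds() {
    printf '%s\n' "$SAMPLE_INFO" | vss_mount_cmds /Evidence/vssvolume /Evidence/vsslogical
}
```

Feed it the real output with vshadowinfo /dev/mapper/loop0p3 | vss_mount_cmds /Evidence/vssvolume /Evidence/vsslogical and review the lines before executing them.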
We can confirm that the snapshots are indeed different and that the different datasets are available for investigations:
root@autopsy:/Evidence/vsslogical# ls -ltr vss1
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/vsslogical/vss1/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 4096 Oct 10 11:04 $RECYCLE.BIN
drwxrwxrwx 1 root root 12288 Nov 27 12:02 ProgramData
drwxrwxrwx 1 root root 24576 Nov 27 12:06 Program Files
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 32768 Jan 21 08:05 Windows
-rwxrwxrwx 1 root root 2548744192 Jan 26 16:27 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 26 16:27 pagefile.sys
drwxrwxrwx 1 root root 16384 Jan 26 16:59 System Volume Information
root@autopsy:/Evidence/vsslogical# ls -ltr vss4
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/vsslogical/vss4/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 4096 Oct 10 11:04 $RECYCLE.BIN
drwxrwxrwx 1 root root 12288 Nov 27 12:02 ProgramData
drwxrwxrwx 1 root root 24576 Nov 27 12:06 Program Files
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 32768 Jan 29 09:28 Windows
-rwxrwxrwx 1 root root 2548744192 Jan 30 06:27 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 30 06:27 pagefile.sys
drwxrwxrwx 1 root root 16384 Jan 30 07:32 System Volume Information