One place where evidence handling shines on Linux is the ability to safely mount full disk images using loopback devices. This post explains how to mount the different partitions within a read-only image and then access the Volume Shadow Copies (VSS) kept on its NTFS partitions.

Test case: A 120GB full disk image

Over the course of a forensic analysis we found a 120GB raw image of a full disk. The file command reports that it contains three partitions:

$ file image.raw
image.raw: DOS/MBR boot sector MS-MBR Vista english at offset 0x162 "Invalid partition table" at offset 0x17a "Error loading operating system" at offset 0x199 "Missing operating system", disk signature 0x19f8f2fb; 
partition 1 : ID=0xde, start-CHS (0x0,1,1), end-CHS (0x4,254,63), startsector 63, 80262 sectors; 
partition 2 : ID=0x7, active, start-CHS (0x5,0,1), end-CHS (0x64,254,63), startsector 80325, 1542240 sectors; 
partition 3 : ID=0x7, start-CHS (0x65,0,1), end-CHS (0x3ff,254,63), startsector 1622565, 248445225 sectors

On Linux we can run fdisk directly on the image with the "-l" option to list the partition table and verify this:

root@autopsy:/Evidence# fdisk -l image.raw
Disk image.raw: 120 GiB, 128849018880 bytes, 251658240 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x19f8f2fb
Device Boot Start End Sectors Size Id Type
image.raw1 63 80324 80262 39.2M de Dell Utility
image.raw2 * 80325 1622564 1542240 753M 7 HPFS/NTFS/exFAT
image.raw3 1622565 250067789 248445225 118.5G 7 HPFS/NTFS/exFAT


This is a typical Dell laptop drive image with three partitions: the Dell Utility partition (type de), the Dell recovery partition and the user partition. So far so good.

Let's first make sure the image file itself is read-only.

root@autopsy:/Evidence# chmod 400 image.raw 
root@autopsy:/Evidence# ls -ltr
total 125829156
-r-------- 1 root root 128849018880 Feb 4 06:18 image.raw

We will use kpartx to create device maps for the different partitions (https://www.systutorials.com/docs/linux/man/8-kpartx/).

root@autopsy:/Evidence# kpartx -v -a image.raw 
add map loop0p1 (253:0): 0 80262 linear 7:0 63
add map loop0p2 (253:1): 0 1542240 linear 7:0 80325
add map loop0p3 (253:2): 0 248445225 linear 7:0 1622565

With those maps in place we can mount the partitions read-only:

root@autopsy:/Evidence# mkdir p1 p2 p3

root@autopsy:/Evidence# mount /dev/mapper/loop0p1 /Evidence/p1 -o ro
root@autopsy:/Evidence# mount /dev/mapper/loop0p2 /Evidence/p2 -o ro
root@autopsy:/Evidence# mount /dev/mapper/loop0p3 /Evidence/p3 -o ro

And the mount command confirms that the partitions are mounted read-only:

/dev/mapper/loop0p1 on /disk/Evidence/p1 type vfat (ro,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
/dev/mapper/loop0p2 on /disk/Evidence/p2 type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
/dev/mapper/loop0p3 on /disk/Evidence/p3 type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
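The same result can be reached without kpartx by letting mount attach the image on a loop device at the byte offset of each partition. The script below is an added example (not code from the original post): it turns the "fdisk -l" table into offsets, mounts each partition read-only with a sizelimit so no mount can read past its own partition, and then checks the real mount table instead of trusting the options that were requested. That last step matters because root is not bound by the 0400 mode set on the file; the read-only guarantee has to come from the mount and loop options. It assumes 512-byte sectors (fdisk prints the unit) and a raw dd-style image; the sample tables are copied from the fdisk and mount listings above, and the mount_image_partitions helper needs root.

```shell
#!/bin/sh
# Added example, not code from the original post: mount each partition of a
# raw disk image read-only by byte offset computed from the "fdisk -l" table,
# as an alternative to the kpartx maps. Assumes 512-byte sectors and a raw
# (dd-style) image. mount_image_partitions needs root; the parsing and
# checking helpers are pure shell/awk and run anywhere.
set -u

SECTOR_SIZE=512

# Byte offset (or byte length) of a partition from a sector number (or count).
sectors_to_bytes() {
    echo $(( $1 * SECTOR_SIZE ))
}

# Turn "fdisk -l" output into "device start sectors" rows. The boot flag "*"
# is an optional column, so the field positions shift by one when present.
parse_fdisk_table() {
    awk '$1 ~ /[0-9]$/ && NF >= 4 {
        if ($2 == "*") { start = $3; count = $5 } else { start = $2; count = $4 }
        if (start ~ /^[0-9]+$/ && count ~ /^[0-9]+$/) print $1, start, count
    }'
}

# Read "mount" output on stdin; succeed only if MOUNTPOINT ($1) is mounted
# and every entry for it carries the ro option.
mount_is_ro() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp { n++; if ($6 ~ /[(,]ro[,)]/) ro++ }
        END { if (n > 0 && ro == n) exit 0; exit 1 }'
}

# Mount every partition of IMAGE ($1) under ROOT/pN ($2) read-only, then
# verify each mount from the live mount table rather than assuming success.
mount_image_partitions() {
    image=$1; root=$2
    fdisk -l "$image" | parse_fdisk_table | while read -r dev start count; do
        n=${dev##*[!0-9]}                       # trailing partition number
        mp="$root/p$n"
        mkdir -p "$mp"
        opts="ro,loop,offset=$(sectors_to_bytes "$start"),sizelimit=$(sectors_to_bytes "$count"),noexec,nodev"
        if mount -o "$opts" "$image" "$mp" < /dev/null; then
            mount | mount_is_ro "$mp" && echo "$mp: mounted read-only" \
                || echo "$mp: WARNING mounted but not read-only" >&2
        else
            echo "$mp: not mounted (no filesystem driver or unsupported type)" >&2
        fi
    done
}

# Sample inputs copied from the fdisk and mount listings in the post, used to
# exercise the parsers without touching any device.
SAMPLE_FDISK='Disk image.raw: 120 GiB, 128849018880 bytes, 251658240 sectors
Units: sectors of 1 * 512 = 512 bytes
Disklabel type: dos
Device Boot Start End Sectors Size Id Type
image.raw1 63 80324 80262 39.2M de Dell Utility
image.raw2 * 80325 1622564 1542240 753M 7 HPFS/NTFS/exFAT
image.raw3 1622565 250067789 248445225 118.5G 7 HPFS/NTFS/exFAT'

SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
/dev/mapper/loop0p1 on /disk/Evidence/p1 type vfat (ro,relatime,fmask=0022,dmask=0022)
/dev/mapper/loop0p3 on /disk/Evidence/p3 type fuseblk (ro,relatime,user_id=0,group_id=0,allow_other,blksize=4096)'

# Usage (as root): sh mount_parts.sh image.raw /Evidence
if [ "$#" -eq 2 ]; then
    mount_image_partitions "$1" "$2"
fi
```

If you prefer to stay with kpartx, its -r flag creates the partition maps read-only at the device-mapper level, which gives the same protection one layer lower than the mount option; the mount_is_ro check works unchanged in either setup.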


This is the Dell Utility partition:

root@autopsy:/Evidence/p1# ls -ltr
total 116
-r-xr-xr-x 1 root root 23856 Aug 13 2008 DELLBIO.BIN
-r-xr-xr-x 1 root root 30978 Aug 13 2008 DELLRMK.BIN
-rwxr-xr-x 1 root root 57389 Aug 13 2008 COMMAND.COM
-rwxr-xr-x 1 root root 7 Nov 25 2011 oobedone.flg


The Dell recovery partition:

root@autopsy:/Evidence/p2# ls -ltr
total 396
drwxrwxrwx 1 root root 0 Nov 8 2011 recovery
drwxrwxrwx 1 root root 0 Nov 9 2011 System Volume Information
-rwxrwxrwx 1 root root 399860 Mar 23 2016 bootmgr
drwxrwxrwx 1 root root 4096 Oct 18 2016 Boot


And the user partition, which in this particular case is an NTFS volume from a Windows 7 system:

root@autopsy:/Evidence/p3# ls -ltr
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/p3/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
drwxrwxrwx 1 root root 0 May 22 2013 Infor
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 16384 Jan 30 07:32 System Volume Information
-rwxrwxrwx 1 root root 2548744192 Jan 30 15:08 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 30 15:08 pagefile.sys
drwxrwxrwx 1 root root 4096 Jan 30 15:08 $RECYCLE.BIN
drwxrwxrwx 1 root root 24576 Jan 30 15:35 Program Files
drwxrwxrwx 1 root root 12288 Jan 30 15:35 ProgramData
drwxrwxrwx 1 root root 32768 Jan 30 15:36 Windows


Shadow Copies

The shadow copy feature of NTFS volumes allows for consistent backups using snapshots (normally via copy-on-write); more on https://technet.microsoft.com/en-us/library/cc785914(v=ws.10).aspx

On Linux they can be accessed using libvshadow (https://github.com/libyal/libvshadow/) by Joachim Metz. The libyal project contains many useful tools and libraries for Windows forensics (https://github.com/libyal/libyal/wiki/Overview).

To install libvshadow, clone the repository (git clone https://github.com/libyal/libvshadow.git), enter the libvshadow directory and then run:

./synclibs.sh (to download other libyal libraries required to compile vshadow)
./autogen.sh 
./configure
make
make install

This compiles and installs three tools: vshadowinfo, vshadowdebug and vshadowmount.

Running vshadowinfo on the mapped NTFS partition (/dev/mapper/loop0p3) gives the list of snapshots kept on the volume. In our case there are 4 snapshots available:

root@autopsy:/Evidence# vshadowinfo /dev/mapper/loop0p3 
vshadowinfo 20180131

Volume Shadow Snapshot information:
 Number of stores: 4

Store: 1
 Identifier : d83ccf3a-02b5-11e8-8413-60d819fb220c
 Shadow copy set ID : 0ccc573e-1a94-4a3f-8b73-09cff8e017f6
 Creation time : Jan 26, 2018 16:59:26.506167100 UTC
 Shadow copy ID : 9346a26c-bcf5-460a-a7c6-103eff95c229
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x0042000d

Store: 2
 Identifier : 283ab1ff-04bf-11e8-847d-60d819fb220c
 Shadow copy set ID : 2a58414c-73d1-4fa6-88ba-3159e436c8ff
 Creation time : Jan 29, 2018 06:41:50.850075800 UTC
 Shadow copy ID : 2dba8318-cd74-4db7-8c1c-b73c898e607f
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x00420000

Store: 3
 Identifier : b16b4e23-0586-11e8-b294-028037ec0200
 Shadow copy set ID : 30c54d23-d2d5-47d7-a573-245bc9e1dc25
 Creation time : Jan 30, 2018 07:20:12.685589000 UTC
 Shadow copy ID : 59c30233-c180-4a0b-9485-4e1da4c572f3
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x00420000

Store: 4
 Identifier : b16b4e50-0586-11e8-b294-028037ec0200
 Shadow copy set ID : a043dd79-367b-47c3-b80d-e6c8de2290a9
 Creation time : Jan 30, 2018 07:32:19.055387400 UTC
 Shadow copy ID : f6be21a9-5e94-4855-9571-a87ec70a50f9
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x00420000


Now the aim is to mount all 4 snapshots simultaneously.

First we expose the VSS snapshots through a directory: vshadowmount presents every available snapshot as a separate raw image file.

root@autopsy:/Evidence# mkdir vssvolume
root@autopsy:/Evidence# vshadowmount /dev/mapper/loop0p3 /Evidence/vssvolume/
vshadowmount 20180131

root@autopsy:/Evidence# ls -ltr vssvolume/
total 0
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss4
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss3
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss2
-r--r--r-- 1 root root 127200657408 Jan 1 1970 vss1


These are all NTFS filesystem images:

root@autopsy:/Evidence/vssvolume# file *
 vss1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
 vss2: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
 vss3: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR
 vss4: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 1622016, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 248438783, $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 036644f70644f31c3; contains Microsoft Windows XP/VISTA bootloader BOOTMGR


And they can all be mounted, or ingested into Autopsy directly:

root@autopsy:/Evidence# mkdir vsslogical

root@autopsy:/Evidence# cd vsslogical/
root@autopsy:/Evidence/vsslogical# mkdir vss1 vss2 vss3 vss4

root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss1 /Evidence/vsslogical/vss1
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss2 /Evidence/vsslogical/vss2
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss3 /Evidence/vsslogical/vss3
root@autopsy:/Evidence/vsslogical# mount -o ro /Evidence/vssvolume/vss4 /Evidence/vsslogical/vss4

Running df confirms that the four snapshots are mounted as distinct filesystems (note the differing usage figures):

/dev/loop1 124219388 107950748 16268640 87% /disk/Evidence/vsslogical/vss1
/dev/loop2 124219388 116865736 7353652 95% /disk/Evidence/vsslogical/vss2
/dev/loop3 124219388 116821364 7398024 95% /disk/Evidence/vsslogical/vss3
/dev/loop4 124219388 109264268 14955120 88% /disk/Evidence/vsslogical/vss4
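The manual sequence above (vshadowmount, one mount per vssN, and eventually the reverse) is easy to script, and it helps to label each mount point with the snapshot it holds rather than just a number. The script below is an added example, not code from the original post or from libvshadow: it parses the vshadowinfo listing into "vssN identifier creation-time" rows, mounts every exposed image read-only, prints which snapshot date each mount point corresponds to, and tears everything down in reverse order (umount, fusermount -u, kpartx -d). It assumes vshadowmount names the images vss1..vssN in the same order as the stores vshadowinfo lists them (store 1 is vss1), which is how the listings above line up; the sample vshadowinfo output is copied from the listing above, abridged to two stores. Mounting and teardown need root; the parsers are pure awk.

```shell
#!/bin/sh
# Added example, not code from the original post or from libvshadow: map the
# vssN images exposed by vshadowmount to their store metadata, mount all of
# them read-only, and tear everything down in reverse order. Assumes store N
# in vshadowinfo corresponds to vssN in the vshadowmount directory.
set -u

# Number of stores from vshadowinfo output on stdin.
vss_store_count() {
    awk -F': ' '/Number of stores/ { print $2 + 0 }'
}

# Turn vshadowinfo output on stdin into "vssN identifier creation-time" rows,
# so each mount point can be labelled with the snapshot it holds.
parse_vshadowinfo() {
    awk -F' : ' '
        /^Store: /            { store = $0; sub(/^Store: /, "", store) }
        /^ *Identifier : /    { id = $2 }
        /^ *Creation time : / { print "vss" store, id, $2 }
    '
}

# Expose the snapshots of DEVICE ($1) in VSSDIR ($2) with vshadowmount, then
# mount each vssN image read-only under LOGICAL ($3)/vssN and report the
# snapshot date behind every mount point.
mount_all_vss() {
    device=$1; vssdir=$2; logical=$3
    mkdir -p "$vssdir" "$logical"
    vshadowmount "$device" "$vssdir"
    vshadowinfo "$device" | parse_vshadowinfo | while read -r name id when; do
        img="$vssdir/$name"
        [ -f "$img" ] || { echo "$name: not exposed by vshadowmount" >&2; continue; }
        mkdir -p "$logical/$name"
        if mount -o ro,loop,noexec,nodev "$img" "$logical/$name" < /dev/null; then
            echo "$logical/$name  <-  snapshot $id created $when"
        else
            echo "$name: mount failed" >&2
        fi
    done
}

# Undo in reverse: unmount the snapshot filesystems, release the vshadow FUSE
# mount, then remove the kpartx maps of IMAGE ($3), which frees its loop device.
teardown_vss() {
    logical=$1; vssdir=$2; image=$3
    for mp in "$logical"/vss*; do
        [ -d "$mp" ] && umount "$mp"
    done
    fusermount -u "$vssdir"
    kpartx -d "$image"
}

# Sample vshadowinfo output copied from the post (abridged to two stores),
# used to exercise the parsers without a device.
SAMPLE_VSHADOWINFO='vshadowinfo 20180131

Volume Shadow Snapshot information:
 Number of stores: 2

Store: 1
 Identifier : d83ccf3a-02b5-11e8-8413-60d819fb220c
 Shadow copy set ID : 0ccc573e-1a94-4a3f-8b73-09cff8e017f6
 Creation time : Jan 26, 2018 16:59:26.506167100 UTC
 Shadow copy ID : 9346a26c-bcf5-460a-a7c6-103eff95c229
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x0042000d

Store: 2
 Identifier : 283ab1ff-04bf-11e8-847d-60d819fb220c
 Shadow copy set ID : 2a58414c-73d1-4fa6-88ba-3159e436c8ff
 Creation time : Jan 29, 2018 06:41:50.850075800 UTC
 Shadow copy ID : 2dba8318-cd74-4db7-8c1c-b73c898e607f
 Volume size : 118 GiB (127200657408 bytes)
 Attribute flags : 0x00420000'

# Usage (as root):
#   sh vss_mount.sh mount /dev/mapper/loop0p3 /Evidence/vssvolume /Evidence/vsslogical
#   sh vss_mount.sh teardown /Evidence/vsslogical /Evidence/vssvolume image.raw
if [ "$#" -eq 4 ] && [ "$1" = mount ]; then
    mount_all_vss "$2" "$3" "$4"
elif [ "$#" -eq 4 ] && [ "$1" = teardown ]; then
    teardown_vss "$2" "$3" "$4"
fi
```

Keeping the creation time next to each mount point is what lets you pick the right snapshot quickly during triage, for instance the newest one before a suspected change; the df output above shows the four snapshots differ in usage but says nothing about when each was taken.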

We can confirm that the snapshots are indeed different (compare the timestamps of Windows, hiberfil.sys, pagefile.sys and System Volume Information between vss1 and vss4) and that the different datasets are available for investigation:

root@autopsy:/Evidence/vsslogical# ls -ltr vss1
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/vsslogical/vss1/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 4096 Oct 10 11:04 $RECYCLE.BIN
drwxrwxrwx 1 root root 12288 Nov 27 12:02 ProgramData
drwxrwxrwx 1 root root 24576 Nov 27 12:06 Program Files
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 32768 Jan 21 08:05 Windows
-rwxrwxrwx 1 root root 2548744192 Jan 26 16:27 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 26 16:27 pagefile.sys
drwxrwxrwx 1 root root 16384 Jan 26 16:59 System Volume Information


root@autopsy:/Evidence/vsslogical# ls -ltr vss4
total 5809701
-rwxrwxrwx 1 root root 348160 Feb 21 2003 msvcr71.dll
-rwxrwxrwx 1 root root 499712 Mar 18 2003 msvcp71.dll
-rwxrwxrwx 1 root root 10 Jun 10 2009 config.sys
-rwxrwxrwx 1 root root 24 Jun 10 2009 autoexec.bat
drwxrwxrwx 1 root root 0 Jul 14 2009 PerfLogs
lrwxrwxrwx 2 root root 60 Jul 14 2009 Documents and Settings -> /disk/Evidence/vsslogical/vss4/Users
drwxrwxrwx 1 root root 0 Nov 8 2011 Intel
drwxrwxrwx 1 root root 0 Nov 8 2011 Apps
drwxrwxrwx 1 root root 4096 Nov 9 2011 Drivers
-rwxrwxrwx 1 root root 33595 Nov 9 2011 dell.sdr
drwxrwxrwx 1 root root 0 May 22 2013 Media
-rwxrwxrwx 2 root root 0 May 26 2013 AdobeDebug.txt
drwxrwxrwx 1 root root 0 Dec 21 2013 My Music
drwxrwxrwx 1 root root 8192 Oct 22 2014 dell
-rwxrwxrwx 2 root root 1117 Oct 23 2014 WirelessDiagLog.csv
drwxrwxrwx 1 root root 4096 May 27 2016 TEMP
drwxrwxrwx 1 root root 4096 May 15 2017 Users
drwxrwxrwx 1 root root 4096 Oct 10 11:04 $RECYCLE.BIN
drwxrwxrwx 1 root root 12288 Nov 27 12:02 ProgramData
drwxrwxrwx 1 root root 24576 Nov 27 12:06 Program Files
drwxrwxrwx 1 root root 1048576 Jan 21 08:05 Config.Msi
drwxrwxrwx 1 root root 32768 Jan 29 09:28 Windows
-rwxrwxrwx 1 root root 2548744192 Jan 30 06:27 hiberfil.sys
-rwxrwxrwx 1 root root 3398328320 Jan 30 06:27 pagefile.sys
drwxrwxrwx 1 root root 16384 Jan 30 07:32 System Volume Information
