So I know there is plenty of documentation out there, but it always seems I run into exceptions where these things never work 100% like they are supposed to. Hence I figure, why not throw one more HOWTO into the mix, so if someone encounters the same issues they do not have to fret.
E01 files--
So the SANS blog covers this pretty well, so I feel no need to expound on it too much. Here are my suggestions:
- Switch to root right away and save the heartache
- When using the mount command to mount an NTFS volume, set the type as ntfs-3g
- I noticed SIFT 2.1 does not have ewfmount; has a better backup tool been installed in its place?
VMDK files--
So I had been pointed to a post on Digensics, but I had problems starting with mmls. I first discovered I had to add the '-i aff' parameter to get mmls to determine the disk structure of the vmdk file. And I do not know why, but mounting just was not working, even when trying different options.
![Sadly... I get this error a lot]()
I needed to figure out a workaround. I found it here: the Virtual Disk Development Kit (VDDK) from VMware. Download it for your OS (in my case Linux), untar the file, then run the perl script 'vmware-install.pl'. Let her rip! This installs a few useful tools for us, but the one I am most interested in is vmware-mount. You can see the documentation here.
So once the VDDK is installed you can invoke the vmware-mount command. The basic parameters it takes are:
vmware-mount diskPath [partition number] mountPoint
Read the documentation or just run 'vmware-mount' to see all the parameters it accepts. A useful one for forensics is the read-only parameter (-r). So I simply pointed it to my vmdk file and where I wanted it mounted on my Linux workstation.
![Currently Trying to Figure Out How to Fix the Error... Still the Command DID Execute Successfully]()
So now, if you have created snapshots, you can only modify the last one, which in my case is 000022.vmdk, so it is telling me 'Sorry, I can only mount the one you are asking for as read-only'. Which is fine for me!
The whole point of this was being able to run log2timeline-sift on more than just DD files; I think a timeline is a great asset to have when you have a case. Running the tool seemed to work pretty well (i.e. no errors), but I might just test it by running all the commands myself and comparing the output. Has anyone run into discrepancies between the automated and the DIY process of log2timeline?
UPDATE: If you get the same VixDiskLib error I did, check out this message board posting. Benichou's fix worked for me: pointing the links to the correct library. Score.
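As an added example (not code from the original post, SANS, or Digensics), here is the E01 procedure the suggestions above outline as a small POSIX shell script: it parses mmls output for the NTFS partition's byte offset, mounts through ewfmount and ntfs-3g with the forensic options, and then checks /proc/mounts to confirm the mount really is read-only before any timeline tool touches it. The tool names are real; the image paths and the sample mmls output are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: E01 -> ewfmount -> ntfs-3g
# read-only mount, with two checks an analyst wants before running log2timeline:
# the partition offset taken from mmls output, and kernel proof that the mount
# is read-only. Assumed tools: ewfmount (libewf), mmls (Sleuth Kit), ntfs-3g.
# Paths and the sample mmls output are constructed.

# Print the byte offset of the first NTFS partition in saved mmls output:
# start sector (column 3) times the sector size from "Units are in N-byte sectors".
ntfs_offset_bytes() {
    awk '
        /Units are in/ { sub(/-byte.*/, "", $4); unit = $4 }
        /NTFS/ && !done { printf "%d\n", $3 * unit; done = 1 }
        END { exit done ? 0 : 1 }' "$1"
}

# Succeed only if MOUNTPOINT appears in the mounts table with the "ro" option.
# Defaults to /proc/mounts; a saved table can be passed as the second argument.
is_mounted_ro() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1; exit }
        END { exit found ? 0 : 1 }' "${2:-/proc/mounts}"
}

# Expose IMAGE.E01 via ewfmount, mount its NTFS partition read-only, and refuse
# to report success unless the kernel lists the mount as ro.
mount_e01_ro() {
    image="$1"; ewfdir="$2"; mnt="$3"; parts="$(mktemp)"
    mkdir -p "$ewfdir" "$mnt"
    ewfmount "$image" "$ewfdir" || return 1        # raw image appears as $ewfdir/ewf1
    mmls "$ewfdir/ewf1" > "$parts" || return 1     # (for a vmdk the post needed: mmls -i aff)
    offset="$(ntfs_offset_bytes "$parts")" || return 1
    mount -t ntfs-3g -o "ro,loop,offset=$offset,show_sys_files,streams_interface=windows" \
        "$ewfdir/ewf1" "$mnt" || return 1
    is_mounted_ro "$mnt" || { echo "$mnt is not read-only, stopping" >&2; return 1; }
}

# Constructed mmls output of the kind seen for a Windows disk image (sample data).
sample_mmls() {
    printf '%s\n' 'DOS Partition Table' 'Offset Sector: 0' 'Units are in 512-byte sectors' '' \
        '      Slot      Start        End          Length       Description' \
        '000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)' \
        '001:  -------   0000000000   0000002047   0000002048   Unallocated' \
        '002:  000:000   0000002048   0041940991   0041938944   NTFS / exFAT (0x07)'
}

# Stand-alone demo of the offset parser on the constructed output (no image needed).
f="$(mktemp)"; sample_mmls > "$f"
echo "NTFS byte offset: $(ntfs_offset_bytes "$f")"   # prints 1048576
```

Run mount_e01_ro as root with the image, a directory for ewfmount and the final mount point; it exits non-zero rather than leaving you on a writable mount.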


5 comments:
Interesting, I haven't encountered that error using mount or had a problem viewing with mmls needing the '-i' switch. I wonder why it is different. Oh well..., name of the game I guess. I like the post, and thanks for linking to Digensics. I will post a follow up and link to your site.
Yeah, sometimes I think Linux just does not like me :-x However your post put me in the right direction, so much thanks for it! I guess as long we we end up at the right spot... how we got there is not a big deal? (There is some Machiavelli in there I know)
Great article! SIFT2.12 has ewfmount on it -> Latest version.
Oh... also NTFS-3g is the default detection for ntfs drives. So directly calling it out is truly optional as it will detect the ntfs drive and use the NTFS-3g capability. This is why show_sys_file and streams_interface=windows should still work.
Plan to also write a companion for split raw and AFF images as well. Basically the command is affuse.
Xmount should work too, but having some challenges with the latest version in the SIFT. Looking for help to sort that out.
Again great article... I didn't know about the VMware Dev Kit. Perfect companion tool.
Rob-- awesome, thanks for the insight! I was actually looking at xmount as you posted that, as another option. It created a dd file; however, when I ran 'file' or 'mmls' it could not figure out what it was. TBH I didn't try to mount it. I will have to check and see what version of SIFT I have... regardless, you rock for coming up with an amazing tool for the community. MUCH mahalo :)
I will play with xmount and if I make any discoveries you will be the first to know.