Mounting images in a Linux distribution as part of a forensic investigation is very common. Sometimes we don’t have access to expensive license-based software such as Encase or X-Ways and our alternative is to leverage SANS SIFT Workstation or REMnux.
For this post, we are going to be using Ubuntu (the basis for SIFT) to demonstrate how to mount disk and memory images in E01, VMDK, RAW, dd and IMG formats.
The first command to run is file. Provide the name of your forensic image file (e.g. DiskCapture.<ext>) as the only parameter:
file DiskImage.<ext>
EWF is short for Expert Witness Compression Format. It is a file type used to store media images for forensic purposes. It is currently widely used in the field of computer forensics by proprietary tooling such as EnCase and FTK. The original specification of the format is provided by ASRDATA, for the SMART application.
To mount E01 files in Ubuntu, we need to leverage ewfmount. This tool creates a temporary mount point through which the E01 (and its related image files E02, E03 etc.) are presented as a single image.
sudo mkdir /mnt/ewfmount
sudo ewfmount DiskCapture.E01 /mnt/ewfmount
From the temporary location, we can then use mount with a series of flags/switches to access the filesystem of the captured disk drive.
sudo mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewfmount/ewf1 /mnt/mounted_image
- ro: Mount the image read-only to preserve forensic integrity.
- loop: The loop option means loop-back. Since there is no real device file in /dev for a filesystem that exists only inside a file, the kernel provides loopback devices which act as a conduit for the filesystem-in-a-file.
- show_sys_files: An NTFS-specific option that shows the "hidden" NTFS system files.
- streams_interface=windows: Used in order to be able to read data streams such as Alternate Data Streams (ADS).
Verify the disk has mounted successfully by running ls on the destination directory.
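The whole procedure above wrapped in a script, as an added example that is not from the original post. It goes slightly beyond the post: it only adds the two ntfs-3g options when the filesystem really is NTFS (other drivers reject them), and it accepts a partition start sector for whole-disk images. The paths, the noexec option and the blkid-based detection are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the E01 workflow above.
# Assumes Ubuntu with libewf (ewfmount), util-linux (blkid) and ntfs-3g;
# paths, the noexec option and blkid detection are this example's additions.
set -eu

# Byte offset of a partition from its start sector (default 512-byte sectors),
# for whole-disk images: take the start sector from `fdisk -l` on the ewf1 file.
sector_offset() { echo $(( $1 * ${2:-512} )); }

# Build the -o string: ro,loop always (plus noexec, added here as hardening);
# the two ntfs-3g options from the post only for NTFS, since other filesystem
# drivers reject them; offset= when the filesystem is not at byte 0.
mount_opts() {
    fstype="$1"; offset="${2:-0}"; opts="ro,loop,noexec"
    case "$fstype" in
        *[Nn][Tt][Ff][Ss]*) opts="$opts,show_sys_files,streams_interface=windows" ;;
    esac
    if [ "$offset" -gt 0 ]; then opts="$opts,offset=$offset"; fi
    printf '%s' "$opts"
}

# Identify the image with `file` (as in the post), expose it through ewfmount,
# detect the filesystem at the offset, mount read-only, then list the result.
mount_e01() {
    image="$1"; offset="${2:-0}"
    ewf_dir="${EWF_DIR:-/mnt/ewfmount}"; target="${TARGET:-/mnt/mounted_image}"
    kind=$(file -b "$image")
    case "$kind" in
        *EWF*|*EnCase*|*Expert\ Witness*) ;;
        *) echo "not an E01/EWF image: $kind" >&2; return 1 ;;
    esac
    sudo mkdir -p "$ewf_dir" "$target"
    sudo ewfmount "$image" "$ewf_dir"
    fstype=$(sudo blkid -p -O "$offset" -o value -s TYPE "$ewf_dir/ewf1" || true)
    echo "filesystem at offset $offset: ${fstype:-unknown}"
    sudo mount -o "$(mount_opts "$fstype" "$offset")" "$ewf_dir/ewf1" "$target"
    ls -la "$target"   # confirm the mount worked, as the post does
}

# Tear down in reverse order: the filesystem first, then the FUSE ewf device.
unmount_e01() {
    sudo umount "${TARGET:-/mnt/mounted_image}"
    sudo umount "${EWF_DIR:-/mnt/ewfmount}"
}

# Usage: ./mount_e01.sh DiskCapture.E01 [partition_start_sector]
if [ $# -ge 1 ]; then
    mount_e01 "$1" "$(sector_offset "${2:-0}")"
fi
```

For a single-partition E01 (a filesystem image rather than a whole disk) run it with just the image name; for a whole-disk image pass the partition's start sector as the second argument.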