In the previous post, we learned about the disk and the Master Boot Record (MBR), let's now mount that disk, so that we can analyze its contents.
Before mounting, let's once again take a look at the drive to see where the partitions starts.
kali@securitynik:~/forensics$ sudo fdisk --list linux_mint_usb.raw Disk linux_mint_usb.raw: 29.3 GiB, 31457280000 bytes, 61440000 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x00051443 Device Boot Start End Sectors Size Id Type linux_mint_usb.raw1 2048 61437951 61435904 29.3G c W95 FAT32 (LBA)
Above, we see one one partition, which has a "Start" sector 2048. To get the actual byte position, multiply 2048*512. 512 once again being the size of the sectors.
512*2048 = 1,048,576
Taking a look at this sector with XXD before mounting, we see:
kali@securitynik:~/forensics$ xxd --seek 1048576 --length 512 linux_mint_usb.raw | more 00100000: eb58 904d 5344 4f53 352e 3000 0220 e00a .X.MSDOS5.0.. .. 00100010: 0200 0000 00f8 0000 3f00 ff00 0008 0000 ........?....... 00100020: 0070 a903 903a 0000 0000 0000 0200 0000 .p...:.......... 00100030: 0100 0600 0000 0000 0000 0000 0000 0000 ................ 00100040: 8000 2980 b481 fc4e 4f20 4e41 4d45 2020 ..)....NO NAME 00100050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4 FAT32 3..... 00100060: 7b8e c18e d9bd 007c 8856 4088 4e02 8a56 {......|.V@.N..V 00100070: 40b4 41bb aa55 cd13 7210 81fb 55aa 750a @.A..U..r...U.u. 00100080: f6c1 0174 05fe 4602 eb2d 8a56 40b4 08cd ...t..F..-.V@... 00100090: 1373 05b9 ffff 8af1 660f b6c6 4066 0fb6 .s......f...@f.. 001000a0: d180 e23f f7e2 86cd c0ed 0641 660f b7c9 ...?.......Af... 001000b0: 66f7 e166 8946 f883 7e16 0075 3983 7e2a f..f.F..~..u9.~* 001000c0: 0077 3366 8b46 1c66 83c0 0cbb 0080 b901 .w3f.F.f........ 001000d0: 00e8 2c00 e9a8 03a1 f87d 80c4 7c8b f0ac ..,......}..|... 001000e0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb ..t.<.t......... 001000f0: eea1 fa7d ebe4 a17d 80eb df98 cd16 cd19 ...}...}........ 00100100: 6660 807e 0200 0f84 2000 666a 0066 5006 f`.~.... .fj.fP. 00100110: 5366 6810 0001 00b4 428a 5640 8bf4 cd13 Sfh.....B.V@.... 00100120: 6658 6658 6658 6658 eb33 663b 46f8 7203 fXfXfXfX.3f;F.r. 00100130: f9eb 2a66 33d2 660f b74e 1866 f7f1 fec2 ..*f3.f..N.f.... 00100140: 8aca 668b d066 c1ea 10f7 761a 86d6 8a56 ..f..f....v....V 00100150: 408a e8c0 e406 0acc b801 02cd 1366 610f @............fa. 00100160: 8274 ff81 c300 0266 4049 7594 c342 4f4f .t.....f@Iu..BOO 00100170: 544d 4752 2020 2020 0000 0000 0000 0000 TMGR ........ 00100180: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00100190: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 001001a0: 0000 0000 0000 0000 0000 0000 0d0a 4469 ..............Di 001001b0: 736b 2065 7272 6f72 ff0d 0a50 7265 7373 sk error...Press 001001c0: 2061 6e79 206b 6579 2074 6f20 7265 7374 any key to rest 001001d0: 6172 740d 0a00 0000 0000 0000 0000 0000 art............. 001001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 001001f0: 0000 0000 0000 0000 ac01 b901 0000 55aa ..............U.
First create a directory which will be used as your mount target
kali@securitynik:~/forensics$ mkdir usb
Let's now mount the drive:
kali@securitynik:~/forensics$ sudo mount --read-only --verbose --options noatime,nodiratime,loop,offset=1048576 --source linux_mint_usb.raw --target usb/ mount: /dev/loop0 mounted on /home/kali/forensics/usb.
Here is what the above does
mount - mount the drive
--read-only - mount the drive as read only
--verbose - print the informational message, for each successful mount
--options
noatime - Do not update the access timestamps when the file is read
nodiratime - Do not update the directory inode access times on this file system
loop - sets up a loop device to correspond to the image file "linux_mint_usb.raw" and then mount that image to "--target usb/"
We can confirm this loop device as follows:
kali@securitynik:~/forensics$ df --human-readable --type vfat --print-type Filesystem Type Size Used Avail Use% Mounted on /dev/loop0 vfat 30G 12G 19G 38% /home/kali/forensics/usb
offset=1048576 - mount the drive at this offset
--source linux_mint_usb.raw - The source image which was created.
--target usb/ - The location to which this drive will be mounted.
Now that we know the drive has been mounted, we can now verify we have access
kali@securitynik:~/forensics$ ls usb/ Fido-Apr04_2020-1.pdf LINUX PortablApps 'System Volume Information' Girls Nakia 'SANS SEC582 - Labs and Challenges PDFs' tshark
Let's now export all the files, printing out information relating to the file's last status changed date (%Cx), last status changed time (%CT), last access date (%Ax), last access time (%AT), last modification time (%Tx), last modification time (%TT), file permissions (%m), file numeric user id (%U), username (%u), group id (%G), group name (%u), size (%s), path (%P) and finally put ever entry on a new line (\n)
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more
Here is a snapshot of what the output looks like.
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" | more 12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|12/31/1969|19:00:00.0000000000|755|0|root|0|root|16384| 04/06/2020|13:58:31.2200000000|04/05/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|16384|System Volume Information 04/06/2020|13:58:31.2500000000|05/13/2020|20:00:00.0000000000|04/06/2020|13:58:32.0000000000|755|0|root|0|root|12|System Vo lume Information/WPSettings.dat 04/06/2020|20:14:57.0700000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/ClientRecoveryPasswordRotation 04/06/2020|20:14:57.1400000000|04/06/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|16384|System Volume Information/AadRecoveryPasswordDelete 04/06/2020|20:14:57.4300000000|05/13/2020|20:00:00.0000000000|04/06/2020|20:14:58.0000000000|755|0|root|0|root|76|System Vo lume Information/IndexerVolumeGuid 04/07/2020|20:39:36.0000000000|04/07/2020|20:00:00.0000000000|04/07/2020|20:39:36.0000000000|755|0|root|0|root|16384|Nakia 04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|1387601|Naki a/Nakia code dot org certificate.pdf 04/07/2020|20:38:04.0000000000|05/12/2020|20:00:00.0000000000|04/07/2020|20:38:04.0000000000|755|0|root|0|root|766251|Nakia /Nakia_code-org-blank_certificate.png ....
Let's now redirect this output to a file for later analysis.
kali@securitynik:~/forensics$ find usb/ -printf "%Cx|%CT|%Ax|%AT|%Tx|%TT|%m|%U|%u|%G|%g|%s|%P\n" > linux_mint_files_export.txt
Once the contents are all in the file, we can then check to see how many lines were written as follows:
kali@securitynik:~/forensics$ cat linux_mint_files_export.txt | wc --lines 106191
Looks like we have about 106,191 entries.
You can now take this file and open it with spreadsheet document or even a database to perform analysis.
From our exported results, let's find a file of interest to learn about its activities in the next post.
An important takeaway for above, is that the data which was retrieved was from "allocated" space. That means, files which might have been deleted, are more than likely not going to be seen within this output. Thus you may wish to use another tool such as Autopsy or the SleuthKit to get a better handle on the information on the disk. Keep these things in mind as you perform your file systems forensics.
P.S. Not sure if you noticed it but I changed disks from the previous posts. However, the concepts remain the same.
Post in this series:
This comment has been removed by a blog administrator.
ReplyDelete