Mounting The Szechuan Sauce (Case 001) E01 Files
Learning Objectives of Mounting E01
- Understand what an E01 File is and what it provides
- Be able to mount an E01 file in SIFT
Semi-Required Knowledge
- Basic knowledge of computer memory (RAM)
- Basic Linux Command Line Fu
- Basic Virtual Machine Operation
Common Tools
- EWF Mount
- Autopsy
Tools Covered Here
- ewfmount
- mmls
- mount
Other Learning Resources on this Topic
- Book: The little handbook of Windows Forensics: Just some random thoughts about Windows
- Book: Applied Incident Response
- YouTube: 13Cubed Triage Image Creation
- YouTube: 13Cubed – Getting Started with Plaso and Log2Timeline
- Article: Digital Forensics – Evidence Acquisition and EWF Mounting
Notes
- Keep solid notes on your thinking around evidence and data that you find
- This is for teammates to understand your thinking
- Understand your own thinking later… or after sleep.
- Notes should be accompanied by screenshots that tell a story
- Examples: highlights, boxes, arrows, text. The reader should quickly understand what they’re looking at
- A great note-keeping App that teams can use to coordinate is OneNote.
- Each host gets a tab etc.
- A great piece of software to take Screen Shots is Greenshot
What is the E01 File?
In short, the E01 file is an “Expert Witness File Format” file. It is a compressed image that provides a legally admissible bit-for-bit copy of the target hard drive when captured with the proper tool.
Introduction
Developed by ASR Data, the Expert Witness file format (aka E01 format aka EnCase file format) is an industry standard format for storing “forensic” images. The format allows a user to access arbitrary offsets in the uncompressed data without requiring decompression of the entire data stream. The specification does NOT provide for quantifiable assurance of integrity; it is up to the implementation to provide meaningful authentication for any data contained in an “evidence file”.
Overview
The Expert Witness Compression format can store a single image in one or more segment files.
What is E01 File ?
The E01 (EnCase Image File Format) file keeps a backup of various types of acquired digital evidence, including disk images, logical file collections, etc. When an investigator (or a forensic expert) uses EnCase to create a backup of the data on a hard disk, a physical bit stream of the data is produced. This procedure is known as disk imaging. The relation between EnCase and the E01 image file format is that, while imaging the data on the hard disk, EnCase divides the complete data into 640 MB chunks. Because the data is split at each 640 MB boundary, multiple files storing the hard disk contents are created. The peculiar feature of these files is that the file name stays the same (as named by the user) while the file extension changes.
For The Case of the Stolen Szechuan Sauce there was an E01 file provided for both the server and the client machine.
Mounting the E01’s
Mounting each E01 image is an identical process. The process is simply this:
- Mount the E01 using ewfmount to /mnt/ewf
- View the partition layout of the EWF file using mmls and note the start sector of the Windows partition
- Mount the Windows partition read-only to /mnt/windows_mount
- Mount additional drives in /mnt/ewf_mount, /mnt/e01, /mnt/windows_mount1, etc.
Mount the EWF
To mount an E01 file of interest, navigate to the directory where the E01 is stored. Then use ewfmount to mount the image to one of the E01 mount points: /mnt/ewf, /mnt/e01 or /mnt/ewf_mount. You can also make more as needed, or use a naming convention that makes sense to you, with the mkdir command.
ewfmount ...
to let you know it mounted. Check with ll !$.
View Partition Layout
Use mmls to view the layout of the EWF image mounted at /mnt/ewf/ewf1. The command is mmls /mnt/ewf/ewf1. This will return a map of the image.
- Note the size of the sectors. In this case it is 512 bytes per sector.
- This is the starting sector of the first partition, or the boot partition, of the Windows disk recovered from the Domain Controller.
- This is the first sector of the second partition, or the Operating System partition, of the Windows disk recovered from the Domain Controller.
Mount the Windows Partition
To mount the different partitions found in the image, use the following command and replace the byte offset accordingly.
mount -t ntfs-3g -o loop,ro,show_sys_files,stream_interface=windows,offset=$((2048*512)) /mnt/ewf/ewf1 /mnt/windows_mount/
- mount
- -t ntfs-3g: it’s an NTFS drive
- -o loop,ro,show_sys_files,stream_interface=windows,offset=$((2048*512)): mount via a loop device, read-only, show system files, expose alternate data streams (ADS), and start at the given byte offset (2048 sectors of 512 bytes).
The analyst is now able to read out the contents of the boot partition by listing the /mnt/windows_mount directory.
The juicier details in this case, however, will be found in the Operating System partition. Either umount /mnt/windows_mount and remount the operating system partition at that location, or simply mount the second partition at /mnt/windows_mount1.
- Unmount the Boot Partition
- Mount the OS Partition using the first sector of the OS Partition found with mmls
- List out the contents and find a familiar Windows C: drive
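The three steps above (ewfmount, mmls, read-only mount) and the reverse-order teardown, as one added shell script that is not part of the original post. It assumes the SIFT mount points /mnt/ewf and /mnt/windows_mount, that it is run with sudo (ewfmount and mount need root), and that ewfmount takes the image followed by the mount point. The byte offset is computed from the mmls row you pick with the same start-sector times sector-size arithmetic the post does by hand; SAMPLE_MMLS is a constructed listing (not from the case images) so that parsing can be exercised without an E01 at hand.

```shell
#!/bin/sh
# Added example, not the post's own code: the three mount steps as one script.
# Assumptions: run as root/sudo on SIFT, ewfmount/mmls/mount on PATH, and the
# mount points below. ewfmount's argument order is <image> <mount point>.
set -eu

EWF_MOUNT=/mnt/ewf              # ewfmount exposes the raw image here as ewf1
WIN_MOUNT=/mnt/windows_mount    # the NTFS partition gets mounted here

# Constructed mmls listing (not from the case images) in Sleuth Kit's format,
# used to exercise the offset parsing without an E01 at hand.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001126399   0001124352   NTFS / exFAT (0x07)
003:  000:001   0001126400   0125829119   0124702720   NTFS / exFAT (0x07)
004:  -------   0125829120   0125829167   0000000048   Unallocated'

# Read mmls output on stdin; print the byte offset of row $1 (e.g. 002).
# Start sector times the sector size from the "Units are in" line, which is
# the $((2048*512)) arithmetic the post does by hand. Fails if the row is absent.
mmls_offset_bytes() {
    awk -v key="$1:" '
        /^Units are in/ { sub(/-byte.*/, "", $4); sector = $4 + 0 }
        $1 == key       { print $3 * sector; found = 1 }
        END             { exit found ? 0 : 1 }
    '
}

# Read mmls output on stdin; print the row index of every NTFS partition.
ntfs_rows() {
    awk '/NTFS/ { sub(/:$/, "", $1); print $1 }'
}

mount_e01() {                   # mount_e01 <image.E01> <mmls row index>
    image=$1; row=$2
    mkdir -p "$EWF_MOUNT" "$WIN_MOUNT"
    ewfmount "$image" "$EWF_MOUNT"                  # step 1: expose raw image
    ls -l "$EWF_MOUNT"                              # expect a single file: ewf1
    layout=$(mmls "$EWF_MOUNT/ewf1")                # step 2: partition map
    printf '%s\n' "$layout"
    offset=$(printf '%s\n' "$layout" | mmls_offset_bytes "$row")
    mount -t ntfs-3g \
        -o loop,ro,show_sys_files,stream_interface=windows,offset="$offset" \
        "$EWF_MOUNT/ewf1" "$WIN_MOUNT"              # step 3: read-only mount
    ls "$WIN_MOUNT"
}

# Tear down in reverse order: the NTFS mount first, then the EWF FUSE mount.
unmount_e01() {
    umount "$WIN_MOUNT"
    umount "$EWF_MOUNT"
}

case "${1:-}" in
    mount)  mount_e01 "$2" "$3" ;;
    umount) unmount_e01 ;;
    *)      : ;;                # no arguments: only define the functions
esac
```

With a hypothetical file name, sudo sh mount_e01.sh mount Server.E01 003 mounts the row-003 (OS) partition, and sudo sh mount_e01.sh umount tears both mounts down in reverse order. Selecting the row from the parsed mmls map rather than retyping the sector keeps the offset and the listing in agreement, which is where hand-copied offsets usually go wrong.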
Additional Mounts
Now use the same method to mount the Desktop E01 file to /mnt/windows_mount1. Attention to detail will be key here.
Unmounting the Images
Unmounting the drives is as simple as running umount in reverse order.
Other Tools
A quick note – there is a great program called Autopsy that can be used to ingest the entire drive image. Once ingested it makes investigating the drive an easy task. That method will be discussed in a future article. For now this method is being used to get the analyst into a position to easily generate Super Timelines, investigate the registry, and other items that will require access to the drives.
Conclusion
E01 files offer a portable, compressed copy of a target drive. Mounting the drive takes three easy steps. Now that the drives are mounted, the analyst can use the tools found in REMnux and SIFT to investigate artifacts left behind on the hard drive. The analyst should always mount evidence read-only, even when it is not strictly necessary. If you were successful in listing out the contents of the Operating System partition, you are ready to proceed.
Next Steps
Registry investigation as part of the Autoruns analysis.
Super Timeline Creation and Analysis.
When trying to mount the E01 files on the SIFT workstation I receive the error that NTFS signature is missing. Failed to mount ‘dev/loop21’ : invalid argument. How do I resolve this error?
Are you running as root, or elevating with sudo?
Also – not being snarky here, but did you Google the problem? In hacking/forensics/IT google is your best method for getting past an error code.
Awesome content. Thanks for providing such a concise explanation on how mounting works.
Thank you for the tutorial. (Previous question – check your file system offsets. Got the same error messages until I used the correct offsets.)
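The error quoted in the question above is what ntfs-3g reports when the bytes at the requested offset are not an NTFS boot sector, which is exactly what a wrong offset produces. As an added check (not from the original post or its comments), the script below reads the OEM ID and the end-of-sector marker at a candidate offset before any mount is attempted, so a bad offset is flagged by the probe rather than by a failed mount. It assumes a raw image path such as /mnt/ewf/ewf1; make_sample_image builds a small constructed image with one fake NTFS boot sector at sector 2048 so the check can be exercised without case data.

```shell
#!/bin/sh
# Added example, not the post's own code: probe a candidate offset for the
# NTFS boot-sector markers before mounting. Assumes a raw image such as
# /mnt/ewf/ewf1 (or the constructed sample built below).
set -eu

# Hex dump of $3 bytes at byte offset $2 of file $1 (no spaces or newlines).
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 when the sector at the given byte offset looks like an NTFS boot
# sector: OEM ID "NTFS    " at bytes 3..10 and the 0x55AA marker at 510..511.
ntfs_boot_sector_at() {      # ntfs_boot_sector_at <raw-image> <byte-offset>
    img=$1; off=$2
    oem=$(hex_at "$img" $((off + 3)) 8)
    end=$(hex_at "$img" $((off + 510)) 2)
    [ "$oem" = "4e54465320202020" ] && [ "$end" = "55aa" ]
}

# Print a verdict for each candidate start sector (sector size $2) of image $1,
# e.g. the Start values read off an mmls listing.
check_offsets() {            # check_offsets <raw-image> <sector-size> <start-sector>...
    img=$1; ss=$2; shift 2
    for s in "$@"; do
        if ntfs_boot_sector_at "$img" $((s * ss)); then
            echo "sector $s (byte $((s * ss))): NTFS boot sector found"
        else
            echo "sector $s (byte $((s * ss))): no NTFS boot sector"
        fi
    done
}

# Constructed sample image (not case data): all zeros except a fake NTFS boot
# sector at sector 2048, so the probe passes there and fails everywhere else.
make_sample_image() {        # make_sample_image <path>
    path=$1; base=$((2048 * 512))
    dd if=/dev/zero of="$path" bs=512 count=2049 2>/dev/null
    printf 'NTFS    ' | dd of="$path" bs=1 seek=$((base + 3)) conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$path" bs=1 seek=$((base + 510)) conv=notrunc 2>/dev/null
}

if [ $# -ge 3 ]; then
    check_offsets "$@"
fi
```

Typed as sh check_ntfs.sh /mnt/ewf/ewf1 512 2048 1126400 (the sector size and Start values come from your own mmls output), it prints one line per candidate; a "no NTFS boot sector" line at the sector you were about to pass to mount means the offset, not the image, is the problem.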
How can we mount an E01 on Windows?