Study a Disk Image
This section explains how to analyze a disk image securely.
There are many types of disk images. The most common are:
- filesystem data: a bare filesystem (ext4, FAT, ...) with no partition table in front of it
- DOS/MBR boot sector: the image starts with the first addressable sector of a hard disk
- EWF/Expert Witness/EnCase image file format: an evidence container that holds, for example, the contents and structure of a disk volume
For example:
$ file *
disk1.img: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, root entries 512, Media descriptor 0xf8, sectors/FAT 200, sectors/track 32, heads 64, sectors 204800 (volumes > 32 MB), serial number 0x2b912b13, unlabeled, FAT (16 bit)
disk2.img: Linux rev 1.0 ext4 filesystem data, UUID=7bdf2aae-558e-4f2b-86aa-ae5e3b238f1c (extents) (large files) (huge files)
disk3.e01: EWF/Expert Witness/EnCase image file format
Mount in Read-Only
To look into a disk image, the first step is to mount the filesystem read-only, so that a virus contained in the image cannot spread to the analysis machine. Then you can analyze it like a normal filesystem:
$ mkdir mount
$ sudo mount -r disk.img mount/
$ cd mount/
$ [...]
$ cd ..
$ sudo umount mount
For an EWF/Expert Witness/EnCase image file, you cannot use mount directly. The only way is:
$ mkdir mount
$ ewfmount disk3.e01 mount/
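`mount -r disk.img mount/` works when the image is a bare filesystem, as disk2.img is. `file` also reports "DOS/MBR boot sector" for a whole-disk image that carries a partition table, and such an image cannot be mounted as a whole: each partition has to be loop-mounted read-only at its own byte offset. The following Python script is an added example, not part of the original page or of any forensic tool: it parses the four MBR partition entries from the first sector of an image, computes the byte offset and size of each partition, and prints the read-only mount command for it. The sample MBR it builds in `build_sample_mbr()` is constructed for the demonstration. It also adds `noload` for an ext filesystem, because an ext4 mount replays the journal (a write to the image) even with `-r` unless that option is given.

```python
"""Locate partitions inside a raw disk image so each can be mounted read-only.

A whole-disk image keeps its partition table in sector 0 (the DOS/MBR boot
sector). Each filesystem must be mounted with an explicit byte offset:
    mount -o ro,loop,offset=<bytes>,sizelimit=<bytes> disk.img mount/
"""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
ENTRY_SIZE = 16

# Common partition type bytes; anything else is reported as a raw hex value.
PARTITION_TYPES = {
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux filesystem",
    0xEE: "GPT protective",
}


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries found in the first 512 bytes of an image."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a DOS/MBR boot sector")
    partitions = []
    for index in range(4):
        start = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        entry = sector0[start:start + ENTRY_SIZE]
        # <B3sB3sII: status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0x00 and sectors == 0:
            continue   # unused slot
        partitions.append({
            "index": index + 1,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_size": sectors * SECTOR_SIZE,
        })
    return partitions


def mount_commands(image_path: str, partitions, mountpoint: str = "mount/"):
    """One read-only loop-mount command per filesystem partition."""
    cmds = []
    for p in partitions:
        if p["type"].startswith("extended") or p["type"] == "GPT protective":
            continue   # containers, not filesystems
        opts = "ro,loop,offset={},sizelimit={}".format(p["byte_offset"], p["byte_size"])
        if p["type"] == "Linux filesystem":
            # ext2/3/4 (as disk2.img above): noload skips journal replay, which would write to the image
            opts += ",noload"
        cmds.append(f"sudo mount -o {opts} {image_path} {mountpoint}")
    return cmds


def build_sample_mbr() -> bytes:
    """Constructed sample: a bootable FAT16 partition at sector 2048 followed by a Linux partition."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        (0x80, 0x0E, 2048, 204800),      # bootable, FAT16 (LBA), 100 MiB
        (0x00, 0x83, 206848, 409600),    # Linux filesystem, 200 MiB
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def partitions_of(image_path: str):
    """Read sector 0 of a real image file and parse it."""
    with open(image_path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())   # replace with partitions_of("disk.img") on a real image
    for p in parts:
        print(p)
    for cmd in mount_commands("disk.img", parts):
        print(cmd)
```

On a real image, `partitions_of("disk.img")` replaces the constructed sample; `mmls` from The Sleuth Kit gives the same offsets if you prefer a ready-made tool.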
Extract deleted files
- You can list files and folders with fls. Deleted files are marked with a *:
$ fls -r disk1.img
r/r 5: Document confidentiel.docx
r/r * 7: virus.exe
v/v 3270387: $MBR
v/v 3270388: $FAT1
v/v 3270389: $FAT2
V/V 3270390: $OrphanFiles
So you can extract files with icat:
$ icat disk1.img 7 > virus_extraction.exe
- To list only the deleted files:
$ fls -d -p disk1.img
- To see all inodes:
$ ils -a disk1.img
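When an image holds more than a handful of deleted entries, it is easier to script the fls-to-icat step than to read inode numbers by hand. The following Python script is an added example, not part of the original page or of The Sleuth Kit: it parses fls output lines (the `type/type [*] inode[(realloc)]: name` shape shown above, including the `+` indentation that `fls -r` prints for subdirectories), keeps only deleted regular files, skips the virtual `v/v` entries TSK creates for `$MBR`, `$FAT1` and friends, and emits one `icat` command per file. The sample output in `SAMPLE_FLS_OUTPUT` is constructed from the listing above plus a few extra lines; the `(realloc)` marker on one of them means the inode has since been reused, so `icat` would return the newer file's content rather than the deleted one.

```python
"""Turn `fls` output into a list of deleted files and the `icat` commands that extract them."""
import re
import shlex

# Constructed sample: the listing from the page plus a subdirectory with two more deleted entries.
SAMPLE_FLS_OUTPUT = "\n".join([
    "r/r 5:\tDocument confidentiel.docx",
    "r/r * 7:\tvirus.exe",
    "d/d 9:\ttmp",
    "+ r/r * 11(realloc):\tnotes.txt",     # deleted, but the inode was reallocated since
    "+ -/r * 12:\tdump.bin",               # directory entry type unknown, inode says regular file
    "v/v 3270387:\t$MBR",
    "v/v 3270388:\t$FAT1",
    "v/v 3270389:\t$FAT2",
    "V/V 3270390:\t$OrphanFiles",
])

# <dir-entry type>/<inode type> [*] <inode>[-attr-id][(realloc)]:<tab><name>
FLS_LINE = re.compile(
    r"^(?P<dtype>[a-zA-Z?-])/(?P<itype>[a-zA-Z?-])\s+"
    r"(?P<deleted>\*\s+)?"
    r"(?P<inode>[0-9]+(?:-[0-9]+-[0-9]+)?)"    # NTFS uses inode-attrtype-attrid
    r"(?P<realloc>\(realloc\))?:\s*"
    r"(?P<name>.*)$"
)
DEPTH_PREFIX = re.compile(r"^(\++)\s+")         # `fls -r` indents nested entries with '+'


def parse_fls(output: str):
    """Parse every entry line of fls output into a dict; non-matching lines are ignored."""
    entries = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        depth = 0
        prefix = DEPTH_PREFIX.match(line)
        if prefix:
            depth = len(prefix.group(1))
            line = line[prefix.end():]
        m = FLS_LINE.match(line)
        if not m:
            continue
        entries.append({
            "dtype": m["dtype"],
            "itype": m["itype"],
            "inode": m["inode"],
            "deleted": m["deleted"] is not None,
            "realloc": m["realloc"] is not None,
            "name": m["name"],
            "depth": depth,
        })
    return entries


def deleted_files(entries):
    """Deleted regular files only: skip TSK's virtual v/v entries and deleted directories."""
    return [
        e for e in entries
        if e["deleted"] and e["dtype"].lower() != "v"
        and (e["itype"] == "r" or (e["itype"] == "-" and e["dtype"] == "r"))
    ]


def icat_commands(image: str, entries, outdir: str = "extracted"):
    """One `icat <image> <inode> > <outdir>/<inode>_<name>` per deleted file."""
    cmds = []
    for e in deleted_files(entries):
        safe_name = e["name"].replace("/", "_")          # never let a recovered name escape outdir
        target = f"{outdir}/{e['inode']}_{safe_name}"
        cmd = f"icat {shlex.quote(image)} {e['inode']} > {shlex.quote(target)}"
        if e["realloc"]:
            cmd += "   # inode reallocated: content belongs to the newer file, not the deleted one"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    # On a real image: parse_fls(subprocess.check_output(["fls", "-r", "disk1.img"], text=True))
    for cmd in icat_commands("disk1.img", parse_fls(SAMPLE_FLS_OUTPUT)):
        print(cmd)
```

The output names are prefixed with the inode number so two deleted files with the same name do not overwrite each other, and `shlex.quote` keeps names with spaces (like "Document confidentiel.docx") safe if the commands are pasted into a shell.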
A write-up is available here that explains a use case.
Written on June 9, 2020