Multiple Ways to Mount Raw Images (Windows)

In this article, we are going to learn how to mount a forensic image on a Windows machine. There are multiple ways to accomplish this, and tools like OSF Mount and Arsenal Image Mounter will help us in the process. So, let’s start.

Table of Content

  • Introduction
  • Why Mount an Image?
  • Mounting Tools
    • Mount Image Pro
    • OSF Mount
    • Arsenal Image Mounter
    • Access Data FTK Imager

Introduction

In cyber forensics, a forensic image is a complete sector-by-sector copy of a hard drive or external drive. Generally, a forensic image is used as evidence in a forensic investigation. Such images include unallocated space, slack space and boot records. Different computer forensic tools use different formats to generate a forensic image.

Some common forensic image formats are RAW, E01 and AFF. We can use a variety of tools to analyze and mount such an image to get better investigative results.

Why Mount an Image?

Mounting is the process that presents a RAW logical image as a mounted directory or drive. A forensic image is much easier to examine once it is mounted. Various tools can mount a RAW image, so let’s learn the mounting process with several of them. Although the basic procedure is the same, an investigator sometimes finds that they cannot use their preferred tool, and each investigative company uses different tools. So a good investigator should know all the different tools to widen their abilities and stay robust.

Tool #1: Mount Image Pro

Mount Image Pro is a tool that is quite useful in forensic investigations. It can mount images in all the common forensic image formats. Some of them are:

  • .RAW
  • .E01 (Encase Image)
  • .A01
  • .dd

This tool is developed by GetData, a renowned provider of end-user software for data recovery, file recovery, computer forensics and file previewing. Their products are designed to get data back from systems and their hard drives.

We can download Mount Image Pro from here.

Once Mount Image Pro is downloaded, launch the tool using the icon created on the desktop. After launching the app, we need to press the Mount icon to get started.

We can also click on File in the dropdown menu and go for the “Mount Image File” option to move ahead.

After this, we need to select our digital image file on our hard drive. After selecting the image file, we click on the “Open” button to open it.

Now we need to set a few options to get started. The first is how we want to mount our image. We want the image to be mounted and shown as a partition in Explorer, hence we choose the Disk option; if you want to investigate the image as a directory, choose File System. Next is the location where we want to mount it. If we choose the File System option, we need to specify the destination directory; otherwise we choose a letter that acts as the drive letter (such as Local Disk D: or E:). Next we reach the Disk options panel, where we check Plug and Play so that dismounting is easier. Now we select the kind of access we want: we choose Read-Only access. We can also customize the sector size of the partition. After giving all the required details, press the OK button.

After this, mounting starts and we get a live progression of the process through the status bar, as depicted below.

After completion, we get our mounted image and can start our investigation.

As the screenshot suggests, it mounted our forensic image as the F: drive. Now we can analyze it and get the same view of the files as its user had on their system.

Tool #2: OSF Mount

OSF Mount is software that allows us to mount local disk image files (sector-by-sector copies of an entire disk or disk partition) on a Windows system. We can then analyze the disk with its companion tool, OSForensics. By default, image files are mounted as read-only so that our original image files are not altered.

This software supports mounting disk image files in any mode, whether we want them in read-only mode, write mode or write-cache mode.

We can download OSF Mount from here.

Let’s begin by opening OSF Mount after completing its installation. The developers at PassMark gave us a neat, very minimalistic UI to work with. To begin, we hit the “Mount New” button.

After that, we follow a series of steps where we fill in the required details.

Step #1: We need to provide the source of the image file to mount for our investigation.

After filling in details, we hit the Next button.

Step #2: We need to select whether we want a specific partition or the entire image mounted for investigation.

After that step, we need to finalize things. In the last step, we select a few details regarding our image: additional features that we may or may not want to include in the process, such as whether to mount our image as removable media, the drive type, the drive letter, drive emulation, etc.

After filling in all the details and completing all the steps, click on the Mount button to start mounting the image file.

Now, as shown in the image given below, we have the image successfully mounted and ready for analysis.

We can also check that the mounted image works by opening it in File Explorer, as shown in the image given below:
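
Both the partition view that Mount Image Pro offers (Disk option, custom sector size) and OSF Mount’s choice between a specific partition and the entire image rest on the partition table in sector 0 of the raw image. The Python below is an added example, not code from the original article or from either tool: it parses the MBR of a raw image, computes each partition’s byte offset for a given sector size, reads a partition without copying the image, and flags partitions that run past the end of the image (a sign of a truncated acquisition or a wrong sector size). The sample image is constructed inside the code.

```python
import struct
from dataclasses import dataclass
from typing import List

MBR_SIGNATURE = b"\x55\xAA"          # boot signature at bytes 510-511 of sector 0
PARTITION_TABLE_OFFSET = 0x1BE       # four 16-byte primary partition entries start here
ENTRY_SIZE = 16

# A subset of MBR partition type codes, for readable output.
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux",
}


@dataclass
class Partition:
    index: int          # slot in the partition table (0-3)
    bootable: bool      # status byte 0x80
    type_code: int
    start_lba: int      # first sector, relative to the start of the disk
    sector_count: int
    sector_size: int    # the sector size the image was acquired with

    @property
    def byte_offset(self) -> int:
        # The offset a mounting tool needs to present one partition instead of the whole disk.
        return self.start_lba * self.sector_size

    @property
    def byte_length(self) -> int:
        return self.sector_count * self.sector_size

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_code, f"unknown (0x{self.type_code:02X})")


def parse_mbr(image: bytes, sector_size: int = 512) -> List[Partition]:
    """Read the four primary partition entries from sector 0 of a raw image."""
    if len(image) < 512:
        raise ValueError("image is shorter than one sector; no MBR present")
    if image[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR-partitioned image")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (ignored), type, CHS end (ignored), LBA start, sector count
        status, _, ptype, _, start_lba, count = struct.unpack(
            "<B3sB3sII", image[off:off + ENTRY_SIZE])
        if ptype == 0 or count == 0:
            continue  # unused slot
        partitions.append(Partition(i, status == 0x80, ptype, start_lba, count, sector_size))
    return partitions


def truncated_partitions(image_size: int, partitions: List[Partition]) -> List[int]:
    """Indexes of partitions that extend past the end of the image. A non-empty result
    means the acquisition is incomplete or the assumed sector size is wrong."""
    return [p.index for p in partitions if p.byte_offset + p.byte_length > image_size]


def read_partition(image: bytes, part: Partition) -> bytes:
    """Slice out one partition read-only, without copying the image elsewhere."""
    return image[part.byte_offset:part.byte_offset + part.byte_length]


def build_sample_image(sector_size: int = 512) -> bytes:
    """Constructed sample: a 4096-sector raw image with a bootable FAT32 partition at
    LBA 2048 and an NTFS partition at LBA 3072, each 1024 sectors long."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", start, count)

    image = bytearray(4096 * sector_size)
    table = entry(0x80, 0x0B, 2048, 1024) + entry(0x00, 0x07, 3072, 1024) + bytes(2 * ENTRY_SIZE)
    image[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * ENTRY_SIZE] = table
    image[510:512] = MBR_SIGNATURE
    # Put an NTFS OEM ID (bytes 3-10 of a boot sector) at the start of partition 2 so that
    # reading via the computed offset lands on a recognisable header.
    p2 = 3072 * sector_size
    image[p2 + 3:p2 + 11] = b"NTFS    "
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    parts = parse_mbr(img)
    for p in parts:
        print(f"slot {p.index}: {p.type_name:14} bootable={p.bootable} "
              f"offset={p.byte_offset} length={p.byte_length}")
    print("truncated partitions:", truncated_partitions(len(img), parts))
```

Passing the same image with `sector_size=4096` shows why the sector size option in the mounting dialogs matters: every offset changes by a factor of eight.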

Tool #3: Arsenal Image Mounter

Arsenal Image Mounter handles disk images as whole drives. As far as Windows is concerned, the contents of disk images mounted by AIM are real SCSI disks, which lets users take advantage of disk-specific features such as integration with Disk Manager, access to Volume Shadow Copies and much more.

Many of the image mounting solutions on the market present the contents of disk images as shares or partitions rather than complete disks, which sometimes limits their usefulness to digital forensics practitioners and investigators. If AIM runs without a license, it runs in free mode and provides the core functionality. If it is licensed, it runs in professional mode with full functionality enabled.

We can download Arsenal Image Mounter from here.

After downloading and completing the installation, we can open the software and start mounting an image file. After opening it, click on the “Mount disk image” button.

Now we have some details to fill in. We are asked about the mode in which we want to see our mounted image, or what type of device it has to be: we can choose Read Only or Writable, among other options. We also need to fill in the sector size and click on Create “removable” disk device for a better mounting process. After filling in all the details, click on the OK button to move further.

After this our disk is mounted successfully, and we get all the details regarding it along with the mounted message.

Now we check that our image is successfully mounted as a removable device in our system. After checking that, we can finally start our investigation.

Tool #4: Access Data FTK Imager

AccessData claims that FTK lets you zero in on the relevant evidence quickly, conduct faster searches and dramatically increase analysis speed. FTK uses distributed processing and is designed to fully leverage multi-core and multi-threaded computers. While other tools waste the capabilities of modern hardware, FTK tries to use 100 per cent of its hardware resources to help in the investigation process.

FTK provides faster searching than other solutions. FTK is truly database-driven: all data is stored securely and centrally, which allows our teams to use the same database and reduces the cost of creating multiple data sets.

We can download AccessData FTK Imager from here.

After finishing the installation, open the software to move ahead.

Now, click on the File option in the menu and select the “Image Mounting” option to start the image mounting process.

Now we explore the Add Image file option. We browse to the image file on the system, then fill in details like the image file mount type, its drive letter and its mount method.

After filling in all the mandatory details, click on the Mount button to start the mounting process.

It takes some time to mount an image, but after the process finishes we get the details of our mounted image in the Mapped Images section. It provides us with some basic information regarding the drive, method, partition, image location, etc.

If we want to check the integrity of the mounted image, we can do so by browsing to the drive location to validate its data, and then start our investigation.

These are the different ways in which we can mount a forensic image on Windows to help investigators. Better analysis of the evidence will help them in their investigation process.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Forensic Investigation of Social Networking Evidence using IEF

In this article, we will learn about an amazing forensic tool called Magnet Internet Evidence Finder (Magnet IEF), which is used to recover or extract evidence from the various data sources of a system and then integrate them into a single case file for analysis and reporting.

Table of Content

  • Introduction
  • Features of Magnet IEF
  • From Drives
  • From Files & Folders
  • From Images
  • From Volume Shadow Copies

Introduction

Magnet Internet Evidence Finder was developed by former police officers and forensic experts who recognized the need for user-friendly, easy-to-use software. It is a comprehensive tool for performing the tasks of a digital forensic investigation.

We can say that digital forensic professionals around the world have relied heavily on Magnet IEF to help them in their digital investigation process.

We can download Magnet IEF from here.

Features of Magnet IEF

There are three basic features in this tool:

  • Find
  • Analyze
  • Report

Find: There are many artifacts in a system; IEF can parse these artifacts from the system and enable us to quickly dive into the evidence. It can carve data from fragmented files and recover evidence from unallocated space that is not sequential. It can identify unknown apps that might hold a chat database, and it gets monthly updates so it continues to collect evidence from new applications as well.

Analyze: IEF can quickly drill down into the system to find evidence with filters, keyword searches, timelines, etc., and presents the evidence in a user-friendly format so that we can easily analyze it. It also lets us view all evidence in one view and can find relevant photographs by matching their hash values.

Report: IEF creates an easy-to-understand and easy-to-navigate HTML report from any file selected within the viewer, along with a listing of all the evidence found. It also has a portable case feature with which we can create a light copy of the evidence for our convenience. Its timeline helps us keep things organized in chronological sequence, and we can export our evidence report in a variety of formats including PDF, Excel, CSV, XML and tab-delimited.

These features sum up the operations we need to perform in order to find evidence in our digital investigations. They include the different approaches to finding evidence: scanning drives, files and folders, a forensic image, volume shadow copies and mobile devices.

From Drives

Firstly, we follow the approach of searching for evidence in drives. In the search-from-drive approach, Magnet IEF searches the particular drives we select for evidence. We can select the whole drive or a particular partition.

So, once we click on the DRIVE button, we need to select the partition or drive that we want to scan for evidence.

In the next step, it shows the partition we selected and the unpartitioned space of the drive. We need to select which of these to scan, along with the search type we want for this evidence search, and then press the Next button to move further.

Next, Magnet IEF confirms what we selected earlier by showing us all the locations of the drives and files that we wish to search. After confirming the details, click on the Next button to move ahead.

After that, it asks which services we are searching for in the investigation. We can check services like web browsers, social networking sites and applications, file formats, connections, etc. We can check all of them at once or select them one by one as our scan requires. After selecting the services, press the Next button.

Then we need to specify the destination path of our report: the folder in which our reports will be saved. Along with that, case information such as the case number, examiner name and evidence information must also be entered. We can also add our agency logo to the report and notes regarding our forensic investigation. We can also provide keywords that might give us an edge in the investigation, since this tool also searches for keywords to make it more convenient for the user. After specifying the required details, press the Find Evidence button.

After this, you will see two popups. The first popup shows the progress of your scan: which part is being scanned right now, how many files it still needs to process, the time elapsed for the current search and in total, and the progress of the current search and the total search. You can also see a detailed view of the data processors at work by clicking on the Show Details button; then wait patiently for the process to complete.

The second popup is the Report Viewer, which shows every detail captured during the scan. For instance, in the image below, it shows all the details of our services. Like every other report viewer on the market, it provides basic features such as alerts, bookmarks, chats, filters, search, etc.

Once all files are processed and the data processor completes its work, the search status turns green, indicating completion. After this, you can click on the Show Summary button if you want to see the summary of the search.

The case summary then pops up. It is just a regular Notepad file with all the required information about our search, in a compact and useful form.

If we check the Report Viewer and view its timeline feature, it displays all the details of the services; for example, we can see in the image below that our Firefox cookies will expire in 2029, and similarly details about all other services.


From Files & Folders

This approach to searching for evidence is quite similar to searching from drives. With a drive, it takes a storage partition or the whole drive and runs the search to find evidence during the investigation process.

But in Files &amp; Folders, we need to select the exact folders or files that we want to scan for evidence.

Both are quite the same in selection and in the process of searching for evidence. We can use the same tactics as in the drive scan, but instead of selecting a partition we select files on the system; the scanning approach remains the same. It tries to find evidence file by file until the process completes.

The resulting pattern is the same as above, and the Report Viewer offers every feature again: timeline, evidence report, etc.

From Images

In this scenario, we have a fully captured forensic image. To find evidence in this image, we click on Image in Magnet IEF. Through this approach, we can find evidence in the forensic image.

After this, we browse to the image on the system and press the Open button to open the image in the software.

Then we select the search type for the scan: whether we want to scan the full forensic image or just a part of it. After selecting all the details of the scan, press the OK button to move further.

Then Magnet IEF asks us to confirm all the details we provided earlier; if we find no issue in the details, press Next to move further in the scan.

After selecting all the details, it follows the same tactics as “Drive”. We need to specify every service that we want to include in our investigation. After this, it asks for case details and the destination path for our evidence report.

The evidence report lists all evidence found in the forensic investigation. We can filter the alerts, specify alerts and bookmark all the alerts we find in our evidence report. We can also see the timeline of the alerts and evidence.

Image scanning helps us find evidence from a system without needing the live system at hand, which is very handy in a digital forensic investigation.

From Volume Shadow Copies

Volume Shadow Copy, also known as a shadow copy, is a service introduced by Microsoft in Windows. It creates backup copies or snapshots of computer files and volumes, even while they are in use.

It requires NTFS or ReFS volumes to create and store shadow copies. It can create them for local and external volumes on any Windows system that uses these services, for instance through scheduled Windows backups or automatic System Restore points.

With the help of Magnet IEF, we can also find potential evidence in volume shadow copies. To start this process, we select the Volume Shadow Copies button to move ahead in the investigation.

After this, it asks whether you want to search the shadow copies from drives or from images. The process remains the same except for the scanning scenario: one follows the drive scan and the other the image scan.

Both try to find evidence through the same technique. If we understand the first, we can work our way through the second.

After selecting a scan scenario, choose the drive and then the partition you want to scan. Then press the OK button to move ahead.

Now it requires some basic details, which we need to specify: case details, destination path and the services we will search for evidence. This is quite similar to all the other scans we performed earlier.

The Report Viewer generates the report so that one can understand the results of the investigation in a much more convenient way. The process remains the same for the image scan.

Magnet IEF also provides a HELP function, which helps us understand every service and operation. By using it we can understand every function more comfortably.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Multiple Ways to Create Image file for Forensics Investigation

In this article, we will learn how to capture a forensic image of a victim’s hard drives and systems to help in the investigation. There are multiple ways to do this, and the following tools will help us a lot in the process, so let’s start.

Table of Content

  • Introduction
  • What is a Forensic image?
  • FTK Imager
  • Belkasoft Acquisition Tool
  • Encase Imager
  • Forensic Imager

Introduction

In today’s digital era, the use of devices is increasing more and more, and with it cybercrime is also on the rise. When such a crime occurs, the hard drive becomes an important piece of evidence. Therefore, during an investigation one cannot directly perform tasks on the hard drive, as it would then be considered tampered with. Also, one can lose data by mistake while working on it. Hence the necessity of a disk image. Now that we have understood the importance and use of a disk image, let us understand what exactly a forensic image is.

What is a Forensic image?

A forensic image is an exact copy of a hard drive. This image is created using third-party tools which can capture the image of a hard drive bit by bit without changing even a shred of data. Forensic software copies data by creating a bitstream, which is an exact duplicate. The best thing about creating a forensic image is that it also copies deleted data, including files left behind in swap and free space. Now that we have understood forensic imaging, let us focus on the practical side. We will learn how to create such an image using four different tools:

  1. FTK Imager
  2. Belkasoft Acquisition Tool
  3. Encase Imager
  4. Forensic Imager

FTK Imager

FTK Imager can create a disk image and capture the paging file on Windows, along with capturing volatile memory for analysis purposes.

We can download FTK Imager from here.

After installing FTK Imager, we can start creating an image. To do so, go to the File menu and, from the drop-down, select the Create Disk Image option.

After selecting Create Disk Image, it asks for the evidence type, i.e. physical drive, logical drive, etc. Once you have selected the evidence type, press the Next button to move further.

Now it asks for the drive you want to image. Select that drive and click on the Finish button.

Now we need to provide the image destination, i.e. where we want our image to be saved. To give the destination path, click on the Add button.

Then select the type you want your image to be, i.e. Raw, E01, etc. Then click on the Next button.

Further, it asks you to provide details for the image such as case number, evidence number, unique description, examiner and notes about the evidence or investigation. Click on the Next button after providing all the details.

After this, it asks you for the destination folder, i.e. where you want your image to be saved, along with its name and fragment size. Once you have filled in all the details, click on the Finish button.

Now the process of creating the image starts, and it simultaneously informs you about the elapsed time, estimated time left, image source, destination and status.

When the progress bar completes and the status shows “Image created successfully”, our forensic image has been created successfully.

After the image has been created, you can go to the destination folder and verify it, as shown in the picture below:

Belkasoft Acquisition

Belkasoft Acquisition Tool, also known as BAT, can create images of hard drives, removable drives, mobile devices, computer RAM and cloud data. The acquired image can be analyzed with any third-party tool.

We can download Belkasoft Acquisition Tool from here.

Once the dialogue box opens, click on the Drive option.

Now it shows all the available drives. Select the drive whose image you want to create and then click on the Next button.

After selecting the drive, we need to provide the destination path along with the image format and the hash algorithm for the checksum. We can also choose whether or not to split the image. Then click on the Next button.

The process of creating the image starts, as you can see from the picture below:

Once the process is complete and the image is created, click on the Exit button.

To verify the image, go to the destination folder and open it, as shown in the picture below:

Encase Imager

Another way to capture an image is with the Encase tool. We can download Encase Imager from here.

To start the process, we first need to give all the details about the case, and then click on the Finish button.

After that, we choose the hard drive whose image we want to create. Once you have selected the drive, click on the Next button.

Now, select the specific drive whose image you want to create, as shown in the picture below, and click on the Next button.

After selecting everything, it asks us to review all the details we have given. Once the review is done, click on the Finish button.

After that, right-click on the chosen drive and select the Acquire option from the drop-down menu.

After this, select the Add to Case option and then click on the Next button.

After this, give the name, number and other details for your image. Then click the Finish button.

After clicking on the Finish button, you can observe that on the right-hand side, the lower section of the Encase window shows the status of the process.


After everything is done, it shows you all the details like status, start time, name, process ID, destination path, the total time for acquiring the image and the image hashes. Then at last you can click on OK.


Once the image is created, you can see that Encase uses the E01 format and splits the image into multiple parts, as shown in the picture below:
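
Three things recur in the FTK Imager, Belkasoft and Encase walkthroughs above: the copy is a bitstream, a hash is chosen at acquisition time, and the image may be split into fragments. The Python below is an added example, not code from the original article or from any of these tools, that does exactly that on an in-memory “drive” constructed in the code: it streams the source into numbered fragments while hashing it, then re-hashes the fragments the way the tools’ verify step does, and shows that flipping one byte in a fragment breaks verification.

```python
import hashlib
import io
import os
import tempfile
from typing import BinaryIO, Dict, List, Tuple

CHUNK = 64 * 1024  # read size; keeps memory use flat regardless of image size


def acquire_raw(source: BinaryIO, dest_dir: str, base_name: str,
                fragment_size: int, hash_name: str = "sha256") -> Dict:
    """Stream every byte of `source` into numbered fragments (.001, .002, ...),
    hashing the stream as it is read. Returns the fragment paths and the acquisition hash."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    digest = hashlib.new(hash_name)
    fragments: List[str] = []
    total = 0
    part_no = 0
    part = None
    written = 0
    while True:
        chunk = source.read(CHUNK)
        if not chunk:
            break
        digest.update(chunk)
        total += len(chunk)
        view = memoryview(chunk)
        while len(view):
            if part is None:                      # open the next fragment
                part_no += 1
                path = os.path.join(dest_dir, f"{base_name}.{part_no:03d}")
                part = open(path, "wb")
                fragments.append(path)
                written = 0
            n = min(fragment_size - written, len(view))
            part.write(view[:n])
            written += n
            view = view[n:]
            if written == fragment_size:          # fragment is full: close it
                part.close()
                part = None
    if part is not None:
        part.close()
    return {"fragments": fragments, "bytes": total,
            "hash_name": hash_name, "digest": digest.hexdigest()}


def verify_fragments(fragments: List[str], hash_name: str, expected: str) -> Tuple[bool, int]:
    """Re-hash the fragments in order and compare with the digest recorded at acquisition."""
    digest = hashlib.new(hash_name)
    total = 0
    for path in fragments:
        with open(path, "rb") as f:
            while True:
                chunk = f.read(CHUNK)
                if not chunk:
                    break
                digest.update(chunk)
                total += len(chunk)
    return digest.hexdigest() == expected, total


def demo_roundtrip(source_bytes: bytes, fragment_size: int,
                   hash_name: str = "sha256", tamper: bool = False) -> Dict:
    """Acquire an in-memory 'drive' into a temporary directory and verify it. With
    tamper=True one byte of the last fragment is flipped first, to show that the
    verify step catches a corrupted or altered fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        meta = acquire_raw(io.BytesIO(source_bytes), tmp, "evidence", fragment_size, hash_name)
        if tamper:
            with open(meta["fragments"][-1], "r+b") as f:
                first = f.read(1)
                f.seek(0)
                f.write(bytes([first[0] ^ 0xFF]))
        ok, total = verify_fragments(meta["fragments"], hash_name, meta["digest"])
        return {
            "fragments": len(meta["fragments"]),
            "bytes": total,
            "source_hash_matches": meta["digest"] == hashlib.new(hash_name, source_bytes).hexdigest(),
            "verified": ok,
        }


if __name__ == "__main__":
    # Constructed 1 MiB "drive" content; the byte pattern itself does not matter.
    drive = bytes(range(256)) * 4096
    print(demo_roundtrip(drive, fragment_size=400 * 1024))
    print(demo_roundtrip(drive, fragment_size=400 * 1024, tamper=True))
```

Raw fragments like these carry no hash of their own, which is why the digest has to be recorded alongside them; the E01 format Encase writes stores it inside the container.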

Forensic Imager

Another way to capture an image is with Forensic Imager. We can download Forensic Imager from here.

To start the process, click on the Acquire button as shown in the image.

Next, it asks you for the source to acquire the image from.

Once you have given the source for the image, it asks you for the destination details, i.e. the path, format, checksum and other evidence-related details. Once you have filled these in, click on the Start button.

After clicking on Start, you can observe that the process has begun, as shown in the picture below:

After the process completes, it shows a pop-up message saying “acquisition completed”, which means our forensic image has been created. To confirm, we check the destination path and verify our forensic image.

We checked the destination: our image has been created successfully and is ready to be analyzed as a piece of evidence in the forensic investigation.

So, these were four ways to capture a forensic image of a hard drive. One should always know the various ways to create an image, as different situations call for different measures.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Multiple ways to Capture Memory for Analysis

In this article we will learn how to capture RAM for analysis. There are various ways to do it, so let us take some time and learn them all, as different circumstances call for different measures.

What is RAM?

RAM is short for Random Access Memory. It is referred to as the main memory of a computer, which makes it essential for a computer to run. RAM allows the user to temporarily store data that the system is using or is about to use. But as RAM is volatile, all the data stored in it is lost as soon as the power goes out. RAM is both readable and writable, which makes it easy to access and user-friendly. The importance of RAM is that it makes your system faster, as storing to your hard drive takes a lot of time and takes a toll on your system. RAM is also useful for saving and retrieving data from the system. All in all, you can conclude that RAM helps to improve the performance of your device.

Benefits of Capturing the Memory

Capturing RAM is an important task: over time, investigators have realized that many kinds of facts can be recovered from volatile memory, and this evidence can be beneficial in an investigation, allowing an investigator to understand what applications were being used by a suspect or at the time of the attack. It is also possible that remote attackers have data and tools stored in RAM rather than on disk.

Some tools that can do this work:

Dumpit

MoonSols DumpIt combines the Windows 32-bit and Windows 64-bit versions in one executable, and asks the user no questions.

We can download the DumpIt software from here.

It is a compact tool that makes it easy to save the contents of your system’s RAM. It is a console utility, but there is no need to open the command line or master a host of command-line switches. Instead, a double click on the executable is enough to generate a copy of the physical memory in the current directory.

As we can see in the above image, this tool already gives us the destination of the image that we are going to create and asks us whether we want to continue or not.

If we want to continue then we have to press “y”.

If we start the process, after completion it shows the message “success” if it succeeded.

Now we can check the path given by the software to see whether we were able to capture the RAM.

Now we can see that our captured memory, known as the RAM image, has been created successfully.

Magnet Forensics

Magnet RAM Capture, from Magnet Forensics, is a free RAM capturing or memory imaging tool used to capture the physical memory of a suspect’s system, allowing investigators to analyse and recover valuable facts that are only found in the memory of the system.

We can download the software from here.

Magnet RAM Capture has a small memory footprint, which means investigators can run the tool while keeping the amount of memory it overwrites to a minimum. We can capture memory data in Raw (.DMP/.RAW/.BIN) format and easily analyse it.

This image can be used as evidence in the forensic investigation. Evidence that can be found in RAM includes processes, programs running on the system, network connections, evidence of malware intrusion, registry hives, usernames and passwords, decrypted files and keys, etc.

Now we can start the RAM capture process by simply executing the software.


As we can see in the above image, we have to provide the name of the memory image and the format in which we want to capture it.

After providing the above details, our memory capture process starts; how long it takes depends on the size of the memory.

After completing the process, it shows a pop-up message indicating that the process was successful and giving us the path where our captured memory is located, which we provided earlier.

Now we can check that path to see whether our memory image was generated. As we can see in the above image, our image was created successfully, and now we can analyse that memory image.
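
The artifacts listed above (network connections, usernames and passwords, and so on) have to be carved out of the raw .DMP/.RAW/.BIN dump these tools produce, which is a flat copy of physical memory with no file structure. The Python below is an added example, not code from the original article or from any of these tools: it carves printable ASCII and UTF-16LE strings (the encoding most Windows user-mode strings have in memory) from a constructed stand-in dump and classifies them with their byte offsets. Every planted value is made up, and example.com is the reserved documentation domain.

```python
import re
from typing import List, Tuple

# Artifact classes the article lists as recoverable from RAM, matched on decoded text.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "credential": re.compile(r"\b(?:user(?:name)?|pass(?:word)?)=\S+", re.IGNORECASE),
}


def printable_strings(dump: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of at least `min_len` printable
    characters, in both ASCII and UTF-16LE. Plain ASCII carving misses the UTF-16LE
    strings that make up most Windows user-mode text in memory."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = []
    for m in ascii_re.finditer(dump):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(dump):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_indicators(dump: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Classify carved strings and report each hit with its byte offset in the dump.
    In a raw dump the offset is the physical address the data was captured from."""
    hits = []
    for offset, enc, text in printable_strings(dump, min_len):
        width = 2 if enc == "utf-16le" else 1   # bytes per character in the dump
        for kind, pattern in INDICATOR_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append((offset + width * m.start(), kind, m.group()))
    return hits


def build_sample_dump(size: int = 4096) -> bytes:
    """Constructed stand-in for a raw memory dump: non-printable filler with three
    made-up artifacts planted at known offsets."""
    dump = bytearray(i % 32 for i in range(size))            # bytes 0x00-0x1F only
    dump[0x100:0x100 + 11] = b"user=alice\x00"                # ASCII, NUL-terminated
    wide = "https://example.com/login".encode("utf-16-le")   # UTF-16LE, as Windows stores it
    dump[0x400:0x400 + len(wide)] = wide
    conn = b"remote=10.0.0.5:443 established"                 # ASCII connection record
    dump[0x800:0x800 + len(conn)] = conn
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample_dump()
    for offset, kind, value in find_indicators(sample):
        print(f"0x{offset:08x}  {kind:10}  {value}")
```

Run against a real dump, the same functions work unchanged on the file contents; reading a multi-gigabyte dump into memory at once is the part you would replace with windowed reads.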

AccessData FTK Imager

FTK Imager can create a live memory image and capture the paging file on both 32-bit and 64-bit Windows systems. We can download FTK Imager from here and install it on our system. The main purpose of FTK Imager is to process and index data up front and eliminate time wasted waiting for searches to execute. No matter how many different kinds of data we are dealing with or how much data we have to go through, FTK gets us there quicker and better than anything else.

Now start the AccessData FTK Imager software.

To start, we need to click on the File button as shown in the above image.

After clicking on the File button, our screen looks like this. Now we need to find the Capture Memory button and click it to start the memory capture process.

After that, we need to provide some information regarding the image, like the destination path of the memory image, the file name of the memory image, and whether or not we want to include the pagefile and create an AD1 file.

After providing that information, it shows that our process has started; it also continuously shows the status of the process and the final destination path where our image is going to be saved.

After completing, it shows us the message “Memory capture finished successfully” and the location of our memory image.

Now we check that location to see whether our image was saved; as we can see in the above image, we were able to capture the memory image successfully.

Belkasoft Live RAM Capturer

It is a free forensic tool to reliably extract all the contents of the system’s volatile memory, even if it is protected by an active anti-debugging system. Separate 32-bit and 64-bit builds are available to minimize the tool’s footprint as much as possible.

Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with any RAM analysis software.

But first, we need to download Belkasoft Live RAM Capturer from here and install it on our system.

Then open the software, select the path where we want to save our memory image and click on the Capture button.

After providing the details, it loads its drivers to start capturing the memory image, and it shows the live progress of the capture task.

After the overall process completes, the progress bar reaches the right-hand side, and the tool shows a sneak peek of our captured memory, suggests Belkasoft’s image analyser and provides a link to download it.

Now we need to check whether our memory was captured. As we can see in the image given below, we succeeded.

These are some ways and tools to capture a live memory image for analysis, to search for evidence and help an investigator in their cases.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.