Recently I’ve been doing a lot of imaging and mounting of different image formats. Xmount(1) has been very handy and is not something I had used much in the past. Xmount can read DD (raw), EWF (Expert Witness Compression Format), or AFF images. While mounting disk images hasn’t changed much, having one utility that handles the major image formats makes the job more accessible.
Xmount can present the image in several different output formats: “raw”, “dmg”, “vdi”, “vhd”, “vmdk”, “vmdks”. Many Linux-based tools need a raw or dd-style image to read; xmount can easily provide one. Mounting an OS X DD image as a DMG is an easy way to open up FileVault volumes: just double-click the DMG file, enter the password, and it’s mounted.
Depending on what you need to do with the image, booting it might be the fastest way to get there. Make sure you are working from a write-blocker or a backup copy so that no changes are made to the original system image.
# apt-get install xmount
# xmount --in ewf <image.E01> --out vmdk --cache /tmp/disk.cache <mountpoint>
# xmount --in ewf ./file.E01 --out vmdk --cache /tmp/disk.cache /tmp/ewf/
Now you should have a VMDK file in /tmp/ewf. You can add this file as a disk to an existing VMware virtual machine, or create a new virtual machine and boot from it.
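The procedure above, wrapped in a small POSIX shell script as an added example (this is not code from the diary or from the xmount project). It checks the input and output types against the lists given above, creates the mount point and cache location, runs xmount with the same --in/--out/--cache options shown, and hashes the evidence file before and after the mount so any accidental write to the original image is caught. The cache file is where xmount redirects writes, which is what keeps the source image untouched. All paths are placeholders, and the script assumes xmount and fusermount are installed.

```shell
#!/bin/sh
# Added example, not from the ISC diary: a wrapper around xmount that
# validates the image types the diary lists, prepares the mount point and
# cache file, runs xmount, and verifies the source image was not modified.
# Assumed: xmount is installed and takes --in/--out/--cache as shown above;
# every path below is a placeholder.

set -u

IN_TYPES="dd ewf aff"
OUT_TYPES="raw dmg vdi vhd vmdk vmdks"

# in_list WORD "a b c" -> returns 0 if WORD is one of the entries
in_list() {
    word=$1
    for entry in $2; do
        [ "$word" = "$entry" ] && return 0
    done
    return 1
}

# Build the exact xmount command line, failing on unsupported types.
# Echoes the command so it can be logged or inspected before it is run.
build_xmount_cmd() {
    in_type=$1; image=$2; out_type=$3; cache=$4; mnt=$5
    in_list "$in_type" "$IN_TYPES" || { echo "unsupported input type: $in_type" >&2; return 1; }
    in_list "$out_type" "$OUT_TYPES" || { echo "unsupported output type: $out_type" >&2; return 1; }
    echo "xmount --in $in_type $image --out $out_type --cache $cache $mnt"
}

# SHA-256 of a file; prefer coreutils sha256sum, fall back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Mount the image, then confirm the source file is byte-for-byte unchanged.
# Paths must not contain spaces (the command is expanded unquoted on purpose).
mount_image() {
    in_type=$1; image=$2; out_type=$3; cache=$4; mnt=$5
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
    mkdir -p "$mnt" "$(dirname "$cache")"
    before=$(hash_file "$image")
    cmd=$(build_xmount_cmd "$in_type" "$image" "$out_type" "$cache" "$mnt") || return 1
    echo "running: $cmd"
    $cmd || return 1
    after=$(hash_file "$image")
    [ "$before" = "$after" ] || { echo "WARNING: evidence image hash changed" >&2; return 2; }
    echo "mounted; virtual disk(s) in $mnt, writes are redirected to $cache"
    ls -l "$mnt"
}

# xmount is FUSE-based, so unmount with fusermount when finished.
unmount_image() {
    fusermount -u "$1"
}

# Usage matching the diary (placeholder paths):
# mount_image ewf ./file.E01 vmdk /tmp/disk.cache /tmp/ewf/
```

Run the hash check again after the VM has been shut down; if the two values still match, every write the guest made went to the cache file rather than the evidence image, which is the property the write-blocker advice above is meant to guarantee.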
Any other new forensics tools you have run across recently that makes life easier for forensicators? Leave a comment.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.