reflections

Using unsupported file systems in X-Ways Forensics

Imaging and Mounting | Posted by @my4n6, Sun, February 04, 2018 20:17:14
As a computer forensic examiner I usually use common software suites. I prefer X-Ways Forensics for most of my needs. In some cases I hit upon unsupported file systems. If I have to compare multiple pieces of evidence I prefer not to leave the software, so what can I do with unsupported file systems, e.g. BTRFS?

Linux-based virtual machines are what I like to use when there is no Windows driver that helps me import the file and folder structure into my case.

This example will show you "one" possible solution to get the logical files and folders into your case. I will use "NFS" instead of "SAMBA", because it is more "nix".
Shared folders on virtual machines will work too, but if the image is hosted somewhere else I prefer "NFS", because it is reliable and fast.


1. Use Linux to mount the BTRFS-Image readonly:


root@VM-CAINE:~# chmod 444 BTRFS.dd

root@VM-CAINE:~# md5sum BTRFS.dd

60139fbf8cda079604367cb4b78c44f9 BTRFS.dd

root@VM-CAINE:~# mmls BTRFS.dd


DOS Partition Table

Offset Sector: 0

Units are in 512-byte sectors

Slot Start End Length Description

000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)

001: ------- 0000000000 0000002047 0000002048 Unallocated

002: 000:000 0000002048 0002097151 0002095104 Linux (0x83)

root@VM-CAINE:~# mount -t btrfs -o ro,loop,offset=$((512*2048)) BTRFS.dd /mnt/BTRFS/


Using "loop" and "offset=$((512*2048))" allows us to mount a partition at a specific byte offset. Remember that offsets in "mmls" (The Sleuth Kit) are sector-based, so we have to do a little math: start sector times sector size (2048 * 512 here). The "ro" option prevents manipulating the file system. I didn't find any "noload" mount option in BTRFS, so if it is needed to securely prevent journal replay and you know how to do it, send me a tweet on twitter @My4n6 and I will add it.
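The sector arithmetic above is easy to get wrong by hand, so here is an added example (not code from the original post) that derives the byte offset from mmls output and prints the corresponding read-only loop mount command without executing it. The mmls text is a constructed copy of the table shown in the post; the image name BTRFS.dd and the mount point /mnt/BTRFS are assumptions carried over from the post, and the functions only build the command so it can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not part of the original post: compute the byte offset for
# "mount -o ro,loop,offset=..." from mmls output instead of doing the sector
# arithmetic by hand. Nothing here mounts anything; the mount command is only
# printed for review.

# Constructed sample of mmls output with the same layout as in the post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0002097151   0002095104   Linux (0x83)'

# sector_size MMLS_TEXT -> prints the sector size taken from the "Units" line
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9]*\)-byte sectors.*/\1/p'
}

# partition_start MMLS_TEXT DESCRIPTION -> prints the start sector (leading
# zeros stripped) of the first real partition whose description contains
# DESCRIPTION, skipping the "Meta" and unallocated rows
partition_start() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 != "-------" && index($0, want) {
            print $3 + 0
            exit
        }'
}

# byte_offset MMLS_TEXT DESCRIPTION -> prints sector_size * start_sector,
# fails if either value could not be parsed
byte_offset() {
    size=$(sector_size "$1")
    start=$(partition_start "$1" "$2")
    [ -n "$size" ] && [ -n "$start" ] || return 1
    echo $((size * start))
}

# mount_cmd IMAGE MOUNTPOINT OFFSET -> prints the read-only loop mount command
# exactly in the form used in the post (assumed image name and mount point)
mount_cmd() {
    printf 'mount -t btrfs -o ro,loop,offset=%s %s %s\n' "$3" "$1" "$2"
}

# Demo on the constructed table. With a real image, pass "$(mmls BTRFS.dd)"
# instead of "$SAMPLE_MMLS".
OFFSET=$(byte_offset "$SAMPLE_MMLS" Linux)
echo "byte offset: $OFFSET"          # 1048576
mount_cmd BTRFS.dd /mnt/BTRFS "$OFFSET"
```

Feeding `"$(mmls BTRFS.dd)"` to byte_offset gives the same 1048576 as the manual $((512*2048)) in the post; compare the printed command with the mmls table once before running it, since a wrong offset simply fails to mount rather than corrupting anything on a read-only loop device.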


2. Create a NFS-Export / NFS-Share for the mountpoint:


You might have to install the nfs-kernel-server by using:


sudo apt-get install nfs-kernel-server


The next line will allow the IP address 192.168.178.87 to access the files and folders mounted at /mnt/BTRFS as an anonymous user:

echo '/mnt/BTRFS 192.168.178.87(ro,sync,anonuid,anongid)' >> /etc/exports

You need to refresh the NFS exports by using:

root@VM-CAINE:~# exportfs

/mnt/BTRFS 192.168.178.87

3. Windows needs to be prepared for using NFS:

"NFS" is not enabled by default under Windows, but it is simple to add this feature:

Under "Control Panel --> Programs --> Programs & Features" you can turn on Windows Features like "NFS".

4. Now mount the NFS share in Windows; please remember that if you mount it as an administrator you won't see it as a normal user:

mount -o anon \\192.168.178.89\mnt\BTRFS L:

The IP address above belongs to my Linux machine hosting the mounted BTRFS.


5. Using X-Ways Forensics:


First I tried to import the BTRFS.dd image. --> "File system unknown"

Then I added the share to my case and I am able to do my X-Ways Forensics "Refine Volume Snapshot" to get the cakes :-)

Yes, I know I am missing deleted files, file system metadata and a lot more, but at least I have the content of the files and I am able to see the file and folder structure.

If you need to present the case to someone else it makes sense to use an "X-Ways Forensics Container" and include all the files, hashes, comments etc.

6. Don't forget to unmount the NFS share in Windows at the end:



7. Last but not least! On Linux:

root@VM-CAINE:~# umount /mnt/BTRFS

root@VM-CAINE:~# md5sum BTRFS.dd

60139fbf8cda079604367cb4b78c44f9 BTRFS.dd

Nothing changed!