Mounting A Hard Disk With Forensic Image

Mounting a forensic image involves making its contents accessible in a read-only mode to analyze and validate the integrity of the evidence. The process includes preparing the environment, checking the image format, creating a mount point, and using specific commands for different image types. Best practices emphasize using read-only mode, validating hashes, documenting the process, and employing write-blocking tools to maintain evidence integrity.

Uploaded by

Rana Ujjval

Mounting a Hard Disk with Forensic Image:

What is Mounting?

 Mounting is the process of making the contents of a disk image accessible to a file system on
a computer.

 For forensic images, mounting is done in a read-only mode to ensure no changes are made
to the evidence.

Why Mount Forensic Images?

 To analyze the structure and contents of the disk image.

 To extract files, examine directory structures, and analyze metadata.

 To validate the integrity of the image without altering original evidence.

Steps to Mount a Forensic Image

1. Prepare the Environment

 Ensure the image is available in a supported format (e.g., .dd, .img, .E01).

 Install necessary tools such as mount, loop modules, or forensic software.

2. Check the Disk Image Format

 Use the file command to identify the format:

    file forensic_image.img

3. Create a Mount Point

 Create a directory where the image will be mounted:

    mkdir /mnt/forensic

4. Mount the Forensic Image

 For RAW Images (e.g., .dd, .img):

 Mount in read-only mode using a loop device:

    mount -o loop,ro forensic_image.img /mnt/forensic

 Check the mounted content:

    ls /mnt/forensic

 Note that ro alone does not stop the kernel from replaying an ext3/ext4 journal on mount; add noload for those file systems (mount -o loop,ro,noload ...), and consider noexec,nodev so nothing on the image can be executed or treated as a device node.

 For Multi-partition Images:

 Use losetup to attach the image to a loop device read-only (-r) with partition scanning enabled (-P); --show prints the device that was assigned, assumed to be /dev/loop0 below:

    losetup -r -P -f --show forensic_image.img

 List partitions:

    fdisk -l /dev/loop0

 Mount a specific partition:

    mount -o ro /dev/loop0p1 /mnt/forensic

5. For Proprietary Formats (e.g., .E01):

 Use tools like ewfmount (libewf) to expose the .E01 as a raw image; the FUSE mount point must exist first:

    mkdir /mnt/ewf
    ewfmount forensic_image.E01 /mnt/ewf

 Mount the resulting raw image (ewf1 is the whole disk; if it carries a partition table, attach it with losetup -r -P as in step 4 rather than mounting it directly):

    mount -o loop,ro /mnt/ewf/ewf1 /mnt/forensic

6. Unmounting the Image

 After analysis, unmount the image to prevent accidental modification, then release any loop device or ewfmount you set up:

    umount /mnt/forensic
    losetup -d /dev/loop0     # only if losetup was used in step 4
    umount /mnt/ewf           # only if ewfmount was used in step 5
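The partition step above relies on losetup -P creating /dev/loop0p1. Where partition scanning is unavailable, the same partition can be mounted read-only from the raw image with mount's offset= option. The script below is an added example, not part of the original slides: it parses a constructed fdisk -l listing (the sample text is made up for this example), multiplies a partition's start sector by the sector size, and prints the resulting mount command.

```shell
#!/bin/sh
# Added example, not from the original slides: compute the byte offset of a
# partition from "fdisk -l" output so it can be mounted read-only with
# mount's offset= option, an alternative to losetup -P.
# SAMPLE_FDISK is constructed sample output, not from a real evidence image.
SAMPLE_FDISK='Disk forensic_image.img: 2 GiB, 2147483648 bytes, 4194304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1a2b3c4d

Device              Boot   Start     End Sectors  Size Id Type
forensic_image.img1 *       2048 1050623 1048576  512M 83 Linux
forensic_image.img2      1050624 4194303 3143680  1.5G 83 Linux'

# sector_size LISTING -> logical sector size taken from the "Units:" line
sector_size() {
    printf '%s\n' "$1" | awk '/^Units:/ { for (i = 1; i <= NF; i++) if ($i == "=") { print $(i + 1); exit } }'
}

# partition_start LISTING N -> first sector of partition N
# (a "*" in the Boot column shifts the Start value one field to the right)
partition_start() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 ~ ("[^0-9]" n "$") { s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# partition_offset LISTING N -> byte offset of partition N inside the image
partition_offset() {
    echo $(( $(partition_start "$1" "$2") * $(sector_size "$1") ))
}

# mount_command LISTING N IMAGE MOUNTPOINT -> read-only mount command for partition N
mount_command() {
    printf 'mount -o ro,loop,offset=%s %s %s\n' "$(partition_offset "$1" "$2")" "$3" "$4"
}

# Print the command an examiner would run for each partition of the sample.
mount_command "$SAMPLE_FDISK" 1 forensic_image.img /mnt/forensic
mount_command "$SAMPLE_FDISK" 2 forensic_image.img /mnt/forensic
```

The offset form needs no partition-aware loop driver, but the ro and noload caveats from step 4 apply unchanged.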

Best Practices
1. Read-Only Mode: Always use the ro flag to prevent altering evidence.

2. Hash Validation: Verify the integrity of the image using hashing (e.g., md5sum) before and
after mounting; record a SHA-256 (sha256sum) alongside it, since MD5 is collision-prone and no longer sufficient on its own.

3. Document the Process: Maintain detailed logs of mounting and analysis steps to ensure a
proper chain of custody.

4. Use Write-Blocking Tools: For additional security, use hardware write blockers or virtual
solutions like a write-blocking kernel module.

Applications of Mounting Forensic Images

 Metadata Analysis: Examine file timestamps and access logs.

 File Recovery: Extract deleted or hidden files for analysis.

 Timeline Reconstruction: Analyze file system activity to create an incident timeline.

 Malware Investigation: Investigate suspicious files in a controlled environment.

Hash Computation and Verification

 What is Hashing?

 Ensures file integrity.

 Common Algorithms: MD5, SHA1, SHA256.

 Commands:

 Compute Hash:

    md5sum file.ext
    sha256sum file.ext

 Verify Hash (the check line is the hash, two spaces, then the file name):

    echo "<hash_value>  file.ext" | md5sum -c

 Example Use Case: Verifying cloned disk image integrity.
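The "hash before and after" practice from the Best Practices list and the compute/verify commands above fit together as one small workflow. The script below is an added example, not from the original slides: it records a baseline SHA-256 for a constructed stand-in image, re-verifies it, checks the file against a hash supplied by someone else (the slide's echo ... | md5sum -c pattern, here with SHA-256), and shows the check failing after a simulated write.

```shell
#!/bin/sh
# Added example, not from the original slides: record a baseline hash of an
# evidence image before analysis and re-verify it afterwards, plus a check
# against a hash value received from elsewhere (e.g. the imaging report).
# The "image" is constructed sample data, not real evidence.

# make_sample_image -> path of a small constructed file standing in for an image
make_sample_image() {
    dir=$(mktemp -d)
    printf 'constructed sample image bytes\n' > "$dir/evidence.img"
    echo "$dir/evidence.img"
}

# record_baseline IMAGE -> writes IMAGE.sha256 in the "hash  name" format that
# sha256sum -c reads back; an absolute path keeps the check location-independent
record_baseline() {
    sha256sum "$1" > "$1.sha256"
}

# verify_baseline IMAGE -> 0 if IMAGE still matches IMAGE.sha256, non-zero otherwise
verify_baseline() {
    sha256sum -c --status "$1.sha256"
}

# verify_expected IMAGE HASH -> 0 if IMAGE hashes to HASH
# (the slide's 'echo "<hash>  file" | md5sum -c' pattern, using SHA-256)
verify_expected() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# Walk through the practice: baseline, verify, simulate a write, verify again.
demo() {
    img=$(make_sample_image)
    record_baseline "$img"
    verify_baseline "$img" && echo "before analysis: hash matches"
    printf 'x' >> "$img"      # simulated accidental write to the evidence
    verify_baseline "$img" || echo "after analysis: hash MISMATCH, evidence altered"
}
demo
```

Keep the .sha256 file with the case notes: sha256sum -c against it is the documented, repeatable check that the chain-of-custody log can cite.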

Slide 3: Checking File Extension Mismatch

 What is File Extension Mismatch?

 Detects altered or incorrect file extensions.


 Commands:

 Identify file type:

    file file.ext

 Compare the type reported by file with what the name's extension claims (ls -l shows only the name, size and timestamps; file reads the content's magic bytes, so a ".jpg" that file reports as an ELF executable is a mismatch):

    ls -l file.ext

 Example Use Case: Detecting hidden malware disguised as images.
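The check above depends on file(1) and its magic database. The script below is an added example, not from the original slides: it reads the first bytes of each file with head/od and compares the well-known PNG, JPEG, PDF, ELF and ZIP signatures against the extension, so it runs anywhere coreutils does. The sample files, including the ELF header stored under a .png name, are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original slides: flag files whose extension
# disagrees with their content, using the magic bytes directly (head/od) so it
# runs even where file(1) is absent. Signatures are the standard ones for PNG,
# JPEG, PDF, ELF and ZIP; the sample files are constructed, not real evidence.

# magic_type FILE -> png | jpg | pdf | elf | zip | unknown, from the first 8 bytes
magic_type() {
    hex=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        89504e470d0a1a0a*) echo png ;;
        ffd8ff*)           echo jpg ;;
        25504446*)         echo pdf ;;   # "%PDF"
        7f454c46*)         echo elf ;;   # "\177ELF"
        504b0304*)         echo zip ;;   # "PK\3\4"
        *)                 echo unknown ;;
    esac
}

# extension_mismatch FILE -> 0 if the extension is consistent with the content
# (or the content is unrecognised), 1 plus a report line on stdout otherwise
extension_mismatch() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    case "$ext" in jpeg) ext=jpg ;; esac
    actual=$(magic_type "$1")
    if [ "$actual" != unknown ] && [ "$ext" != "$actual" ]; then
        printf '%s: named .%s but content is %s\n' "$1" "$ext" "$actual"
        return 1
    fi
    return 0
}

# scan_dir DIR -> one report line per mismatching regular file in DIR
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        extension_mismatch "$f" || true
    done
}

# make_samples -> directory of constructed files, one of them mislabelled
make_samples() {
    d=$(mktemp -d)
    printf '\377\330\377\340' > "$d/photo.jpg"        # genuine JPEG header
    printf '%s' '%PDF-1.4' > "$d/report.pdf"          # genuine PDF header
    printf 'PK\003\004' > "$d/archive.zip"            # genuine ZIP header
    printf '\177ELF' > "$d/holiday.png"               # ELF header under an image name
    printf 'plain notes\n' > "$d/notes.txt"           # unrecognised content, not flagged
    echo "$d"
}

scan_dir "$(make_samples)"
```

Unrecognised content is deliberately not flagged: a signature table this short would otherwise report every text file, and the examiner's next step for those is file(1) or a fuller signature list.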

Slide 4: Keyword Searching

 Purpose:

 Extract relevant evidence using keywords.

 Commands:

 Search in files:

    grep -i "keyword" file.ext

 Recursive directory search:

    grep -ri "keyword" /path/to/dir

 Example Use Case: Finding sensitive terms in documents.

Slide 5: Fragmentation of Forensic Images

 What is Fragmentation?

 Splitting images into smaller chunks for handling large data.

 Commands:

 Fragmentation during imaging:

    dd if=/dev/sdX bs=64M | split -b 2G - output.img.part

 (dd on its own writes one file; piping it into split produces fixed-size pieces named output.img.partaa, output.img.partab, ... whose suffixes sort in order.)

 Merge fragments:

    cat output.img.part* > full_output.img

 Example Use Case: Handling large forensic images on limited storage.
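Fragmenting is only safe if the pieces reassemble to the exact original, so the hashing practice from the Best Practices list belongs in this workflow too. The script below is an added example, not from the original slides: it splits a constructed stand-in image (seq output, not a real disk) into fixed-size pieces, concatenates them back, and compares SHA-256 digests of the original and the rebuilt file.

```shell
#!/bin/sh
# Added example, not from the original slides: fragment an image into
# fixed-size pieces with split, reassemble them with cat, and prove the result
# is byte-identical with SHA-256. The image here is constructed sample data.

# make_sample_image -> path of a constructed ~1.3 MB file standing in for an image
make_sample_image() {
    d=$(mktemp -d)
    seq 1 200000 > "$d/disk.img"
    echo "$d/disk.img"
}

# fragment_image IMAGE CHUNK_BYTES PREFIX -> pieces PREFIXaa, PREFIXab, ...
# (when imaging a device the same split reads dd's output from stdin:
#  dd if=/dev/sdX bs=64M | split -b CHUNK_BYTES - PREFIX)
fragment_image() {
    split -b "$2" "$1" "$3"
}

# reassemble_image PREFIX OUT -> concatenates the pieces; the aa, ab, ... suffixes
# sort lexically, which is why a plain shell glob restores the original order
reassemble_image() {
    cat "$1"* > "$2"
}

# fragment_and_verify IMAGE CHUNK_BYTES -> prints the piece count and returns 0
# only if the reassembled file hashes identically to the original
fragment_and_verify() {
    w=$(mktemp -d)
    fragment_image "$1" "$2" "$w/part."
    reassemble_image "$w/part." "$w/full.img"
    pieces=$(ls "$w"/part.* | wc -l | tr -d ' ')
    original=$(sha256sum < "$1" | cut -d' ' -f1)
    rebuilt=$(sha256sum < "$w/full.img" | cut -d' ' -f1)
    rm -rf "$w"
    echo "$pieces"
    [ "$original" = "$rebuilt" ]
}

IMG=$(make_sample_image)
if n=$(fragment_and_verify "$IMG" 524288); then
    echo "$n pieces, reassembled image matches the original"
else
    echo "hash mismatch after reassembly"
fi
```

Hash each piece as well when the fragments travel separately; a per-piece sha256sum list lets a corrupted transfer be pinned to one file instead of re-copying the whole image.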

Slide 6: Ownership and Permissions

 Purpose:

 Analyze access and ownership metadata.

 Commands:

 Check permissions:

    ls -l file.ext

 Change permissions (only on a working copy; a read-only evidence mount refuses the write):

    chmod 640 file.ext

 Check ownership (stat shows the UID/GID together with all three timestamps):

    stat file.ext

 Example Use Case: Identifying unauthorized access.

Slide 7: Hidden Files

 What are Hidden Files?

 Files beginning with . in Linux.

 Commands:

 List hidden files:


    ls -la

 Reveal hidden files:

    find /path -name ".*"

 Example Use Case: Identifying concealed evidence.

Slide 8: User Accounts and Logs

 What to Investigate?

 User activity, session logs, and access history.

 Commands:

 Check user accounts:

    cat /etc/passwd

 Analyze logs:

    less /var/log/auth.log

 When the system under examination is a mounted image rather than the live host, prefix these paths with the mount point (e.g. /mnt/forensic/etc/passwd and /mnt/forensic/var/log/auth.log); the bare paths read the examiner's own machine.

 Example Use Case: Detecting unauthorized login attempts.
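Reading auth.log with less is the first look; the questions that follow ("which sources kept failing, and did any of them eventually get in, and is root the only UID-0 account?") are easier to answer with a few awk passes. The script below is an added example, not from the original slides, written as it would be run against the files under a mount point; both the auth.log lines and the passwd entries are constructed samples using documentation IP ranges, not data from a real system.

```shell
#!/bin/sh
# Added example, not from the original slides: summarise failed SSH logins from
# an auth.log and list UID-0 accounts from a passwd file, as an examiner would
# run against /mnt/forensic/var/log/auth.log and /mnt/forensic/etc/passwd on a
# mounted image. Both inputs are constructed samples.

# make_samples -> directory holding a constructed auth.log and passwd
make_samples() {
    d=$(mktemp -d)
    cat > "$d/auth.log" <<'EOF'
Jan 12 03:14:07 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 12 03:14:09 host sshd[2211]: Failed password for root from 203.0.113.5 port 50123 ssh2
Jan 12 03:15:01 host sshd[2214]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
Jan 12 03:16:44 host sshd[2219]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jan 12 03:16:50 host sshd[2219]: Failed password for root from 203.0.113.5 port 50130 ssh2
Jan 12 03:17:02 host sshd[2223]: Accepted password for root from 203.0.113.5 port 50131 ssh2
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
EOF
    echo "$d"
}

# failed_by_source LOG -> "count ip" lines, most failures first
failed_by_source() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# success_after_failures LOG -> sources that logged in successfully after
# failing earlier in the log, the signature of a guessing attempt that worked
success_after_failures() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1) }
         /Failed password/ { failed[ip] = 1 }
         /Accepted password/ && failed[ip] { print ip; failed[ip] = 0 }' "$1"
}

# uid_zero_accounts PASSWD -> every account with UID 0; anything but root is suspect
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

D=$(make_samples)
echo "failed logins by source:";               failed_by_source "$D/auth.log"
echo "successful login after failures from:";  success_after_failures "$D/auth.log"
echo "UID 0 accounts:";                        uid_zero_accounts "$D/passwd"
```

Point the three functions at the mount-point paths (e.g. /mnt/forensic/var/log/auth.log) and the output goes straight into the case notes; a second UID-0 account such as the constructed "backup" entry here is the kind of finding that warrants its own timeline entry.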

Timeline Analysis

 Purpose:

 Analyze timestamps for events (created, modified, accessed).

 Commands:

 File metadata:

    stat file.ext

 Directory tree with timestamps:

    ls -ltR /path/to/dir

 Automate timeline creation (Sleuth Kit): fls -r -m / walks the file system on the mounted partition or loop device and writes a body file; mactime then sorts it, with -b naming the body file and -d producing comma-delimited output:

    fls -r -m / /dev/loop0p1 > bodyfile
    mactime -b bodyfile -d > timeline.txt

 Example Use Case: Reconstructing events leading to an incident.
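To see what fls and mactime produce without an evidence device, the script below builds the same body-file format from a directory tree and renders an mtime-ordered timeline from it. It is an added example, not from the original slides or from Sleuth Kit: the tree, its paths and its timestamps are constructed here, and GNU find, touch and date are assumed (a Linux examination host).

```shell
#!/bin/sh
# Added example, not from the original slides: build a Sleuth Kit-style body
# file from a mounted directory tree with GNU find, then render an mtime-ordered
# timeline from it, which is what mactime does for a real body file. The tree,
# its paths and its timestamps are constructed; GNU find/touch/date assumed.

# build_sample_tree -> a temporary tree whose file mtimes are set to known epochs
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/log" "$d/home/alice"
    echo 'root:x:0:0:root:/root:/bin/bash' > "$d/etc/passwd"
    echo 'ls -la /etc' > "$d/home/alice/.bash_history"
    echo 'Accepted password for root' > "$d/var/log/auth.log"
    touch -d @1704067200 "$d/etc/passwd"                 # 2024-01-01 00:00:00 UTC
    touch -d @1704070800 "$d/home/alice/.bash_history"   # 2024-01-01 01:00:00 UTC
    touch -d @1704074400 "$d/var/log/auth.log"           # 2024-01-01 02:00:00 UTC
    echo "$d"
}

# make_bodyfile DIR -> TSK body lines: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# (MD5 and crtime left as 0, as fls does when it cannot compute them; times cut to whole seconds)
make_bodyfile() {
    find "$1" -type f -printf '0|%p|%i|%M|%U|%G|%s|%A@|%T@|%C@|0\n' |
        awk -F'|' -v OFS='|' '{ for (i = 8; i <= 10; i++) $i = int($i); print }'
}

# mtime_timeline BODYFILE -> "YYYY-MM-DD HH:MM:SS path" lines sorted by modification time
mtime_timeline() {
    sort -t'|' -k9,9n "$1" |
    while IFS='|' read -r md5 path inode mode uid gid size atime mtime rest; do
        printf '%s %s\n' "$(date -u -d "@$mtime" '+%Y-%m-%d %H:%M:%S')" "$path"
    done
}

T=$(build_sample_tree)
make_bodyfile "$T" > "$T.body"
mtime_timeline "$T.body"
```

Run against a real image, fls reads the file system directly and so also captures deleted entries, which a find over the mounted tree cannot see; the body-file layout is the same, so a body file from either source feeds mactime unchanged.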
