hacktricks/forensics/basic-forensic-methodology/image-adquisition-and-mount.md



<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>


# Acquisition

## DD

```bash
#This will generate a raw copy of the disk
dd if=/dev/sdb of=disk.img
```

## dcfldd

```bash
#Raw copy with hashes along the way (more secur s it checks hashes while it's copying the data)
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
```

## FTK Imager

You can [**download the FTK imager from here**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).

```bash
ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
```

## EWF

You can generate a dick image using the[ **ewf tools**](https://github.com/libyal/libewf).

```bash
ewfacquire /dev/sdb
#Name: evidence
#Case number: 1
#Description: A description for the case
#Evidence number: 1
#Examiner Name: Your name
#Media type: fixed
#Media characteristics: physical
#File format: encase6
#Compression method: deflate
#Compression level: fast

#Then use default values
#It will generate the disk image in the current directory
```

# Mount

## Several types

In **Windows** you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to **mount the forensics image**.

## Raw

```bash
#Get file type
file evidence.img 
evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)

#Mount it
mount evidence.img /mnt
```

## EWF

```bash
#Get file type
file evidence.E01 
evidence.E01: EWF/Expert Witness/EnCase image file format

#Transform to raw
mkdir output
ewfmount evidence.E01 output/
file output/ewf1 
output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)

#Mount
mount output/ewf1 -o ro,norecovery /mnt
```

## ArsenalImageMounter

It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)

## Errors

* **`cannot mount /dev/loop0 read-only`** in this case you need to use the flags **`-o ro,norecovery`**
* **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:

```bash
fdisk -l disk.img 
Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00495395

Device        Boot Start    End Sectors  Size Id Type
disk.img1       2048 208895  206848  101M  1 FAT12
```

Note that sector size is **512** and start is **2048**. Then mount the image like this:

```bash
mount disk.img /mnt -o ro,offset=$((2048*512))
```


<details>

<summary><strong>Support HackTricks and get benefits!</strong></summary>

Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!

Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)

Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)

**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**

**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**

</details>
Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`


fix mess 2022-05-01 14:41:36 +02:00			`# Acquisition`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
fix mess 2022-05-01 14:41:36 +02:00			`## DD`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			```bash
			`#This will generate a raw copy of the disk`
			`dd if=/dev/sdb of=disk.img`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## dcfldd`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			```bash
			`#Raw copy with hashes along the way (more secur s it checks hashes while it's copying the data)`
			`dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>`
			`dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## FTK Imager`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			`You can [download the FTK imager from here](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).`

			```bash
			`ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## EWF`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
GitBook: [#2876] save 2021-11-30 17:46:07 +01:00			`You can generate a dick image using the[ ewf tools](https://github.com/libyal/libewf).`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			```bash
			`ewfacquire /dev/sdb`
			`#Name: evidence`
			`#Case number: 1`
			`#Description: A description for the case`
			`#Evidence number: 1`
			`#Examiner Name: Your name`
			`#Media type: fixed`
			`#Media characteristics: physical`
			`#File format: encase6`
			`#Compression method: deflate`
fix mess 2022-05-01 14:41:36 +02:00			`#Compression level: fast`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			`#Then use default values`
			`#It will generate the disk image in the current directory`
			```

fix mess 2022-05-01 14:41:36 +02:00			`# Mount`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
fix mess 2022-05-01 14:41:36 +02:00			`## Several types`
GitBook: [master] one page modified 2021-04-01 23:44:54 +02:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 13:21:18 +02:00			`In Windows you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to mount the forensics image.`
GitBook: [master] one page modified 2021-04-01 23:44:54 +02:00
fix mess 2022-05-01 14:41:36 +02:00			`## Raw`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			```bash
			`#Get file type`
			`file evidence.img`
			`evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)`

			`#Mount it`
			`mount evidence.img /mnt`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## EWF`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			```bash
			`#Get file type`
			`file evidence.E01`
			`evidence.E01: EWF/Expert Witness/EnCase image file format`

			`#Transform to raw`
			`mkdir output`
			`ewfmount evidence.E01 output/`
			`file output/ewf1`
			`output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)`

			`#Mount`
			`mount output/ewf1 -o ro,norecovery /mnt`
			```

fix mess 2022-05-01 14:41:36 +02:00			`## ArsenalImageMounter`
GitBook: [master] 2 pages modified 2021-05-28 19:29:30 +02:00
			`It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)`

fix mess 2022-05-01 14:41:36 +02:00			`## Errors`
GitBook: [master] 5 pages modified 2021-01-05 14:06:39 +01:00
			* `cannot mount /dev/loop0 read-only` in this case you need to use the flags `-o ro,norecovery`
			* `wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.` in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:

			```bash
			`fdisk -l disk.img`
			`Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors`
			`Units: sectors of 1 * 512 = 512 bytes`
			`Sector size (logical/physical): 512 bytes / 512 bytes`
			`I/O size (minimum/optimal): 512 bytes / 512 bytes`
			`Disklabel type: dos`
			`Disk identifier: 0x00495395`

			`Device Boot Start End Sectors Size Id Type`
			`disk.img1 2048 208895 206848 101M 1 FAT12`
			```

			`Note that sector size is 512 and start is 2048. Then mount the image like this:`

			```bash
			`mount disk.img /mnt -o ro,offset=$((2048*512))`
			```

Ad hacktricks sponsoring 2022-04-28 18:01:33 +02:00

			`<details>`

			`<summary><strong>Support HackTricks and get benefits!</strong></summary>`

			`Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`

			`Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`

			`Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`

			`Join the [💬](https://emojipedia.org/speech-balloon/) [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter [🐦](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[@carlospolopm](https://twitter.com/carlospolopm).`

			`Share your hacking tricks submitting PRs to the [hacktricks github repo](https://github.com/carlospolop/hacktricks).`

			`</details>`