Acquiring E01 Images Using Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
When it comes to media acquisition using Linux, tools like Raptor and Paladin are hard
to beat. These tools are able to boot the computer and acquire the internal devices all while
write-blocking the devices. If a GUI acquisition tool for Linux is what you need then look no
further, Guymager is it. But if you want total control of the acquisition process the programs
contained in ewf-tools provide you just that, control.
Ewf-tools is a collection of tools for reading and writing EWF (Expert Witness Format) files.
The expert witness format file, also known as the E01 file is a format owned by Guidance
Software containing a bitstream of an acquired disk, case information, checksums for every
block of 64 sectors, and a footer with an MD5 hash for the entire bitstream.
When you install ewf-tools you are given access to the following programs: ewfacquire,
ewfacquirestream, ewfexport, ewfinfo, and ewfverify. Ewfacquire and ewfacquirestream are
used for acquisition/imaging of devices. Ewfexport is used to export media data stored in the
E01 image. Ewfinfo shows the metadata stored in the image. And last, but not least, when
you need to verify your E01, ewfverify can do it. We will discuss ewfacquire, ewfinfo and
ewfverify. The Backtrack live DVD comes bundled with ewfacquire, but for the purposes of
this article I used an examination computer with Ubuntu 12.04 installed on it.
The goal:
The plan is to acquire/image a piece of media with ewfacquire. We will then use ewfinfo to look at the
metadata in the image, and lastly we use ewfverify to make sure that our image is valid and
matches the data contained in the media.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default, or can be
downloaded from the Ubuntu Software Center. The tools that we will need to accomplish the
task are md5sum and ewf-tools. Md5sum is included by default, so let's head over to the
Ubuntu Software Center for the other tool(s).
Click on the Dash Home circle, located on the top left of your screen, type in “software”
and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-right
corner of your screen. Type ewf-tools and click on the install button. You will be prompted for
your root password. Enter your root password and wait for the program to install.
Once ewf-tools is installed, close the Ubuntu Software Center. The next step is to
prepare a working folder for our files. Go to your desktop, right click on your desktop and
select “create new folder”, name it “Test”.
The Test:
For the procedures I will be using a 256MB Flash Drive. I chose a smaller device so
that we can complete the procedures in less time. The procedures should be the same
regardless of the size of the media that you are acquiring. Also, it should not matter what
data is contained in your media. The only thing that matters is that when we are done
acquiring and validating the image, your media and image should have matching MD5s.
I connected the drive to a previously validated usb hardware write-blocker and then
connected the write blocker to a usb port on my examination computer.
If you do not have a write-blocker handy, you do not have to use one, just remember to
never connect evidence media to a computer without the use of a previously validated write-
blocking procedure.
Make sure your test media is inserted into the computer and open a Terminal Window.
In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the
Dash Home and typing in “terminal.”
Once the terminal window is open, type the following into the terminal to determine
which device name Ubuntu assigned to the test media.
sudo fdisk -l
Fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the partition
tables. Sudo gives fdisk superuser privileges for the operation. Press enter and type your root
password (if needed).
Ubuntu assigned the test media as sdb; sdb1 is the partition currently stored on the
media. Now that we know the media's device assignment, type the following into the terminal
to compute an MD5 sum of the whole device (/dev/sdb, not the partition /dev/sdb1).
sudo md5sum /dev/sdb
Depending on the size of your media, the md5sum may take minutes or hours. It only
took two minutes to receive results for my 256MB drive. These are my results.
The MD5 of the media is 2d0dc508fe22d4e54a09d53a73ea99cb. Take a moment to
write it down or copy it to a txt file inside of the Test folder on your Desktop. Save the MD5 in
case you have to refer back to it at a later time. I went ahead and copied it to the Test folder
into a txt file named 256MbImage.MD5.txt.
Now navigate to the previously created Test folder on the desktop. We will use the cd
command to change directory into the Test folder. Type the following into the terminal.
cd /home/carlos/Desktop/Test/
Replace “carlos” with the name of the user account you are currently logged on as.
After doing so, press enter.
carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/
carlos@XPS-M1330:~/Desktop/Test$
The prompt ending in Test$ indicates that “Test” is your current directory, exactly what we
wanted. The command pwd prints the path of the current directory. Type pwd and press enter.
Select and copy the path of your directory. We will be pasting this path into ewfacquire so
that we can direct the acquisition to the Test folder.
carlos@XPS-M1330:~/Desktop/Test$ pwd
/home/carlos/Desktop/Test
carlos@XPS-M1330:~/Desktop/Test$
Now it's time to call ewfacquire. Type the following into the terminal to point
ewfacquire to the physical media that we intend to acquire. Press enter and type your root
password (if needed).
sudo ewfacquire /dev/sdb
Ewfacquire opens and immediately asks you for a path to store the image. This is
where you will paste the path to the Desktop plus an image filename
(/home/carlos/Desktop/Test//256MbImage).
After pressing enter, you will be allowed to enter the case number, description,
evidence number, examiner name, and notes. You will be allowed to type the information into
these fields one at a time, pressing enter to fill in the following field. If you make a mistake,
press “ctrl” and “c” at the same time to exit the acquisition and start again.
The next set of options are media type, media characteristics, compression, EWF file
format, start to acquire at offset, the amount of bytes to acquire, evidence segment file size in
bytes, the amount of bytes per sector, the amount of sectors to read at once, the amount of
sectors to be used as error granularity, the amount of retries when a read error occurs, and
wipe sectors on read error.
Ewfacquire offers defaults for each one of these options. Here is where you can
decide to change the defaults or leave them. I only changed “media characteristics” from
logical to physical and “use compression” from none to best. I changed these options by
typing in the words “physical” and “best.”
Ewfacquire will give you one last chance to see the acquiry parameters provided,
followed by, continue acquiry with these values (yes, no) [yes]: Yes is the default. Simply
press enter and the acquisition will begin.
When the imaging is complete, ewfacquire will provide you with the MD5 hash that was
calculated over the test media:
Notice, the MD5 matches the MD5 that we previously conducted over test media
/dev/sdb.
Now type “ls -lh” into the terminal and press enter to see if the acquired image is in the
Test folder. ls is the list files command. The flag -l uses a long listing format, and the flag -h
prints the file's size in human readable format.
Yes, we have an E01 image inside of the test folder. My image compressed down to
462KB.
Now let's use ewfinfo to look at the metadata inside of the E01. Type the following into
the terminal followed by enter.
ewfinfo 256MbImage.E01
Ewfinfo prints the metadata contained inside of the E01.
Now let's use ewfverify to verify the integrity of the image and to compare the contents
of the image to the data on the test media. Type the following into the terminal followed by
enter.
ewfverify 256MbImage.E01
Ewfverify success! We have matching MD5s. The acquisition and verification were
successful.
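The whole procedure above (md5sum of the device, ewfacquire with physical media flags and best compression, ewfinfo, ewfverify, and the final hash comparison) as one script. This is an added example, not code from the original article; the device path, output folder, image name and case metadata are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not code from the original article: its manual steps as one
# script. Flag names follow ewfacquire's usage text (-u unattended, -t target
# name, -M media flags, -c compression, -C/-E/-e/-D/-N case metadata); confirm
# them with "ewfacquire -h" on your version. The ewfverify output line matched
# below ("MD5 hash calculated over data:") is an assumption about its format.

# Pull the first 32-hex-character MD5 out of one line of tool output; works for
# md5sum ("<hash>  /dev/sdb") and for ewfverify's hash lines.
extract_md5() {
    printf '%s\n' "$1" | grep -oE '[0-9a-f]{32}' | head -n 1
}

# Print MATCH and return 0 only when both hashes are present and identical.
compare_md5() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then echo MATCH; return 0; fi
    echo MISMATCH; return 1
}

# acquire DEVICE OUTDIR NAME: hash the device, image it, verify the image, then
# compare the device hash with the hash ewfverify calculated over the image.
acquire() {
    dev="$1"; outdir="$2"; image="$2/$3"   # ewfacquire appends .E01 itself
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 2; }
    mkdir -p "$outdir"
    # 1. Hash the raw device (whole disk, not a partition) and keep a copy.
    before=$(sudo md5sum "$dev") || return 3
    printf '%s\n' "$before" | tee "$image.MD5.txt"
    # 2. Unattended acquisition with the article's two changed defaults,
    #    physical media flags and best compression. Case metadata values are
    #    placeholders; fill in your own.
    sudo ewfacquire -u -t "$image" -M physical -c best \
        -C "CASE-PLACEHOLDER" -E "ITEM-PLACEHOLDER" -e "Examiner Name" \
        -D "256MB flash drive" -N "acquired behind a hardware write blocker" \
        "$dev" || return 4
    # 3. Show the stored metadata, then let ewfverify recompute the image hash.
    ewfinfo "$image.E01"
    verify=$(ewfverify "$image.E01") || return 5
    printf '%s\n' "$verify"
    # 4. The device hash must equal the hash ewfverify calculated over the data.
    compare_md5 "$(extract_md5 "$before")" \
        "$(extract_md5 "$(printf '%s\n' "$verify" | grep 'calculated over data')")"
}

# Usage: sh acquire.sh /dev/sdb "$HOME/Desktop/Test" 256MbImage
if [ $# -eq 3 ]; then acquire "$@"; fi
```

A missing or unparseable ewfverify hash line falls through to MISMATCH, so a silent verification failure cannot be read as success.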
Conclusion:
These tools, when used separately, give you complete control of the imaging and
verification of your acquired images.
If these procedures worked for your case, and you are able to use them in the course
of your investigation, we would like to hear from you. Please post your comments or email
the author of this article [email protected].