Jump to content











Photo
- - - - -

Mounting Windows 8.1 disk from EWF

imdisk windows 8.1 inaccessible

  • Please log in to reply
45 replies to this topic

#1 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 15 April 2014 - 01:25 PM

Hi,

 

I have acquired a disk in the EnCase Witness Format (EWF). With the help of another tool, I'm able to mount the EWF file so that it appears as one large file. When I use imdisk to mount a partition from this large Raw disk, this works perfectly. 

 

However, now I'm not able to mount the Windows 8.1 partition... No error is generated, and the disk appears in Windows as a 'Local Disk', but I can't open the partition:

 

'Y: is not accessible. The parameter is incorrect.'

 

I can view the disk contents in EnCase. I suspect it has something to do with the way Windows 8.1 not really unmounts the partition when the system shuts down (in reality it probably hibernates).

 

Any ideas how to solve this?

 

Thanks in advance,

 

 



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14713 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 15 April 2014 - 01:40 PM

Don't use IMDISK. :w00t:

BUT do use IMDISK ;):

http://www.osforensi...isk-images.html

The above is a particular driver derived from IMDISK that can access EWF (.E01 images).

 

:duff:

Wonko



#3 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 15 April 2014 - 02:20 PM

Don't use IMDISK. :w00t:

BUT do use IMDISK ;):

http://www.osforensi...isk-images.html

The above is a particular driver derived from IMDISK that can access EWF (.E01 images).

 

:duff:

Wonko

 

I have used OSFMount in the past, but had some stability problems (mainly with unmounting disks). I gave it another go with OSFMount (was using an older version as well). However, the same problem occurs here: the disk is not accessible... 

Thanks for the suggestion anyway; I may rewrite some code to use OSFMount instead of the separate processes for mounting the EWF files and the resulting RAW disk. It does make my life easier :).

 

Anyone have other suggestions to why the disk is (still) inaccessible?



#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14713 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 15 April 2014 - 02:45 PM

Anyone have other suggestions to why the disk is (still) inaccessible?

There are some issue with 8/8.1 NTFS filesystems on GPT disks, that have not been fully understood/solved:

http://www.forensicf...wtopic/t=11431/

http://www.forensicf...572275/#6572275

(but cannot say if connected to your issue or not)

 

Which OS are you running?

Is it a MBR or a GPT disk?

If you have a "plain" dd image you can try having a look at it in DMDE:

http://dmde.com/

and see if it can access the volume.

 

Another idea would be to NOT use IMDISK :w00t:, nor OFSMount, but use (by the same Author of IMDISK) the Arsenal Mounter:

http://www.forensicf...569512/#6569512

http://arsenalrecon..../image-mounter/

 

 

:duff:

Wonko



#5 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 15 April 2014 - 03:27 PM

Which OS are you running?

Is it a MBR or a GPT disk?

If you have a "plain" dd image you can try having a look at it in DMDE:

http://dmde.com/

and see if it can access the volume.

 

 

I'm running Windows 7. I may give DMDE a go tomorrow; I only have EWF files, but with the help of LIBEWF I mount the EWF images in windows so that only large RAW image appears.

 

Another idea would be to NOT use IMDISK :w00t:, nor OFSMount, but use (by the same Author of IMDISK) the Arsenal Mounter:

http://www.forensicf...569512/#6569512

http://arsenalrecon..../image-mounter/

 

 

 

This looks very interesting! I see it has libewf support as well, and there's a libewf.dll in the MountTool subfolder. Interesting.. I'll try to find out whether this tool has command line support as well.

 

 

I'll check tomorrow (don't have access to a Windows PC at home). 

 

(I'm trying to build a python script which automates a few tasks (such as extracting some keys from the registry, finding encrypted files, running some other CLI tools), and part of it means mounting some EWF files. After mounting, I can run some utilities on the mounted disk. However, this is all command line based, so the tools I use need to have CLI support). 

 

Thanks a lot for the replies!


Edited by theraven1982, 15 April 2014 - 03:28 PM.


#6 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 15 April 2014 - 07:37 PM

Yes, there is a command line tool called ArsenalImageMounterControl.exe that can be used to control things like mounting/dismounting from command line.

To mount an image through libewf.dll that tool is not enough, though. You need to host libewf.dll in a user mode process of some kind that can respond to disk requests and that stays alive as long as the virtual disk is mounted. This is what the graphical MountTool does, basically. To do the same thing on command line you could use a tool called ArsenalImageMounterService.exe. It is available as source code in the GitHub repository and I could help you building it in case you don't have Visual Studio available.

#7 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 16 April 2014 - 06:29 AM

Yes, there is a command line tool called ArsenalImageMounterControl.exe that can be used to control things like mounting/dismounting from command line.

To mount an image through libewf.dll that tool is not enough, though. You need to host libewf.dll in a user mode process of some kind that can respond to disk requests and that stays alive as long as the virtual disk is mounted. This is what the graphical MountTool does, basically. To do the same thing on command line you could use a tool called ArsenalImageMounterService.exe. It is available as source code in the GitHub repository and I could help you building it in case you don't have Visual Studio available.

 

Thanks for the reply! I do have Visual Studio available (I used it to build libewf and The Sleuth Kit with the help of a supplied Solution file, that's all I can do), but I'm not very fluent in VS. I see there's a solution available, so if it 'auto-compiles' I'm all set :).

 

I'll let you know if it worked out! Thanks for the tool and for imdisk! 



#8 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 16 April 2014 - 08:24 AM

Yes, it should be as simple as clicking "build solution" in Visual Studio 2010/2012/2013. You will get the compiled exe and dll files under bin\Release under each project directory.



#9 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 16 April 2014 - 09:28 AM

Yes, it should be as simple as clicking "build solution" in Visual Studio 2010/2012/2013. You will get the compiled exe and dll files under bin\Release under each project directory.

 

Ok, I have VS2012 Express. I opened the solutions file, but during the Build it says it cannot find Ionic.Zip. I downloaded the DotNetZipLib-DevKit-1.9 file, and added it as a reference to each project.

Now, when I try to Build it, I get the errors listed here: http://pastebin.com/q94UHuaM

 

Any ideas? It'd be really awesome if I can get it to build, as I have to mount certain partitions in EWF files, and this seems to be the most integrated solution.



#10 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 16 April 2014 - 09:40 AM

Check and see if there are any assembly references in Arsenal.ImageMounter project that need to be resolved in one way or another. You already fixed the Ionic.Zip.dll reference, I would guess that you could possibly have a similar issue with the reference to PowerShell 3.0 or something like that.
http://msdn.microsof...y/ff458115.aspx

It does not strictly need 3.0 though, it just makes use of it if it is available so that the graphical MountTool could show dialogs about offline/online disks, signature collisions and similar.

#11 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 16 April 2014 - 11:33 AM

Check and see if there are any assembly references in Arsenal.ImageMounter project that need to be resolved in one way or another. You already fixed the Ionic.Zip.dll reference, I would guess that you could possibly have a similar issue with the reference to PowerShell 3.0 or something like that.
http://msdn.microsof...y/ff458115.aspx

It does not strictly need 3.0 though, it just makes use of it if it is available so that the graphical MountTool could show dialogs about offline/online disks, signature collisions and similar.

 

Almost getting there! I installed powershell 3.0 (along with a slew of other updates... have to reboot more often..) and everything compiled without warnings/errors! 

 

I tried using the ArsenalImageMounterService.exe tool in shared memory service mode like this (copied the libewf.dll to the directory):

ArsenalImageMounterService.exe /name=AIMS /provider=LibEwf

 

This immediately returns the prompt. I see that ArsenalImageMounterTool.vshost.exe is running now. 

Now, if I try this:

* ArsenalImageMounterControl.exe /add /filename=E:\EWF.E01 /offset=1048576 it says:

Created device (format: LLTTPP hex): 000000

 

I can see in Disk Management that a disk was attached. However, the size it reports is the size of a single Evidence File, and not the size of the disk. Furthermore, I doesn't see a filesystem. 

 

So I'm guessing I'm doing something wrong... 

 

update: as expected, I did something wrong. The libewf.dll is probably x64 while I'm running x86. 

I'll install x64 and retry... 


Edited by theraven1982, 16 April 2014 - 11:40 AM.


#12 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 16 April 2014 - 11:38 AM

Sounds good. The rest of it now are probably just a couple of command line syntax tweaks needed.

Try:

ArsenalImageMounterService.exe /mount /filename=E:\EWF.E01 /provider=LibEwf

#13 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 16 April 2014 - 01:25 PM

Yes, I have faith that it'll be ok. I'm installing (and updating...) Windows 7 x64 now, so I'll have to wait on that. Tomorrow it'll be done updating, and then I'll retry compiling and using the tools. I'll update tomorrow.

 

For now: thanks a lot for the help!



#14 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14713 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 16 April 2014 - 05:23 PM

Not to gatecrash your nice programmer's only party ;), but I am a bit ( please read as "a lot" :whistling:) tough, and I would like to use this occasion to ask to Olof what is the actual reason (if one exists) for not releasing an already compiled ArsenalImageMounterService.exe ? (and of the other binaries for which the source is provided).

 

There could be people interested in the driver tools but without access to VisualStudio (which is not exactly "as available as" - say - GCC ) and/or without the actual capabilities to solve compiling issues.

 

BTW, and intended as an intentionally OFF TOPIC rant :ph34r:, I have very little experience with compiling sources, but in my - as said very limited experience - I have never found a single §@ç#ing source fileset that compiled successfully without some (obviously undocumented) tweaking of the source, or of the build environment or of both, maybe it is just me, or a coincidence, but the 100% statistical data is preoccupying, what is the practical use of something that does not work "as is" and that is not released in an already compiled version? (or that needs a specific compiler additionally setup exactly in a particular way)

 

Few people have the knowledge theraven1982 :thumbsup: just showed, and even less people among the Authors are as kind as Olof :worship: (and/or available at all)

 

:duff:

Wonko



#15 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 16 April 2014 - 05:44 PM

Not to gatecrash your nice programmer's only party ;), but I am a bit ( please read as "a lot" :whistling:) tough, and I would like to use this occasion to ask to Olof what is the actual reason (if one exists) for not releasing an already compiled ArsenalImageMounterService.exe ? (and of the other binaries for which the source is provided).
 
There could be people interested in the driver tools but without access to VisualStudio (which is not exactly "as available as" - say - GCC ) and/or without the actual capabilities to solve compiling issues.
 
BTW, and intended as an intentionally OFF TOPIC rant :ph34r:, I have very little experience with compiling sources, but in my - as said very limited experience - I have never found a single §@ç#ing source fileset that compiled successfully without some (obviously undocumented) tweaking of the source, or of the build environment or of both, maybe it is just me, or a coincidence, but the 100% statistical data is preoccupying, what is the practical use of something that does not work "as is" and that is not released in an already compiled version?
Few people have the knowledge theraven1982 :thumbsup: just showed, and even less people among the Authors are as kind as Olof :worship: (and/or available at all)


I agree and I am not in any way actively refusing to distribute a compiled version of that tool (or others)! This is more of a "didn't think about that" more than anything else!

I see the potential now in using that tool for things like scripting and I have not seen that earlier, I think. There are a couple of projects in the source tree that are primarily used as code samples for using or testing other parts of the library. Most of them are not particularly useful for any other purposes and this particular tool has for some reason been seen as one of such, more than something useful for end-users.

When we first published Arsenal Image Mounter we primarily got two kinds of requests, requests for an easy-to-use GUI and requests for API libraries. So we published MountTool GUI and an API DLL. That's basically why this command line tool never made it to the binary distribution folder, I guess.

:cheers:

#16 misty

misty

    Silver Member

  • Developer
  • 933 posts
  •  
    United Kingdom

Posted 16 April 2014 - 07:10 PM

@Olof
So the good news is that you will be releasing a pre-comiled version of the ArsenalImageMounterControl.exe (and ArsenalImageMounterService.exe)?

Fantastic!

Cheers Olof.

:cheers:

 Regards,

Misty



#17 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 16 April 2014 - 07:36 PM

ArsenalImageMounterControl.exe is already available here:
https://github.com/A...aster/MountTool

What I am about to do following discussion in this thread, is to build ArsenalImageMounterService.exe in a similar way with all dlls embedded within the exe file. It will make things easier in the case you want to mount using DiscUtils or libewf from command line. Today, you would either need to build it yourself or use DuscUtilsDevio.exe from ImDisk tools and then ArsenalImageMounterControl.exe to actually mount. Either could turn out to be quite complicated in various ways so I definitely see the point in providing a compiled version of ArsenalImageMounterService.exe as well.
  • pscEx likes this

#18 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 17 April 2014 - 09:17 AM

ArsenalImageMounterControl.exe is already available here:
https://github.com/A...aster/MountTool

What I am about to do following discussion in this thread, is to build ArsenalImageMounterService.exe in a similar way with all dlls embedded within the exe file. It will make things easier in the case you want to mount using DiscUtils or libewf from command line. Today, you would either need to build it yourself or use DuscUtilsDevio.exe from ImDisk tools and then ArsenalImageMounterControl.exe to actually mount. Either could turn out to be quite complicated in various ways so I definitely see the point in providing a compiled version of ArsenalImageMounterService.exe as well.

 

I look forward to that :).

 

At the moment I can successfully mount an EWF image as a disk with ArsenalImageMounterService /mount /filename=E:\EWF.E01 /provider=LibEwf. It's absolutely awesome! 

 

A few questions/remarks that I thought of:

* This command does not exit. Is this by design?

* Is it possible to mount a single partition, e.g. by supplying the offset? I did see that mounting EWF files that only contain a partition (no MBR, etc) does work. 

* I tried finding an option to list which partitions are mounted: e.g. to see which driveletter(s) were assigned to which partition/offset in the image. Is this possible?

* Mounting RAW disks: is this possible? I tried ArsenalImageMounterService /mount /filename=E:\RAW.001 , and it only 'mounts' the first file (which obviously results in problems)

 

 

Thanks so much again. Hope it'll make my script a bit less convoluted.. :)

 

Edit:

Oh, if anyone is interested I can do a small write-up how to compile/set this up for the people with even less experience than I have in Visual Studio. 


Edited by theraven1982, 17 April 2014 - 09:53 AM.


#19 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 09:45 AM

I look forward to that :).
 
At the moment I can successfully mount an EWF image as a disk with ArsenalImageMounterService /mount /filename=E:\EWF.E01 /provider=LibEwf. It's absolutely awesome! 
 
2 questions/remarks:
* This command does not exit. Is this by design?


Yes, the application needs to stay open as long as the virtual disk is mounted. This is because the actual image file access is done in that application. The application will exit automatically when you remove the virtual disk, using for example ArsenalImageMounterControl.exe /remove or using the graphical MountTool.

So, you would first have something like start ArsenalImageMounterService.exe /mount /filename=... and then later an ArsenalImageMounterControl.exe /remove in your script.

Now that I am about to turn ArsenalImageMounterService into something more end-user friendly, I guess I could capture Ctrl+C Ctrl+Break and similar within the running console process and dismount the virtual disk in response to that. Otherwise, if someone simply exit the running ArsenalImageMounterService.exe in some other way, it would just leave a "dead" virtual disk drive that cannot be accessed.

* Is it possible to mount a single partition, e.g. by supplying the offset?


I don't know, but you could try of course. I have seen that Windows in most cases seem to mount the filesystem correctly even when you mount an individual partition as a complete disk.
 

Thanks so much again. Hope it'll make my script a bit less convoluted.. :)
 
Edit:
Oh, if anyone is interested I can do a small write-up how to compile/set this up for the people with even less experience than I have in Visual Studio.


That would be great. I could publish that in the GitHub repository!

#20 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14713 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 17 April 2014 - 10:19 AM

Very good. :smiling9:

 

To close the circle :w00t:, once erwan.l :worship: is back, I will remind him about making (if possible) a simpler (simplified, without the NET 4.0 bloat, and more limited because of the missing "hook" - or "whatever" - to discutils :unsure:) command line version of his GUI tool:

http://reboot.pro/to...19003-imgmount/

that would be useful for the few left dinosaurs like myself ;) and for minimalistic PE use.

 

 

 

Edit:

Oh, if anyone is interested I can do a small write-up how to compile/set this up for the people with even less experience than I have in Visual Studio. 

This would be great, though the "base" issue about "common" availability of VisualStudio would remain :(, this might help less "advanced" programmers :thumbup:.

:duff:

Wonko



#21 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 17 April 2014 - 10:55 AM

Here's a short guide:

http://pastebin.com/wfaXWYWq 

 

Mounting Raw disks gives problems. If I do it with ArsenalImageMounterService.exe /mount /filename=E:\RAW.001 , it only 'mounts'  the specified image, instead of using all RAW.* files for the complete image. It doesn't work for either Logical images or Physical Images (Raw).



#22 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 11:02 AM

Very good. :smiling9:
 
To close the circle :w00t:, once erwan.l :worship: is back, I will remind him about making (if possible) a simpler (simplified, without the NET 4.0 bloat, and more limited because of the missing "hook" - or "whatever" - to discutils :unsure:) command line version of his GUI tool:
http://reboot.pro/to...19003-imgmount/
that would be useful for the few left dinosaurs like myself ;) and for minimalistic PE use.


Yes, that would indeed be very useful. Mounting forensics image formats (e01, ewf etc) through libewf.dll should be possible without .NET, libewf.dll is not a .NET module. Most simple and minimalistic solution would probably be to use devio.exe from ImDisk and access libewf.dll through the --dll switch. DiscUtils.dll and support for virtual machine disk formats (vhd, vdi, vhdx, vmdk etc etc) of various kinds is a somewhat more complicated thing since DiscUtils.dll is .NET in the first place.

On the other hand, devio.exe has built-in support for fixed and dynamic (but not differencing) vhd files without .NET so it is possible to use devio.exe to access vhd disks with Arsenal Image Mounter too.

The problem with things like this is that even though .NET is indeed big bloated heavy stuff, it is also extremely useful and tends to attract participating developers. Over the years, absolute majority of questions regarding integrating ImDisk in various applications have come from .NET developers. You could also see how actively developed DiscUtils.dll has turned out to be. Now, the problem with that is that such solutions are not very well suited for "minimalistic" environments such as PE and similar, where various kinds of library support could be limited. That's where I feel like an "old left dinosaur" too.

I hope that my situation with one foot in each world could help avoiding some limitations!
 

This would be great, though the "base" issue about "common" availability of VisualStudio would remain :(, this might help less "advanced" programmers :thumbup:.
:duff:
Wonko


Anything that helps! :thumbup:

Side note(s):
It somewhat disturbs me that WDK 7.1 was the last stand-alone, self-contained, etc, Windows Driver Kit vesion that could simply be downloaded and immediately used to build things with practically no prerequisites. Nowadays, WDK 8 and 8.1 are bloated Visual Studio-integrated things that are indeed very easy and intuitive to work with, but they require Visual Studio 2012 or 2013 and not only that, they need at least the Professional versions, the free Express version would not do. (I know there are workarounds like installing the trial version first, then WDK, then back to Express etc etc, but principally speaking.) In some way this feels like a step back to the old days some 10 years ago when driver development environments for Windows were expensive and simply not meant for anyone who simply wished to try some idea out. But, that's just me maybe. :)
  • ianst likes this

#23 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 11:14 AM

Mounting Raw disks gives problems. If I do it with ArsenalImageMounterService.exe /mount /filename=E:\RAW.001 , it only 'mounts'  the specified image, instead of using all RAW.* files for the complete image. It doesn't work for either Logical images or Physical Images (Raw).


You mean that you have several files, RAW.001, RAW.002, RAW.003 etc that together form a complete raw disk image? Such are possible to mount in MountTool but currently not in ArsenalImageMounterService.exe. Thanks for pointing that out, I will add support for it there as well. It will be something like /provider=multipartraw to use such images.

#24 Olof Lagerkvist

Olof Lagerkvist

    Gold Member

  • Developer
  • 1407 posts
  • Location:Borås, Sweden
  •  
    Sweden

Posted 17 April 2014 - 11:28 AM

Here's a short guide:
http://pastebin.com/wfaXWYWq


Ah, thanks a lot! Just one thing, change "Repeat this step for each project" to "Right-click on 'ArsenalImageMounter' project etc...". You don't need to add those references to all of the projects. Only ArsenalImageMounter.dll uses them.

#25 theraven1982

theraven1982

    Newbie

  • Members
  • 18 posts
  •  
    Netherlands

Posted 17 April 2014 - 12:27 PM

You mean that you have several files, RAW.001, RAW.002, RAW.003 etc that together form a complete raw disk image? Such are possible to mount in MountTool but currently not in ArsenalImageMounterService.exe. Thanks for pointing that out, I will add support for it there as well. It will be something like /provider=multipartraw to use such images.

 

Cool :). Yes, there are multiple RAW.001, RAW.002, etc. files that form one complete disk image. Alternatively, they may form one logical partition (i.e. not a physical dump of a disk, but a logical dump). For EWF files, both physical dumps and Logical dumps work. So I'd guess it wouldn't need a complete overhaul to implement it. Having said that, I'm impressed with someone coding all of this... maybe someday I'll be able to do half of it ;)

 

Changed the description about adding references: http://pastebin.com/r1YyrQaD







Also tagged with one or more of these keywords: imdisk, windows 8.1, inaccessible

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users