I’m writing this post more for personal knowledge management (i.e. “so I have an easy place to look it up later”) than for other folks. But if it comes in handy, so much the better. And I based most of it on someone else’s work, but you never know when other blogs will disappear or become unavailable.
So, when I create a forensic image of a drive, I nearly always use dcfldd. Occasionally, I’ll use FTK Imager, but I still output to dd (raw) rather than any proprietary format. I do this largely because everything works with it. Today’s work points this up perfectly. I needed to look for a small set of hash values in a file system: that is, given a small set of MD5 hashes, do any files match the “known bad” stuff? (The set is small enough that hfind is overkill.) For various reasons, I needed to do this without using a commercially licensed forensic suite like FTK. I generally use SIFT or, rarely, Helix in these sorts of situations. The example below assumes that you’re working with a target NTFS file system.
This seems simple enough: just mount the image:
ntfs-3g /media/sda/image.dd /media/image -o ro
Unfortunately, this doesn’t work, since image.dd contains a full disk, not a volume. As it turns out, you can more or less handle this via losetup and the --offset parameter. I run the first losetup just to make sure of the next available loop device. I’m assuming loop0, but in a live CD environment it might be loop1 instead.
losetup -a
losetup /dev/loop0 /media/sda/image.dd
fdisk /dev/loop0
Here, you’ll enter “u” to change to sector units. Once you print the partition table, just find the starting sector for the partition in question and multiply by 512 to get the offset in bytes.
losetup -d /dev/loop0
mount -t ntfs -o ro,loop,offset=$OFFSET /media/sda/image.dd /media/image
You can also replace the last few lines with another losetup followed by mount or ntfs-3g if required. Now just run your md5deep or whatever other filesystem-level analysis task:
md5deep -r /media/image > /media/sda/image.md5
grep $HASHVALUE /media/sda/image.md5
(Thanks to @syntaxerr66 for pointing out that last mount command rather than having to issue “losetup --offset $OFFSET ; mount”.)
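A scripted version of the same procedure, added here as an example and not part of the original post: it reads the partition’s starting sector straight from the MBR instead of going through the interactive fdisk session, mounts with the same ro,loop,offset options, and matches md5deep output against a known-bad list. It assumes MBR partitioning with 512-byte sectors (GPT images are not handled), and the image path, mount point and hash-list file are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MBR partitioning and
# 512-byte sectors (no GPT support); the paths below are placeholders.

# Byte offset of MBR partition N (1-4): the table starts at byte 446, each
# entry is 16 bytes, and the 32-bit little-endian start LBA is at entry bytes 8-11.
partition_offset() {
    img="$1"; n="${2:-1}"
    case "$n" in 1|2|3|4) ;; *) return 1 ;; esac
    lba_at=$((446 + (n - 1) * 16 + 8))
    # Read the four bytes as unsigned decimals and assemble the LBA by hand,
    # so the result does not depend on the host's byte order.
    set -- $(od -An -tu1 -j "$lba_at" -N 4 "$img")
    [ $# -eq 4 ] || return 1
    start_lba=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    [ "$start_lba" -gt 0 ] || return 1          # empty slot: no partition here
    echo $((start_lba * 512))
}

# Mount the partition read-only through the loop device and hash every file.
# noexec,nodev keep anything on the evidence from being executed or used as a device.
mount_and_hash() {
    img="$1"; mnt="$2"; out="$3"; part="${4:-1}"
    off=$(partition_offset "$img" "$part") || { echo "no partition $part" >&2; return 1; }
    mount -t ntfs -o ro,noexec,nodev,loop,offset="$off" "$img" "$mnt" || return 1
    md5deep -r "$mnt" > "$out"
}

# Print md5deep lines whose hash appears in the known-bad list. md5deep writes
# "<md5>  <path>", so compare on the first field, ignoring case; blank lines
# and '#' comments in the list are skipped.
match_known_bad() {
    hashes="$1"; md5list="$2"
    awk 'FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) bad[tolower($1)] = 1; next }
         tolower($1) in bad' "$hashes" "$md5list"
}

# Usage (as root, placeholder paths):
#   mount_and_hash /media/sda/image.dd /media/image /media/sda/image.md5
#   match_known_bad known_bad.txt /media/sda/image.md5
```

Only the mount step needs root; the offset and matching functions work on the image file and text files alone, so they can be checked without mounting anything.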