Acquiring E01 Images Using Linux Ubuntu 12.04
When it comes to media acquisition using Linux, tools like Raptor and Paladin are hard to beat. These tools are able to boot the computer and acquire the internal devices all while write-blocking the devices. If a GUI acquisition tool for Linux is what you need then look no further, Guymager is it. But if you want total control of the acquisition process the programs contained in ewf-tools provide you just that, control.
Ewf-tools is a collection of tools for reading a writing ewf (expert witness format) files. When you install ewf-tools you are given access to the following programs: ewfacquire, ewfacquirestream, ewfexport, ewfinfo, and ewfverify. Ewfacquire and ewfacquirestream are used for acquisition/imaging of devices. Ewfexport is used to export media data stored in the E01 image. Ewfinfo shows the metadata stored in the image. And last, but not least, when you need to verify your E01, ewfverify can do it. We will discuss ewfacquire, ewfinfo and ewfverify. The Backtrack live DVD comes bundled with ewfacquire, but for the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.
The plan is to acquire/image a piece of media, using ewfacquire. We will then use ewfinfo to look at the metadata in the image, and lastly we use ewfverify to make sure that our image is valid and matches the data contained in the media.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Center. The tools that we will need to accomplish the task are md5sum and ewf-tools. Md5sum is included by default, so let's head over to the Ubuntu Software Center for the other tool(s).
Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type ewf-tools and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install.
Once ewf-tools is installed, close the Ubuntu Software Center. The next step is to prepare a working folder for our files. Go to your desktop, right click on your desktop and select “create new folder”, name it “Test”.
For the procedures I will be using a 256MB Flash Drive. I chose a smaller device so that we can complete the procedures in less time. The procedures should be the same regardless of the size of the media that you are acquiring. Also, it should not matter what data is contained in your media. The only thing that matters is that when we are done acquiring and validating the image, your media and image should have matching md5's.
I connected the drive to a previously validated usb hardware write-blocker and then connected the write blocker to a usb port on my examination computer.
If you do not have a write-blocker handy, you do not have to use one, just remember to never connect evidence media to a computer without the use of a previously validated write-blocking procedure.
Make sure your test media is inserted into the computer and open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal.”
Once the terminal window is open, Type the following into the terminal to determine which letter Ubuntu assigned to the test media.
sudo fdisk -l
Fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the partition table. Sudo gives fdisk superuser privileges for the operation. Press enter and type your root password (if needed).
Ubuntu assigned the test media as SDB. SDB1 is the partition currently stored on the media. Now that we know the media's drive assignment, type the following into the terminal to conduct and MD5 sum of the media.
sudo md5sum /dev/sdb
Depending on the size of your media, the md5sum may take minutes or hours. It only took two minutes to receive results for my 256MB drive. These are my results.
The MD5 of the media is 2d0dc508fe22d4e54a09d53a73ea99cb. Take a moment to write it down or copy it to a txt file inside of the Test folder on your Desktop. Save the MD5 in case you have to refer back to it at a later time. I went ahead and copied it to the Test folder into a txt file named 256MbImage.MD5.txt.
Now navigate to the previously created Test folder on the desktop. We will use the CD command to change directory into the desktop. Type the following into the terminal.
Replace “carlos” with the name of the user account you are currently logged on as. After doing so, press enter.
carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/
The dollar sign after Test indicates that “Test” is your current directory, exactly what we wanted. The command pwd prints the path of your current directory. Type pwd and press enter. Sweep and copy the path of your directory. We will be pasting this path into ewfacquire so that we can direct the acquisition to the Test folder.
Now it's time to call ewfacquire. Type the following into the terminal to point ewfacquire to the physical media that we intend to acquire. Press enter and type your root password (if needed).
sudo ewfacquire /dev/sdb
Ewfacquire opens and immediately asks you for a path to store the image. This is where you will paste the path to the Test folder plus an image filename (/home/carlos/Desktop/Test/256MbImage).
After pressing enter, you will be allowed to enter the case number, description, evidence number, examiner name, and notes. You will be allowed to type the information into these fields one at a time, pressing enter to fill in the following field. If you make a mistake, press “ctrl” and “c” at the same time to exit the acquisition and start again.
The next set of options are media type, media characteristics, compression, EWF file format, start to acquire at offset, the amount of bytes to acquire, evidence segment file size in bytes, the amount of bytes per sector, the amount of sectors to read at once, the amount of sectors to be used as error granularity, the amount of retries when a read error occurs, and wipe sectors on read error.
Ewfacquire offers defaults for each one of these options. Here is where you can decide to change the defaults or leave them. I only changed, “media characteristics” from logical to physical and “use compression” from none to best. I changed these options by typing in the words “physical” and “best.”
Ewfacquire will give you one last chance to see the acquiry parameters provided, followed by, continue acquiry with these values (yes, no) [yes]: "Yes" is the default. Simply press enter and the acquisition will begin.
When the imaging is complete, ewfaquire will provide you with the MD5 hash that was calculated over the test media:
Notice, the MD5 matches the MD5 that we previously conducted over test media /dev/sdb.
Now type “ls -lh” into the terminal and press enter, to see if the acquired image is in the Test folder. LS is the list files command. The flag -l uses a long listing format, and the flag -h prints the file's size in human readable format.
Yes, we have an E01 image inside of the test folder, along with my previously created txt file contaning the md5. My image compressed down to 462Kb.
Now lets use ewfinfo to look at the metadata inside of the E01. Type the following into the terminal followed by enter.
Ewfinfo prints the metadata contained inside of the E01.
Now lets use ewfverify to verify the integrity of the image and to compare the contents of the image to the data on the test media. Type the following into the terminal followed by enter.
Ewfverify Success! We have matching MD5's. The acquisition and verification were successful.
These tools when used separately, give you complete control of the imaging and verification of your acquired images.
If these procedures worked for your case, and you are able to use them in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article firstname.lastname@example.org.