Computer Forensics World :: View topic - Extraction of Forensic images in Linux
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Sat Jan 11, 2014 12:50 pm    Post subject: Extraction of Forensic images in Linux

Hi,

Can we extract forensic images like E01 and AD1 using FTK Imager or any other tool in Linux? If anyone knows how to do that, please suggest.

Any help would be appreciated. Thanks in advance.

Thanks
Ajeet
athulin
Newbie
Joined: Oct 19, 2007
Posts: 241

Posted: Sat Jan 11, 2014 6:23 pm    Post subject: Re: Extraction of Forensic images in Linux

Ajeet129 wrote:
> Can we extract forensic images like E01 and AD1 using FTK Imager or any other tool in Linux? If anyone knows how to do that, please suggest.

You are, I presume, referring to live imaging? I suggest visiting the forensicswiki, the section 'Disk Imaging'.
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Sun Jan 12, 2014 4:19 pm    Post subject: Extraction of Forensic images in Linux

I am talking about extraction of forensic images. I can easily create the image but am having trouble with extraction; I can do it easily on the Windows platform but need help with how to perform it on the Linux platform with a command-line program.

Thanks in advance.

Ajeet
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Mon Jan 13, 2014 12:35 am

Also covered on the same page on the wiki. But you can also look up info on libewf for EWF format images, or go to AccessData for information on their command line tool.
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Mon Jan 13, 2014 4:47 am    Post subject: Re: Extraction of Forensic images in Linux

Hi,

I already checked everywhere and couldn't find the information. Everywhere I am finding how to create images, whereas my need is just to extract an image to my network location. FTK Imager says this:

./ftkimager: /usr/lib64/libstdc++.so.6: version `GLIBCXX_3.4.15' not found (required by ./ftkimager)

./ftkimager: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by ./ftkimager)

Thanks,
Ajeet
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Mon Jan 13, 2014 5:04 am

You have a forensic image so you do not taint the evidence. You would typically use a forensic tool to examine the evidence in the forensic image and then create a report that may include files from the image.

You might also use your forensic tool to extract files, say a mailbox file, to examine in another tool.

Is that what you are trying to do?
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Mon Jan 13, 2014 5:49 pm    Post subject: Re: Extraction of Forensic images in Linux

Exactly. But I need to know what tool I can use in Linux, because it's easy to do in Windows, but my requirement is to do it in Linux, and FTK is giving me trouble. Any other tool, even if it's paid, would be fine if I can get detailed information on how to install it and how exactly I can extract the physical files from images. That would be a big help.

Thanks,
Ajeet Tiwari
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Mon Jan 13, 2014 9:56 pm

OK. I believe we are getting to what you really want to do. Rather than "install" a tool, you should use a live Linux environment such as The Sleuthkit/Autopsy (or any of the other live Linux forensic environments such as CAINE, DEFT, etc.) to perform that type of task.

All of those environments have extensive documentation.
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Wed Jan 15, 2014 8:04 am    Post subject: Re: Extraction of Forensic images in Linux

I am unable to find good documentation which tells how to extract the images, for example:

XXX b$ Sleuthkit ~/Desktop/JohnKeeneNewportLaptop.E01

If you could help me with the way I can mount it and then extract it onto the network, it would be really helpful.

Thanks in advance.

Ajeet
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Jan 15, 2014 11:38 am

Ajeet - where would I even begin? Do you have any experience with Linux? Have you created mount points? Do you have the E01 mounted using the previously mentioned libewf? Do you have the network share mounted? Are you just extracting logical files? Are you performing data carving? So many questions, so little time.
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Thu Jan 16, 2014 2:17 am    Post subject: Re: Extraction of Forensic images in Linux

Thanks for your response. To be honest, I am a Windows guy, but I have a little knowledge of Linux. The issue I encountered is that I can't extract the image, because most forensic images come in multiple parts and I was able to read just one file.

atiwari:bin b$ ewfinfo ~/Desktop/JohnKeeneNewportLaptop.E01
ewfinfo 20100226 (libewf 20100226, libuna 20091031, libbfio 20091114, zlib 1.2.5, libcrypto 1.0.0)

libewf_segment_table_build: unable to find the last segment file.
libewf_handle_open_file_io_pool: unable to build segment table.
libewf_handle_open: unable to open handle using a file io pool.
libewf_open: unable to create handle.
Unable to open EWF file(s)
info_handle_open_input: unable to open file(s).

If you know how I can deal with all the files and mount them, that would be a big help.

We are just extracting the images.

Thanks,
Ajeet Tiwari
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Jan 16, 2014 2:04 pm

libewf will do what you are asking:

ewfmount imagename.E01 mount_point

As long as all the parts of the EWF are present in the directory, ewfmount will assemble all the parts.

Once it is mounted, browse the mounted image and extract your files.

Have you verified the image to make sure it is complete?

ewfverify imagename.E01
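The ewfmount and ewfverify steps from the reply above, assembled into one complete procedure, as an added example that is not part of the original thread, of libewf's documentation, or of any of the posters' own commands. It assumes libewf (ewfverify, ewfmount), The Sleuth Kit (mmls), a Linux host with root for the loop mount, and a network share already mounted at the destination path; the image path, partition row, mount points and share path are placeholders, and the mmls output used by the offset helper is constructed sample text. The segment check addresses the "unable to find the last segment file" error posted earlier in the thread, which is what libewf reports when a segment of a multi-part image is not in the same directory as the .E01:

```shell
#!/bin/sh
# Added example (not from the thread): mount a multi-segment E01 image on
# Linux with libewf, check its integrity, loop-mount one partition read-only
# and copy the files to a network share. Paths, the partition row and the
# share are placeholders; sample_mmls is constructed sample text.
set -eu

# libewf needs every segment (.E01, .E02, ...) in the same directory; if one
# is missing it fails with "unable to find the last segment file". This walks
# the numeric segments, prints how many it found and returns 1 on a gap.
# Assumption: segments are named .E01-.E99 (images split into more than 99
# segments continue with letter suffixes, which are not enumerated here).
check_ewf_segments() {
    base="${1%.E01}"
    n=1
    found=0
    while [ "$n" -le 99 ]; do
        seg=$(printf '%s.E%02d' "$base" "$n")
        if [ ! -f "$seg" ]; then
            # The sequence ends here; any later segment means a gap.
            m=$((n + 1))
            while [ "$m" -le 99 ]; do
                if [ -f "$(printf '%s.E%02d' "$base" "$m")" ]; then
                    echo "missing segment: $seg" >&2
                    return 1
                fi
                m=$((m + 1))
            done
            break
        fi
        found=$((found + 1))
        n=$((n + 1))
    done
    echo "$found"
}

# Byte offset of the partition in mmls row $1 (e.g. 002), read from mmls
# output on stdin: start sector times the sector size mmls reports.
partition_offset() {
    awk -v row="$1" '
        /^Units are in/ { sub(/-byte.*/, "", $4); unit = $4 }
        $1 == (row ":") { printf "%d\n", $3 * unit; exit }
    '
}

# Constructed sample of mmls output for a disk with two NTFS partitions.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
EOF
}

# Full procedure (needs root for the loop mount; the share must already be
# mounted at $3): check segments, verify stored hashes, mount, copy, unmount.
extract_e01() {
    img="$1"    # e.g. /evidence/case01/laptop.E01
    row="$2"    # mmls row of the partition to extract, e.g. 002
    dest="$3"   # e.g. /mnt/share/case01, mounted beforehand

    check_ewf_segments "$img" >/dev/null
    ewfverify "$img"                  # stops here if the stored hash does not match
    mkdir -p /mnt/ewf /mnt/evidence
    ewfmount "$img" /mnt/ewf          # exposes the raw image as /mnt/ewf/ewf1
    off=$(mmls /mnt/ewf/ewf1 | partition_offset "$row")
    mount -o ro,loop,offset="$off" /mnt/ewf/ewf1 /mnt/evidence
    rsync -a /mnt/evidence/ "$dest"/
    umount /mnt/evidence
    fusermount -u /mnt/ewf
}
```

ewfmount exposes the assembled image as a single read-only file (ewf1), so the loop mount on top of it cannot write back into the evidence even if the filesystem driver wanted to; ewfverify recomputes the chunk checksums and compares the recomputed hash with the hash stored in the image, so keep its output with the extracted files as the record that the copy came from an intact image. The segment check only catches numbering gaps; a truncated or corrupt segment is what ewfverify is for. Note that libewf reads EWF formats (E01 and relatives) only: AD1 is AccessData's own logical image format, for which this thread offers nothing on Linux beyond AccessData's command-line tool.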
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Thu Jan 16, 2014 11:54 pm    Post subject: Re: Extraction of Forensic images in Linux

Hi,

Thanks once again for the reply.

I understand it might be very easy for you since you are a forensics guy and a Linux expert. But if you could give me the way to install it, how to mount the image, and what the command-line program to extract the files would be, it would be great. I am a Windows guy and work in the e-discovery industry, so now we have a client who has E01, AD1 and DD images and we need to extract the files onto the network so that the processing tool can do the job. We recently moved from Windows Server to Unix.

I have a team of experts, but they are new to the forensics world, so they are complaining that they can't do it, and I am trying to implement this process.

I really appreciate your response and help on this.

Thanks,
Ajeet Tiwari
PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Fri Jan 17, 2014 10:47 am

I posted the commands above, but here it is again: ewfmount imagename.E01 mount_point

If you do not understand the command, it is going to take way more than a few lines to explain how to use Linux.

So I ask, why do you need to use Linux if you are a Windows guy? Why not just use a Windows tool like FTK Imager?
Ajeet129
Newbie
Joined: Jan 10, 2014
Posts: 8

Posted: Sat Jan 18, 2014 1:11 am    Post subject: Re: Extraction of Forensic images in Linux

Since we have moved from Windows to Linux, our automation now supports Linux utilities. Currently we are manually extracting the files in FTK and then pushing them to the automation.

If I get a Linux tool which supports this, I can put it on the server and it will work with the automation; that's my requirement. My people had tried the mentioned tool and encountered the issue which I mentioned to you.

Maybe I am unable to explain the problem. Thanks for all your help. But I need something which helps with installation, or manual steps which I can provide to my guy who is going to use this.

Thanks once again,

Ajeet Tiwari
All times are GMT + 10 Hours
Page 1 of 2