When doing forensics, the challenge usually is how we can access data when there are restrictions on the ways we can access it. For instance, we recently acquired a Linux disk formatted using EXT3. The acquired disk is a raw image file that is easily mountable in Linux for review (yes, I'm not talking about forensic analysis tools). This command will mount the image read-only and we can do our analysis of the contents. Remember that when you are doing a "stat" or "ls" on a file, you'll want to use the "-n" option so that it doesn't use the local system's UID mappings and just displays the number associated with that file.

But what if you have to give that drive to someone so THEY can review the contents? And what if that person is a Windows-only person? Windows does not have a built-in method for mounting raw images, let alone understanding EXT3 filesystems. Thus, you have to think "outside the box".

The first thing I usually do is point someone at AccessData's FTK Imager or FTK Imager Lite. This program will take a raw image and provide read-only access to it. You can traverse the directory tree, review the contents in raw hex or browser view (careful with the latter), generate hashes, and export the files.

The second method is to get a combination of software to help Windows understand EXT2/3 and then mount the image. Ext2FSD is a program that will provide Windows with the driver to understand how to read the EXT2 and EXT3 file formats. You could use the Ext2Mount from that project if you like the command line. But I'm trying to provide access to people with limited command line knowledge. Therefore, mounting the image using OSFMount will provide them the access they need.
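
To make the "-n" advice concrete, here is an added example (not from the original post) that walks an image already mounted read-only and records each file's numeric UID:GID, mode, and SHA-256, so the listing does not depend on the analysis machine's account database. The function name `numeric_manifest` and the mount point `/mnt/evidence` are hypothetical, and GNU `stat` and `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example: numeric-ownership manifest of a mounted evidence image.
# Assumption: the raw image is already mounted read-only at a path such
# as /mnt/evidence (hypothetical). For EXT3, adding the "noload" mount
# option keeps the kernel from replaying the journal on a read-only mount.

numeric_manifest() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    (
        cd "$root" || exit 1
        # -xdev: stay on the mounted filesystem.
        # stat %u:%g prints the raw numeric IDs stored in the inode, the
        # same values "ls -n" shows, never names from the local passwd file.
        find . -xdev -type f -exec sh -c '
            for f do
                meta=$(stat -c "%u:%g %a" "$f") || continue
                # Hash via stdin so odd file names cannot alter the output.
                hash=$(sha256sum < "$f" | cut -d" " -f1)
                printf "%s %s %s\n" "$meta" "$hash" "$f"
            done' sh {} + | LC_ALL=C sort -k4
    )
}

# Stand-alone use: sh manifest.sh /mnt/evidence > manifest.txt
if [ "$#" -gt 0 ]; then
    numeric_manifest "$1"
fi
```

Each output line has the form `uid:gid mode sha256 ./relative/path`, sorted by path, so two reviewers can diff their manifests directly.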