Merge pull request #1173 from HackTricks-wiki/research_update_src_generic-methodologies-and-resources_basic-forensic-methodology_image-acquisition-and-mount_20250723_014117

carlospolop · web-flow · commit 599068e93de6 · 2025-07-23T11:05:51.000+02:00
Research Update Enhanced src/generic-methodologies-and-resou...
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md
@@ -5,114 +5,173 @@
 
 ## Acquisition
 
+> Always acquire **read-only** and **hash while you copy**. Keep the original device **write-blocked** and work only on verified copies.
+
 ### DD
 
 ```bash
-#This will generate a raw copy of the disk
-dd if=/dev/sdb of=disk.img
+# Generate a raw, bit-by-bit image (no on-the-fly hashing)
+dd if=/dev/sdb of=disk.img bs=4M status=progress conv=noerror,sync
+# Verify integrity afterwards
+sha256sum disk.img > disk.img.sha256
+```
+
+### dc3dd / dcfldd
+
+`dc3dd` is the actively maintained fork of dcfldd (DoD Computer Forensics Lab dd).
+
+```bash
+# Create an image and calculate multiple hashes at acquisition time
+sudo dc3dd if=/dev/sdc of=/forensics/pc.img hash=sha256,sha1 hashlog=/forensics/pc.hashes log=/forensics/pc.log bs=1M
+```
+
+### Guymager  
+Graphical, multithreaded imager that supports **raw (dd)**, **EWF (E01/EWFX)** and **AFF4** output with parallel verification. Available in most Linux repos (`apt install guymager`).
+
+```bash
+# Start in GUI mode
+sudo guymager
+# Or acquire from CLI (since v0.9.5)
+sudo guymager --simulate --input /dev/sdb --format EWF --hash sha256 --output /evidence/drive.e01
 ```
 
-### dcfldd
+### AFF4 (Advanced Forensics Format 4)
+
+AFF4 is Google’s modern imaging format designed for *very* large evidence (sparse, resumable, cloud-native).
 
 ```bash
-#Raw copy with hashes along the way (more secur as it checks hashes while it's copying the data)
-dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
-dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
+# Acquire to AFF4 using the reference tool
+pipx install aff4imager
+sudo aff4imager acquire /dev/nvme0n1 /evidence/nvme.aff4 --hash sha256
+
+# Velociraptor can also acquire AFF4 images remotely
+velociraptor --config server.yaml frontend collect --artifact Windows.Disk.Acquire --args device="\\.\\PhysicalDrive0" format=AFF4
 ```
 
-### FTK Imager
+### FTK Imager (Windows & Linux)
+
+You can [download FTK Imager](https://accessdata.com/product-download) and create **raw, E01 or AFF4** images:
+
+```bash
+ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 \
+          --description 'Laptop seizure 2025-07-22' --examiner 'AnalystName' --compress 6
+```
 
-You can [**download the FTK imager from here**](https://accessdata.com/product-download/debian-and-ubuntu-x64-3-1-1).
+### EWF tools (libewf)
 
 ```bash
-ftkimager /dev/sdb evidence --e01 --case-number 1 --evidence-number 1 --description 'A description' --examiner 'Your name'
+sudo ewfacquire /dev/sdb -u evidence -c 1 -d "Seizure 2025-07-22" -e 1 -X examiner --format encase6 --compression best
 ```
 
-### EWF
+### Imaging Cloud Disks
 
-You can generate a disk image using the[ **ewf tools**](https://github.com/libyal/libewf).
+*AWS* – create a **forensic snapshot** without shutting down the instance:
 
 ```bash
-ewfacquire /dev/sdb
-#Name: evidence
-#Case number: 1
-#Description: A description for the case
-#Evidence number: 1
-#Examiner Name: Your name
-#Media type: fixed
-#Media characteristics: physical
-#File format: encase6
-#Compression method: deflate
-#Compression level: fast
-
-#Then use default values
-#It will generate the disk image in the current directory
+aws ec2 create-snapshot --volume-id vol-01234567 --description "IR-case-1234 web-server 2025-07-22"
+# Copy the snapshot to S3 and download with aws cli / aws snowball
 ```
 
+*Azure* – use `az snapshot create` and export to a SAS URL.  See the HackTricks page {{#ref}}
+../../cloud/azure/azure-forensics.md
+{{#endref}}
+
+
 ## Mount
 
-### Several types
+### Choosing the right approach
 
-In **Windows** you can try to use the free version of Arsenal Image Mounter ([https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)) to **mount the forensics image**.
+1. Mount the **whole disk** when you want the original partition table (MBR/GPT).
+2. Mount a **single partition file** when you only need one volume.
+3. Always mount **read-only** (`-o ro,norecovery`) and work on **copies**.
 
-### Raw
+### Raw images (dd, AFF4-extracted)
 
 ```bash
-#Get file type
-file evidence.img
-evidence.img: Linux rev 1.0 ext4 filesystem data, UUID=1031571c-f398-4bfb-a414-b82b280cf299 (extents) (64bit) (large files) (huge files)
+# Identify partitions
+fdisk -l disk.img
+
+# Attach the image to a network block device (does not modify the file)
+sudo modprobe nbd max_part=16
+sudo qemu-nbd --connect=/dev/nbd0 --read-only disk.img
 
-#Mount it
-mount evidence.img /mnt
+# Inspect partitions
+lsblk /dev/nbd0 -o NAME,SIZE,TYPE,FSTYPE,LABEL,UUID
+
+# Mount a partition (e.g. /dev/nbd0p2)
+sudo mount -o ro,uid=$(id -u) /dev/nbd0p2 /mnt
 ```
 
-### EWF
+Detach when finished:
+```bash
+sudo umount /mnt && sudo qemu-nbd --disconnect /dev/nbd0
+```
+
+### EWF (E01/EWFX)
 
 ```bash
-#Get file type
-file evidence.E01
-evidence.E01: EWF/Expert Witness/EnCase image file format
-
-#Transform to raw
-mkdir output
-ewfmount evidence.E01 output/
-file output/ewf1
-output/ewf1: Linux rev 1.0 ext4 filesystem data, UUID=05acca66-d042-4ab2-9e9c-be813be09b24 (needs journal recovery) (extents) (64bit) (large files) (huge files)
-
-#Mount
-mount output/ewf1 -o ro,norecovery /mnt
+# 1. Mount the EWF container
+mkdir /mnt/ewf
+ewfmount evidence.E01 /mnt/ewf
+
+# 2. Attach the exposed raw file via qemu-nbd (safer than loop)
+sudo qemu-nbd --connect=/dev/nbd1 --read-only /mnt/ewf/ewf1
+
+# 3. Mount the desired partition
+sudo mount -o ro,norecovery /dev/nbd1p1 /mnt/evidence
 ```
 
-### ArsenalImageMounter
+Alternatively convert on the fly with **xmount**:
 
-It's a Windows Application to mount volumes. You can download it here [https://arsenalrecon.com/downloads/](https://arsenalrecon.com/downloads/)
+```bash
+xmount --in ewf evidence.E01 --out raw /tmp/raw_mount
+mount -o ro /tmp/raw_mount/image.dd /mnt
+```
 
-### Errors
+### LVM / BitLocker / VeraCrypt volumes
 
-- **`cannot mount /dev/loop0 read-only`** in this case you need to use the flags **`-o ro,norecovery`**
-- **`wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.`** in this case the mount failed due as the offset of the filesystem is different than that of the disk image. You need to find the Sector size and the Start sector:
+After attaching the block device (loop or nbd):
 
 ```bash
-fdisk -l disk.img
-Disk disk.img: 102 MiB, 106954648 bytes, 208896 sectors
-Units: sectors of 1 * 512 = 512 bytes
-Sector size (logical/physical): 512 bytes / 512 bytes
-I/O size (minimum/optimal): 512 bytes / 512 bytes
-Disklabel type: dos
-Disk identifier: 0x00495395
-
-Device        Boot Start    End Sectors  Size Id Type
-disk.img1       2048 208895  206848  101M  1 FAT12
+# LVM
+sudo vgchange -ay               # activate logical volumes
+sudo lvscan | grep "/dev/nbd0"
+
+# BitLocker (dislocker)
+sudo dislocker -V /dev/nbd0p3 -u -- /mnt/bitlocker
+sudo mount -o ro /mnt/bitlocker/dislocker-file /mnt/evidence
 ```
 
-Note that sector size is **512** and start is **2048**. Then mount the image like this:
+### kpartx helpers
+
+`kpartx` maps partitions from an image to `/dev/mapper/` automatically:
 
 ```bash
-mount disk.img /mnt -o ro,offset=$((2048*512))
+sudo kpartx -av disk.img  # creates /dev/mapper/loop0p1, loop0p2 …
+mount -o ro /dev/mapper/loop0p2 /mnt
 ```
 
+### Common mount errors & fixes
 
-{{#include ../../banners/hacktricks-training.md}}
+| Error | Typical Cause | Fix |
+|-------|---------------|-----|
+| `cannot mount /dev/loop0 read-only` | Journaled FS (ext4) not cleanly unmounted | use `-o ro,norecovery` |
+| `bad superblock …` | Wrong offset or damaged FS | calculate offset (`sector*size`) or run `fsck -n` on a copy |
+| `mount: unknown filesystem type 'LVM2_member'` | LVM container | activate volume group with `vgchange -ay` |
+
+### Clean-up
 
+Remember to **umount** and **disconnect** loop/nbd devices to avoid leaving dangling mappings that can corrupt further work:
 
+```bash
+umount -Rl /mnt/evidence
+kpartx -dv /dev/loop0  # or qemu-nbd --disconnect /dev/nbd0
+```
 
+
+## References
+
+- AFF4 imaging tool announcement & specification: https://github.com/aff4/aff4  
+- qemu-nbd manual page (mounting disk images safely): https://manpages.debian.org/qemu-system-common/qemu-nbd.1.en.html
+
+{{#include ../../banners/hacktricks-training.md}}
