FYI - Running plaso on mounted image in Windows


David Nides

Apr 26, 2013, 7:29:30 PM
to log2timeli...@googlegroups.com, log2time...@googlegroups.com
FYI -

In Windows I commonly use disk mounting utilities such as imdisk or ftkimager to mount disk images that are unsupported directly by plaso (e.g. E01, encrypted disk, split DD). Subsequently I then run plaso against that mount point. In the course of processing it was observed in the debug information that certain system files such as registry hives could not be parsed due to "Permission denied" errors.

Based on some quick testing I have found that if you execute plaso or 4n6time "As Administrator" it will simply fix this issue.

Note any time you are running plaso against a mounted disk image you will also want to make sure pre-process is enabled. This allows plaso to automatically attempt to determine the OS version and the appropriate list of parsers. Regardless of the OS version you can always specify certain parsers via Filters as well.

Also, I have not tested but I suspect this is not an issue if the disk mounting utility supports mounting as a "Network Share". I don't have EnCase or MIP on this computer to test but it would be nice if someone could confirm.

Snippet of log:

[PreProcess] Set attribute: sysregistry to WINDOWS\system32\config
Unable to run preprocessor: WinVersion, reason: Unable to open file: WINDOWS\system32\config\
software [[OsFile] Unable to open the file: F:\WINDOWS\system32\config\software, error: [Errno 13] Permission denied: u'F:\\WINDOWS\\system32\\config\\software'] - attribute [osversion] not set
Opening file: F:\WINDOWS\system32\config\
system [OS]
[PreProcess] Set attribute: current_control_set to ControlSet001
Unable to run preprocessor: WinUsers, reason: Unable to open file: WINDOWS\system32\config\
software [[OsFile] Unable to open the file: F:\WINDOWS\system32\config\software, error: [Errno 13] Permission denied: u'F:\\WINDOWS\\system32\\config\\software'] - attribute [users] not set
Opening file: F:\WINDOWS\system32\config\
system [OS]
[PreProcess] Set attribute: code_page to cp1252
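As an added example (not code from the original post or from plaso itself), the following Python script triages log output of the kind quoted above: it re-joins the wrapped lines, extracts which preprocessor could not open which file with which errno, lists the attributes that therefore stayed unset, and offers a pre-flight check that tries to open the same hives on the mount point before plaso is run. The log pattern, the hive list and the function names are assumptions derived from the snippet, not from plaso's source.

```python
"""Triage plaso pre-process output for "Permission denied" failures.

Added example for this thread, not code from plaso or from any poster.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Pattern for one re-joined failure record; an assumption derived from the
# quoted snippet, not taken from plaso's source.
_FAILURE_RE = re.compile(
    r"Unable to run preprocessor: (?P<preprocessor>\w+), reason: "
    r".*?Unable to open the file: (?P<path>[^,]+), error: "
    r"\[Errno (?P<errno>\d+)\] (?P<message>[^:]+):"
    r".*?attribute \[(?P<attribute>\w+)\] not set"
)

# A line that starts with one of these begins a new record; anything else is
# the continuation of a record the log wrapped onto a second physical line.
_RECORD_STARTS = ("[", "Unable to", "Opening file")


@dataclass
class PreprocessFailure:
    preprocessor: str
    path: str
    errno: int
    message: str
    attribute: str


def _join_wrapped_lines(text: str) -> List[str]:
    """Glue continuation lines (e.g. "software [[OsFile] ...") onto the record before them."""
    records: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if records and not stripped.startswith(_RECORD_STARTS):
            records[-1] += stripped
        else:
            records.append(stripped)
    return records


def parse_preprocess_log(text: str) -> List[PreprocessFailure]:
    """Return one entry per preprocessor that failed to open its input file."""
    failures = []
    for record in _join_wrapped_lines(text):
        match = _FAILURE_RE.search(record)
        if match:
            failures.append(PreprocessFailure(
                preprocessor=match["preprocessor"],
                path=match["path"],
                errno=int(match["errno"]),
                message=match["message"].strip(),
                attribute=match["attribute"],
            ))
    return failures


def unset_attributes(failures: List[PreprocessFailure]) -> List[str]:
    """Attributes the pre-process stage could not populate, in log order, de-duplicated."""
    seen: List[str] = []
    for failure in failures:
        if failure.attribute not in seen:
            seen.append(failure.attribute)
    return seen


def preflight_open(mount_root: str, relative_paths: List[str]) -> List[Tuple[str, str]]:
    """Try to read each file as plaso would; return (relative path, exception name) for failures.

    A PermissionError here is the same "[Errno 13]" the quoted log shows and
    means the mount or the launching shell needs more privilege; a missing
    file is reported too, since it changes what pre-process can determine.
    """
    problems = []
    for rel in relative_paths:
        try:
            with open(os.path.join(mount_root, rel), "rb") as handle:
                handle.read(4)  # a short read is enough to trip a lock or ACL denial
        except OSError as exc:
            problems.append((rel, type(exc).__name__))
    return problems


# Constructed sample: the lines quoted in the thread, reproduced as data.
SAMPLE_LOG = r"""
[PreProcess] Set attribute: sysregistry to WINDOWS\system32\config
Unable to run preprocessor: WinVersion, reason: Unable to open file: WINDOWS\system32\config\
software [[OsFile] Unable to open the file: F:\WINDOWS\system32\config\software, error: [Errno 13] Permission denied: u'F:\\WINDOWS\\system32\\config\\software'] - attribute [osversion] not set
Opening file: F:\WINDOWS\system32\config\
system [OS]
[PreProcess] Set attribute: current_control_set to ControlSet001
Unable to run preprocessor: WinUsers, reason: Unable to open file: WINDOWS\system32\config\
software [[OsFile] Unable to open the file: F:\WINDOWS\system32\config\software, error: [Errno 13] Permission denied: u'F:\\WINDOWS\\system32\\config\\software'] - attribute [users] not set
Opening file: F:\WINDOWS\system32\config\
system [OS]
[PreProcess] Set attribute: code_page to cp1252
"""

# Hives the quoted log shows pre-process opening; the list is an assumption.
REGISTRY_HIVES = [
    os.path.join("WINDOWS", "system32", "config", "software"),
    os.path.join("WINDOWS", "system32", "config", "system"),
]


def preflight_demo() -> List[Tuple[str, str]]:
    """Run the pre-flight check on a constructed mount that only has the 'software' hive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS", "system32", "config"))
        with open(os.path.join(root, REGISTRY_HIVES[0]), "wb") as handle:
            handle.write(b"regf")  # constructed placeholder content, not a real hive
        return preflight_open(root, REGISTRY_HIVES)


if __name__ == "__main__":
    found = parse_preprocess_log(SAMPLE_LOG)
    for failure in found:
        print(f"{failure.preprocessor}: {failure.path} -> errno {failure.errno} "
              f"({failure.message}); attribute {failure.attribute!r} not set")
    print("unset attributes:", unset_attributes(found))
    print("pre-flight problems:", preflight_demo())
```

Run it against the real log and mount point by feeding the log text to parse_preprocess_log and the drive letter of the mount to preflight_open; any attribute reported as unset (osversion, users) is one that the automatic parser selection the thread describes could not use, which is the practical reason to fix the mount before building the timeline.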

Paolo Dal Checco

Apr 27, 2013, 1:15:37 PM
to David Nides, log2timeli...@googlegroups.com, log2time...@googlegroups.com
Hi David,

in FTK Imager, did you try mounting the image with the "File System / Read Only" Mount Method instead of the default "Block Device / Read Only"? That should solve the permission issue and let you - and PLASO - access every file on the filesystem, including those protected by ownership or Windows locks.

I've not used PLASO or 4n6time on Windows yet, so I'm not sure if the above solution works, but you might give it a try and let us know. :-)

KR
Paolo
-- 
Dr. Paolo Dal Checco, Forensic Computer Consultant
Digital Forensics Bureau - Studio Associato
Tel +390110438192   Fax +390113975327 Cell +393496008809
Strada del Portone 10, 10095 Grugliasco (TORINO)
Email: pa...@dalchecco.it - PEC: paolo.d...@cert.dag.it
Web: www.dalchecco.it / www.difob.it - Skype: paolo.dalchecco
--
You received this message because you are subscribed to the Google Groups "log2timeline-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to log2timeline-dis...@googlegroups.com.
To post to this group, send email to log2timeli...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


M. Orinoco

Nov 6, 2013, 7:26:10 PM
to log2timeli...@googlegroups.com, log2time...@googlegroups.com
Hi all. Not sure if this has been discussed or not, but I'll give my 2 cents based upon my experience thus far with mounting E01 images from FTK on a Win7 machine. I have observed that you do get access is denied after mounting the image via FTK. My solution is to open cmd.exe as Admin, go to Task Manager, kill explorer.exe, and then type explorer.exe in the cmd window and enter. This will give you a new explorer shell with elevated privs. After this you can view the contents of all the folders of the mounted image without getting the access is denied error message.

I am new to plaso, but have been using log2timeline in the SIFT for a while, which is easy as the install is there already. However, I want to get this working in Win7 natively but seem to be struggling a bit getting it to work.

I do have a request, if someone will be so generous... here is my situation: I have mounted the EWF image via FTK to E:\, now I want to do a kitchen sink parse of the mounted image with l2t and dump the output to a .csv file. However, I just can't seem to get it going.

Any chance someone can give me a nudge here to get me going? Thank you.

Joachim Metz

Nov 7, 2013, 10:23:20 AM
to log2time...@googlegroups.com, log2timeli...@googlegroups.com
E01 support is something we are working on. Apparently you're running into Windows locking preventing access to files. As long as you're using the OS file system support you can run into these issues. I'm working on a ewfmount version that has dokan (Windows) support, but maybe the older mount_ewf.py for Windows can help you there, by just exposing the E01 as a RAW image.



fpi

Nov 8, 2013, 4:31:57 AM
to log2timeli...@googlegroups.com
You could try ArsenalImageMounter.

Note: I've downloaded the binaries and not compiled it by myself.
If I did spot it right, it uses the great Joachim's libewf, even
if (as I said) I did not check which version.

Paolo Dal Checco

Nov 8, 2013, 6:51:10 AM
to francesc...@gmail.com, log2timeli...@googlegroups.com
Good suggestion, Francesco. Another trick the OP may want to try is
mounting, via FTK Imager, with the mount method listbox set to "File
System/Read Only" instead of the default "Block Device/Read Only".

This will prevent the "access denied" error, but I'm afraid the parser
might miss some of the filesystem metadata ($MFT, etc...) the normal
block device mount gives you access to.

Please, let us know if it works.

--
Dr. Paolo Dal Checco, Forensic Computer Consultant
Digital Forensics Bureau - Studio Associato
Tel +390110438192 Fax +390113975327 Cell +393496008809
Strada del Portone 10, 10095 Grugliasco (TORINO)
Email: pa...@dalchecco.it - PEC: paolo.d...@cert.dag.it
Web: www.dalchecco.it / www.difob.it - Skype: paolo.dalchecco
