Recognizing Unrecognized File Systems using Linux Ubuntu 12.10
You have just received an image of a dual-boot system. You add the image to your preferred forensic suite only to discover that the Linux partition of the image is not being recognized. You immediately wonder: “I know so-and-so can read extended 4! The other volume is not encrypted! What’s going on?”
That became my scenario just recently. The user in this case was not running encryption. This savvy user instead chose to install Linux on a relatively new file system. One that, as of the time of this writing, was not supported by any of the big three forensic suites. I wrote this article to discuss old techniques of identifying file systems and in the process, use that newer file system’s native environment (Linux) to mount it and read it. We will do this using free open source software.
To simulate the scenario, I partitioned a 64GB thumb drive into two volumes, NTFS and the unrecognized file system. Each one of the volumes contains only one text file. You can find the E01 of the thumb drive here. Feel free to download it and follow along. Test your forensic suite with this image. For the purposes of this article I used an examination computer with Ubuntu 12.10 installed on it. Let’s get started.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Center. The tools that we will need to accomplish this task are mount, xmount and the sleuthkit. Mount comes pre-installed in Ubuntu, so head over to the Ubuntu Software Center for xmount and the sleuthkit.
Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-right corner of your screen. Type “xmount” and click on the install button. You will be prompted for your root password. Enter your root password and wait for the program to install. Follow the same procedure to install sleuthkit. If you need assistance installing these tools, please go to the “Installing the Tools” section of this article here.
It is now time to begin the examination. I added the E01 image of the “Dual Boot” (in fact, the E01 image of the 64GB thumb drive) to the root of a USB drive and inserted the drive into a USB port on my examination computer. External media gets mounted under the media directory.
Open a Terminal window and type the following into the terminal to determine how your external media was mounted.
Notice that my external media was mounted under the “/media/carlos” directory as “USB_DRIVE”.
Now we need to navigate to the E01 file on the external media. We will use the cd command to change directory into the external media. Type the following into the terminal.
Replace “carlos” with your username and also replace “USB_DRIVE/” with the directory name assigned to your external media. After doing so, press enter.
Type “ls -l” and press enter. ls is the list files command. The flag -l uses a long listing format.
Notice that we are in the root of my external media and yes, I have the E01 file of the thumb drive that contains the two volumes.
Since this image is in the E01 format, the first thing that we need to do is convert it to a DD, on the fly, using xmount. This procedure may require a couple of tries if this is your first time doing it. For that reason, we have taken the time to show all of the steps required in the article titled “Mounting E01 images of physical disks in Linux Ubuntu.” Find the article here.
Once you have converted the E01 to a DD, navigate to it. Mine was converted into the /mnt/xmount directory.
The next step is to determine the starting sector offset into our volumes. We already know that we have one NTFS volume and one unidentified volume. To determine the starting sectors to our volumes we will use the sleuthkit tool mmls. Mmls is a tool that can display the partition layout of a volume system (partition tables). Type the following into the terminal and press enter. The flag -a is to show allocated volumes, and the flag -B is to include a column with the partition sizes in bytes.
sudo mmls -aB 64GB_2VOL.dd
Mmls is reporting that the linux volume starts at sector offset 63488. The volume contained at starting sector 63488 is the volume that my forensic suite failed to recognize. Let’s see if Linux is able to recognize it. To determine the type of file system contained in this volume, type the following command.
sudo img_cat -s 63488 64GB_2VOL.dd | file -
img_cat is a sleuthkit command that outputs the contents of an image file. The flag -s tells img_cat to start reading at sector offset 63488, which in this instance is the start of my Linux volume, and 64GB_2VOL.dd is the raw image. The “|” is known as a pipe. A pipe is a technique in Linux for passing the output of one program to another as its input. file is the command to determine the file type. The dash following file (“-”) tells file to read from its standard input, which the pipe has connected to the output of img_cat, rather than from a named file.
file is reporting that the volume at sector offset 63488 is a BTRFS file system. file is also reporting that the file system’s label is “Lin” and that its sector size is 4096 bytes.
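As an added example (not part of the original article), the following shell script does by hand what the “img_cat -s 63488 image | file -” pipeline does above: it converts the mmls sector offset to bytes and reads the on-disk magic values of BTRFS, NTFS and ext2/3/4 at their documented superblock positions. The image it inspects is constructed in the script itself (zeros plus the magic bytes), so it does not need the E01 from the article; the sector positions 0, 10, 40 and 100 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the article's own code: identify the file system of a
# volume inside a raw (dd) image from its superblock magic bytes.
# Magic values are the published on-disk constants; the demo image is constructed.

# Convert a sector offset (as printed by mmls) to bytes; default sector size 512.
sector_to_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# Print LENGTH bytes found at BYTE_OFFSET of IMAGE as a lowercase hex string.
read_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

BTRFS_MAGIC=$(printf '_BHRfS_M' | od -An -tx1 -v | tr -d ' \n')  # btrfs superblock magic
NTFS_OEM=$(printf 'NTFS' | od -An -tx1 -v | tr -d ' \n')         # NTFS boot sector OEM id
EXT_MAGIC=53ef                                                   # 0xEF53, little-endian

# fs_type IMAGE SECTOR_OFFSET [SECTOR_SIZE] -> btrfs | ntfs | ext2/3/4 | unknown
fs_type() {
    start=$(sector_to_bytes "$2" "$3")
    # btrfs: primary superblock 64 KiB into the volume, magic at +0x40 of it
    if [ "$(read_hex "$1" $((start + 65536 + 64)) 8)" = "$BTRFS_MAGIC" ]; then
        echo btrfs; return
    fi
    # NTFS: "NTFS    " OEM id at byte 3 of the boot sector
    if [ "$(read_hex "$1" $((start + 3)) 4)" = "$NTFS_OEM" ]; then
        echo ntfs; return
    fi
    # ext2/3/4: superblock 1024 bytes into the volume, magic at +0x38 of it
    if [ "$(read_hex "$1" $((start + 1024 + 56)) 2)" = "$EXT_MAGIC" ]; then
        echo ext2/3/4; return
    fi
    echo unknown
}

# Build a small constructed image (not a real disk): 200 zero sectors with an
# NTFS OEM id at sector 0, a btrfs magic in a volume starting at sector 10 and
# an ext magic in a volume starting at sector 40. Prints the image path.
make_demo_image() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=512 count=200 2>/dev/null
    printf 'NTFS    ' | dd of="$img" bs=1 seek=3 conv=notrunc 2>/dev/null
    printf '_BHRfS_M' | dd of="$img" bs=1 seek=$((10 * 512 + 65536 + 64)) conv=notrunc 2>/dev/null
    printf '\123\357' | dd of="$img" bs=1 seek=$((40 * 512 + 1024 + 56)) conv=notrunc 2>/dev/null
    echo "$img"
}

# Demo: the article's sector 63488 in bytes, then each constructed volume.
echo "sector 63488 = $(sector_to_bytes 63488) bytes"
IMG=$(make_demo_image)
for s in 0 10 40 100; do
    echo "sector $s: $(fs_type "$IMG" "$s")"
done
rm -f "$IMG"
```

Run it with sh; it prints 32505856 for sector 63488 (the value used in the mount command later in the article) and ntfs, btrfs, ext2/3/4 and unknown for the four constructed offsets. To point it at a real raw image, call fs_type with the image path and the start sector reported by mmls.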
BTRFS is a file system that is still in development. A web search for BTRFS will yield a good amount of information about this relatively new file system. Given its limited adoption and the fact that it is still new, I can understand why the main forensic suites do not support it. Yet this doesn’t mean that you won’t encounter it.
The good news is that Ubuntu has a native ability to read this file system. You only have to mount it.
Create a mount point and mount the volume read-only with this command:
sudo mount -t btrfs -o ro,offset=32505856 64GB_2VOL.dd /mnt/btrfs
Our article titled “Mounting E01 images of physical disks in Linux Ubuntu.” illustrates the steps required to mount a volume contained at a sector offset inside of a DD image. Find the article here.
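As an added example (not part of the original article or the linked one), the script below derives the offset= value for mount from saved mmls output instead of multiplying by hand, which is where offset mistakes usually creep in. It reads the sector size from the “Units are in N-byte sectors” header rather than assuming 512. The mmls listing is constructed to match the article’s layout (an NTFS volume followed by a Linux volume starting at sector 63488); the image name and mount point are the article’s, and the script only assembles the mount command, it does not run it.

```shell
#!/bin/sh
# Added example, not the article's own code: compute mount's offset= value
# from mmls output and assemble the read-only mount command.

# Constructed mmls -aB listing (shape of real mmls output; sector values made
# up to match the article: NTFS first, Linux volume starting at sector 63488).
MMLS_OUTPUT='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Size    Description
002:  000:000   0000002048   0000063487   0000061440   0030M   NTFS (0x07)
003:  000:001   0000063488   0125042687   0124979200   0059G   Linux (0x83)'

# volume_offset_bytes PATTERN   (mmls text on stdin)
# Prints the start of the first partition whose Description matches PATTERN,
# in bytes: start sector (3rd column) * sector size from the Units header.
volume_offset_bytes() {
    awk -v pat="$1" '
        /^Units are in [0-9]+-byte sectors/ {
            sub(/^Units are in /, ""); sub(/-byte.*/, ""); unit = $0 + 0
        }
        /^[0-9]+:/ && $0 ~ pat && !done {
            printf "%d\n", $3 * unit; done = 1
        }
    '
}

# mount_command IMAGE FSTYPE BYTE_OFFSET MOUNTPOINT -> the read-only mount line
mount_command() {
    printf 'sudo mount -t %s -o ro,offset=%s %s %s\n' "$2" "$3" "$1" "$4"
}

# Demo: offset of the Linux volume and the resulting mount command.
off=$(printf '%s\n' "$MMLS_OUTPUT" | volume_offset_bytes 'Linux')
echo "Linux volume starts at byte $off"
mount_command 64GB_2VOL.dd btrfs "$off" /mnt/btrfs
```

With real output, replace MMLS_OUTPUT by piping mmls directly: `sudo mmls -aB 64GB_2VOL.dd | volume_offset_bytes Linux`. The Units header matters because mmls can be told a different sector size with -b, and an offset computed with the wrong unit silently mounts garbage or fails.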
I wanted to write this article to raise awareness of the BTRFS file system. Due to its native support for BTRFS, Linux is a powerful supplement to your forensic suites, especially when those suites don’t offer support for the file system.
If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at firstname.lastname@example.org. Twitter: @carlos_cajigas