SANS ISC: Xmount for Disk Images

Recently I've been doing a lot of imaging and mounting of different image format types. Xmount(1) has been very handy and is not something I've used much in the past. Xmount can handle DD, EWF (Expert Witness Compression Format), or AFF images. While mounting disks hasn't changed a lot, having a single utility that handles the significant file types makes it more accessible.


Xmount can output in several different file types: "raw", "dmg", "vdi", "vhd", "vmdk", "vmdks". Many Linux-based tools need a raw or dd-style image to read; xmount can easily produce one. Mounting an OS X DD image as a DMG is an easy way to open up FileVault volumes: just double-click the DMG file, input the password, and it's mounted.


Depending on what you need to do with the image, booting it might be the fastest way to get there. Make sure that you are using a write-blocker or a backup copy to prevent changes to the system.

#apt-get install xmount
#xmount --in ewf <FILE> --out vmdk --cache /tmp/disk.cache <Mount Point Folder>
#xmount --in ewf ./file.E01 --out vmdk --cache /tmp/disk.cache /tmp/ewf/

Now you should have a VMDK file in /tmp/ewf. You can add this file as a disk to an existing VMware virtual machine, or create a new virtual machine and boot from it.
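The steps above wrap up into a small script. The one below is an added example for this diary, not xmount's own code or anything from the original post: it validates the input and output format names against the ones the diary lists, creates the mount point, records a SHA-256 of the source image next to the --cache file before the mount, and lets you confirm after unmounting that the image is byte-for-byte unchanged (xmount directs writes into the cache file rather than the image, and this check makes that visible). The format-name lists and the ".sha256" sidecar file are assumptions of this example; check them against the xmount version you have installed.

```shell
#!/bin/sh
# Added example, not part of the SANS ISC diary or of xmount itself.
# Assumption: the format names below match the xmount build in use.
XMOUNT_IN_FORMATS="dd raw ewf aff"
XMOUNT_OUT_FORMATS="raw dmg vdi vhd vmdk vmdks"

# is_in_list <needle> <item>... : succeed if <needle> is one of the items
is_in_list() {
  needle=$1; shift
  for item in "$@"; do
    [ "$item" = "$needle" ] && return 0
  done
  return 1
}

# build_xmount_cmd <infmt> <image> <outfmt> <cache> <mountpoint>
# Validates both format names and prints the xmount command line
# (a dry run of what mount_image would execute).
build_xmount_cmd() {
  in_fmt=$1 image=$2 out_fmt=$3 cache=$4 mnt=$5
  is_in_list "$in_fmt" $XMOUNT_IN_FORMATS || {
    echo "unsupported input format: $in_fmt" >&2; return 1; }
  is_in_list "$out_fmt" $XMOUNT_OUT_FORMATS || {
    echo "unsupported output format: $out_fmt" >&2; return 1; }
  printf 'xmount --in %s %s --out %s --cache %s %s\n' \
    "$in_fmt" "$image" "$out_fmt" "$cache" "$mnt"
}

# image_hash <file> : print the SHA-256 of the file (coreutils sha256sum)
image_hash() {
  sha256sum "$1" | cut -d' ' -f1
}

# mount_image <infmt> <image> <outfmt> <cache> <mountpoint>
# Records the source hash beside the cache file, then runs xmount.
mount_image() {
  build_xmount_cmd "$@" >/dev/null || return 1
  in_fmt=$1 image=$2 out_fmt=$3 cache=$4 mnt=$5
  mkdir -p "$mnt" || return 1
  # Sidecar name is this example's convention, not an xmount feature.
  image_hash "$image" > "$cache.sha256" || return 1
  xmount --in "$in_fmt" "$image" --out "$out_fmt" --cache "$cache" "$mnt"
}

# check_image <image> <cache>
# After "fusermount -u <mountpoint>", compare the image against the
# hash recorded by mount_image. Succeeds only if the image is unchanged.
check_image() {
  image=$1 cache=$2
  recorded=$(cat "$cache.sha256") || return 1
  current=$(image_hash "$image") || return 1
  if [ "$recorded" = "$current" ]; then
    return 0
  fi
  echo "WARNING: $image differs from the hash recorded at mount time" >&2
  return 1
}

# Usage, matching the diary's command (needs xmount and a real E01):
#   mount_image ewf ./file.E01 vmdk /tmp/disk.cache /tmp/ewf/
#   ... boot the VMDK in VMware, then: fusermount -u /tmp/ewf/
#   check_image ./file.E01 /tmp/disk.cache
```

Run mount_image as root or as a user allowed to use FUSE, the same way the diary's `#` prompt implies. The hash check does not replace a write-blocker for the original evidence; it is a cheap way to prove that the working copy you booted from was not altered by the VM session.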

Any other new forensics tools you have run across recently that make life easier for forensicators? Leave a comment.

1 https://www.pinguin.lu/xmount

--

Tom Webb

@twsecblog

ISC Handler
Nov 5th 2021
