Mounting File Systems

File Location:

Parse Data

#Mounting E01 Images 
ewfmount image.E01 mountpoint

mount –o loop,ro,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount


#### Mounting Volume Shadow Copies ####

#Stage 1 – Attach local or remote system drive
ewfmount system-name.E01 /mnt/ewf

#Stage 2 – Mount raw image VSS
vshadowmount ewf1 /mnt/vss/

#Stage 3 – Mount all logical filesystem of snapshot
cd /mnt/vss for i in vss*; do mount -o ro,loop,show_sys_files,streams_interface=windows $i /mnt/shadow_mount/$i; done

Scanning File System

#Search for malware entropy
densityscout -r -pe -p 0.1 -o c:\Users\sansdfir\Desktop\densityscout.txt E:\

#Yara recursive search - "Could not open file" errors are common and used to ensure Yara can finish a scan within a defined period of time.
cd /d "C:\Forensic_Program_Files\yara"
yara64.exe -C yara-rules -rw E:\ > C:\Users\sansdfir\Desktop\yara_out.txt

Considerations

Anti-Forensics

PreviousFile System NextLog2Timeline

Last updated 1 year ago