Welcome back everyone. Today I'm in the new Tsurugi Linux distribution. It's a Linux distribution that just has some preconfigured utilities for digital forensic investigations. So if you haven't checked it out, it is pretty interesting and it's free, so it's worth looking at. Today we are going to look at how Tsurugi Linux has set up some directories for us to help us work with disk images, specifically mounting disk images, and then we will mount an E01 disk image with ewfmount. Pretty much everything is done from the command line. You can go to Applications, Tsurugi, Mount, and there are a bunch of different tools available for mounting disk images, but everything that has, for example, a black window next to it will be a command line tool anyway. So today we are going to be using ewfmount. If I click on that, I just get the command line version of the tool that pops up, and then I can type in my commands. If you're not familiar with the commands, you can go to Applications and play around with everything that's listed here. But for now I'm going to show you the entire process, how to get started doing the mounts from the command line. If you don't have a command prompt open, go ahead and click on this red window icon here and you'll get a new command prompt. Whenever you open your command prompt, you should have something that looks like your username (the username that you're currently logged in as), the computer's name, and next the directory that you're in; a tilde, that squiggly line, means that you're in that user's home directory. If we type ls, this is going to list all of the folders in that directory, and we have two folders that are not standard for Linux: 01 screenshots and 02 computer vision. These are specifically created by the Tsurugi Linux team.
When we run screenshot analysis tools or computer vision tools, the outputs can be dumped into those locations for easy access. But today what we're talking about is dealing with disk images. I want to mount a disk image so that I can get access to the data inside without doing carving, and start to analyze some of the files inside. There are several different reasons you would do this, especially in Linux: since a lot of tools won't support working with disk images directly, you need to mount the image read only first, and then you can work with the data that's inside of it. So the first thing we'll do is cd /mnt, that's change directory to the mount directory. If we type ls, I can see all of these different folders that have been created in the mount directory. This is also created by the Tsurugi Linux team, because it's very convenient to have these folders pre-created for you. All the same commands will work on other versions of Linux, but the team has already created all of these different folders, and I'll show you what they're for. You might already be able to guess: we have AFF1, we have EWF1, C, D, E, G, H. So for example, our EWF1 folder: today I'm going to be mounting an Expert Witness Format file, which would be an E01 file, or EWF. If we go into these folders, there's nothing in them right now. But basically this folder has been created so I have easy access to mount points that already exist in the system. The file that I have right now is an E01 image; it's sda_image.E01, that's the file name. If we use the file command on it, we can see that it is an EWF / Expert Witness / EnCase image file format. This is the file that I want to mount and get access to. Okay, but this is a physical disk image; you can see that in the file name, we have PC, physical disk image. So we can't mount the physical disk image directly.
So what we need to do is, because I have an Expert Witness Format physical disk image, I'm going to use this EWF1 folder, since I don't have any mount points already. I'm going to type sudo ewfmount, and then the location of my disk image that I want to mount. So sudo ewfmount, the location of my image (it was a very long path), and then where I want to mount the data to, what folder I'll use to access the data. That would be /mnt/ewf1, or specifically this folder here. So I'm attaching this disk image to this folder, so whenever I access that folder, I should be able to see some of the data inside. If we press enter, I enter the password, and since we didn't have an error, it looks like it's okay. If we type mount, you can see /dev/fuse on /mnt/ewf1. So that looks good; we actually have a mount point activated. Next, I'm going to see if I can see inside. So ls /mnt/ewf1: permission denied. I wonder if I can do sudo. Okay, so inside is just a single file, essentially called ewf1, and what this is is a physical disk image object. So we can treat it kind of like an attached physical disk. Since we can treat it like an attached physical disk, I can use mmls on it. So from The Sleuth Kit, I can run mmls to find out how the disk is partitioned. I'm going to do sudo mmls /mnt/ewf1/ewf1. Now remember, /mnt/ewf1 is the folder, the mount point that I mounted the disk image to; ewf1 is this thing that kind of looks like a file, but it's actually a disk, raw data in there. So if I hit enter, we should see the overall partition table. Now that we have the partition table, I need to get the starting block offset of the partition that I'm interested in. I want to look at this Basic data partition, because I think that that's the biggest and it probably has my most interesting information. You can see that the starting offset is 567296, so I'm going to copy that. And then we also have "Units are in 512-byte sectors."
Okay, that's going to be important later. The next thing I need to do is figure out, if the partition starts at this offset and it's 512-byte sectors, what's the byte offset that we are looking for. So I'm going to use expr, the expression command, kind of like a calculator built into the command line. I'm going to paste the sector offset, then backslash star, which is times, and then 512. What that will give us is the byte offset of that particular partition, so I'm going to copy that. Now we have the location of the partition that I want to mount; we have where it starts. So the next thing I need to do is type sudo mount -o loop,offset= and then the byte offset. That's why we had to calculate the byte offset: mount only takes a byte offset, not the sector. Then the data that I'm mounting from, so /mnt/ewf1/ewf1. And where am I going to mount this to? Well, on the suspect's disk that I have here, this Basic data partition was probably the C drive. In our mount folder, conveniently, we have, for example, a folder called C. Since this is the only disk image that I'm working with right now, I'm going to mount this partition to /mnt/c. I press enter: "trying read only." Okay, if we type mount, then we should have /mnt/ewf1/ewf1 on /mnt/c. So it did mount properly, but it had to mount in read only mode, which is good for us anyway, because we don't want to have any writes. So if I move into c and type ls, now I can see all of the files that were in the suspect system, just like on their particular hard drive. Okay, this is no file carving; I'm not recovering any deleted data or anything like that. But now I have direct access to be able to browse through things. So for example, I could use find, which is a built-in Linux command, with grep, and then just look for, I don't know, JPEG, anything with JPG in the name.
Okay, and then we can find all of the JPEG images and start pulling them out and analyzing them. Right. So Tsurugi Linux already has a lot of folders set up for you, and you might be wondering what they're for. Well, basically, they're for working, in this case in the mount directory, with mount points that are very common. So either EWF, where you're mounting a disk image, or C, D, E, which could be a partition from Windows, for example. So I hope that helps explain what these folders are for. And I hope that helped you a little bit to understand how to work with and mount disk images with EWF Acquire. That's it for today. Thank you very much.
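The offset arithmetic in the walkthrough is the step people most often get wrong, so here is the same procedure as a small POSIX shell script. This is an added example, not code from the video or from the Tsurugi project. It does not run ewfmount or mmls itself; the mmls listing is constructed inline for the example, the paths /mnt/ewf1/ewf1 and /mnt/c are assumed to match the pre-created Tsurugi mount folders the video uses, and the mount command is printed rather than executed. It also passes ro explicitly, instead of relying on mount falling back to read only as it did in the video.

```shell
#!/bin/sh
# Added example (not from the video): derive the byte offset for `mount -o offset=`
# from mmls output. The listing below is CONSTRUCTED for this example; the paths
# /mnt/ewf1/ewf1 and /mnt/c are assumed to match the Tsurugi mount folders.
set -eu

SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000567295   0000565248   EFI system partition
005:  001       0000567296   0062914526   0062347231   Basic data partition
006:  -------   0062914527   0062914559   0000000033   Unallocated'

# Sector size reported by mmls ("Units are in 512-byte sectors").
sector_size() {
    printf '%s\n' "$1" | sed -n 's/^Units are in \([0-9][0-9]*\)-byte sectors.*/\1/p'
}

# Start sector of the first partition whose description matches $2.
# "$3 + 0" strips mmls's leading zeros so the shell does not later read
# a value like 0000567296 as octal.
partition_start() {
    printf '%s\n' "$1" | awk -v desc="$2" '$0 ~ desc { print $3 + 0; exit }'
}

# Byte offset = start sector * sector size (what the video computes with expr).
byte_offset() {
    echo $(( $1 * $2 ))
}

# Build the mount command. ro is explicit so the evidence is never written to,
# even if the backing file were writable.
mount_command() {
    image=$1; target=$2; offset=$3
    printf 'sudo mount -o ro,loop,offset=%s %s %s\n' "$offset" "$image" "$target"
}

main() {
    size=$(sector_size "$SAMPLE_MMLS")
    start=$(partition_start "$SAMPLE_MMLS" "Basic data partition")
    offset=$(byte_offset "$start" "$size")
    echo "start sector: $start, sector size: $size, byte offset: $offset"
    mount_command /mnt/ewf1/ewf1 /mnt/c "$offset"
}

main
```

On a real system you would replace SAMPLE_MMLS with `sudo mmls /mnt/ewf1/ewf1`, and the printed command is the one to run; a quick `mount | grep /mnt/c` afterwards confirms the partition is attached read only.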