Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: ant888
New Today: 3
New Yesterday: 0
Overall: 29286

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 Hash calculation between image and original file
 Final Year Project
 Android devices with PIN screen lock and without USBdebb. on
 Can file creation and modifications on pendrives be found?
 Viewing real MAC times of a timestomped file

Computer Forensics World Forums


Pages Served
We received
49944860
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - Open an Encase image of a CD
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Open an Encase image of a CD

 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> General Computer Forensic Issues
View previous topic :: View next topic  
Author Message
alcool179
Newbie
Newbie


Joined: Feb 18, 2016
Posts: 13

PostPosted: Sun Mar 06, 2016 10:00 am    Post subject: Open an Encase image of a CD Reply with quote

Hi all,
I have a image (file.Ex01) of a CD.
How can I mount it?
I tryed with FTK imager but the results is drive with an unrecognized file system.
Can you help me?

THX
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Sun Mar 06, 2016 1:02 pm    Post subject: Reply with quote

Mount it with libewf.
Back to top
View user's profile
alcool179
Newbie
Newbie


Joined: Feb 18, 2016
Posts: 13

PostPosted: Sun Mar 06, 2016 10:08 pm    Post subject: Reply with quote

Thx PreferredUser,
but typing (root)
ewfexport namefile.Ex01
the result is
libewf_glob: invalid filename - missing extension.
export_handle_open_input: unable to resolve filename(s).

using
ewfmount namefile.Ex01 /media/evidence
the result is the same
libewf_glob: invalid filename - missing extension.
export_handle_open_input: unable to resolve filename(s).

Some suggestions?
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Sun Mar 06, 2016 11:58 pm    Post subject: Reply with quote

What version are you using? As of version 20120715 support for EWF version 2 (.Ex01 and .Lx01) was added.

Also, ewfexport, exports storage media data in EWF files to (split) RAW format or a specific version of EWF files. In your first post you asked how to mount an Ex01, for that you would use ewfmount, which uses FUSE to mount EWF files.
Back to top
View user's profile
alcool179
Newbie
Newbie


Joined: Feb 18, 2016
Posts: 13

PostPosted: Mon Mar 07, 2016 12:20 am    Post subject: Reply with quote

ewfmount 20140608
Back to top
View user's profile
athulin
Newbie
Newbie


Joined: Oct 19, 2007
Posts: 237

PostPosted: Mon Mar 07, 2016 4:49 am    Post subject: Re: Open an Encase image of a CD Reply with quote

alcool179 wrote:
I have a image (file.Ex01) of a CD.
How can I mount it?
I tryed with FTK imager but the results is drive with an unrecognized file system.


You can have at least two different types of image of a CD: the 'raw' (or physical) image, which has 2352-byte sectors, and the 'user' image, which has 2048-byte sectors.

You have to know which you are working with.

Next, as you leave 'CD' completely unqualified, there's no way to know if you are referring to CD-DA (audio), CD-ROM, CD-R, and so on and so forth. It matters, because 'mounting' presumes a file system.

Next, if we assume a data-related CD format, you can have multiple file systems. ISO 9660 is one, but there are others. And your mounting solution have better support the one actually present.

Do you know that it does? If you have an image from a HFS+ image, and mount it on a Windows system ... you won't succeed, unless you have some software that can do that.

Look at the image: is it an ISO 9660 volume? Or some other file system? Or is it something that cannot be mounted at all? If it is mountable, does your solution support that kind of file system?
Back to top
View user's profile
alcool179
Newbie
Newbie


Joined: Feb 18, 2016
Posts: 13

PostPosted: Tue Mar 08, 2016 3:51 am    Post subject: Reply with quote

Hi athulin,
thank's for your reply.
It' a CR-R image and using Linux "file" command on the image seems to be a ISO9660 volume.

Unfortunately the issue remains and using:

ewfmount namefile.Ex01 /media/evidence

the result is the same

libewf_glob: invalid filename - missing extension.
export_handle_open_input: unable to resolve filename(s).

Any suggestion?
Back to top
View user's profile
athulin
Newbie
Newbie


Joined: Oct 19, 2007
Posts: 237

PostPosted: Wed Mar 09, 2016 3:13 am    Post subject: Reply with quote

alcool179 wrote:
ewfmount namefile.Ex01 /media/evidence


But ... if file(1) tells you that it's an ISO-9660 image, it probably is one. If so, it's not any EWF or e01 or Ex01 format, as they have their own file headers, and would most likely be identified as such by file(1).

I might download and compile the disktype tool from Sourceforge, and check what it says. If it also says 'iso-9660', you don't have an EnCase file at all. You have an iso image, and should use a mount utility for that format.

If you know the ISO 9660 format well, you can eyeball it. But if you don't, disktype is probably the best tool you can use.
Back to top
View user's profile
alcool179
Newbie
Newbie


Joined: Feb 18, 2016
Posts: 13

PostPosted: Fri Mar 11, 2016 7:07 am    Post subject: Reply with quote

Hi athulin,
the result of file command is
file filename.Ex01
ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)

the result of disktype command is
disktype filename.EX01

--- filename.Ex01
Regular file, size 103.8 MiB (108826032 bytes)

What do you think?
Back to top
View user's profile
athulin
Newbie
Newbie


Joined: Oct 19, 2007
Posts: 237

PostPosted: Sat Mar 12, 2016 10:21 pm    Post subject: Reply with quote

alcool179 wrote:

the result of file command is
file filename.Ex01
ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors)


That is as it says, a 'raw' CD image. The ISO file system is inside the raw sectors, and you need to strip away the 'outside'stuff.

As far as I know, EnCase can't cope with that. But I'm not expert on the latest version (7).

ISOBuster can do it. (Though I'm not 100% sure about if it does so also in the free version.) I've done it with CloneCD raw images and IsoBuster -- you may have to rename the image file to *.img or *.bin, though. Then, extract 'user data' to an *.ISO file, and use that.

If all you want to do is mount it, mounting utilities such as Virtual CloneDrive or other may do it as well. I'm less familiar with those.

Quote:

the result of disktype command is
disktype filename.EX01

--- filename.Ex01
Regular file, size 103.8 MiB (108826032 bytes)


OK, so disktype doesn't recognize a raw CD image. But at least it's not something it recognizes as something else.
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> General Computer Forensic Issues All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.