How to write a new partition table over EWF files

mfrade
Posts: 4
Joined: 20 Jul 2015, 11:46

How to write a new partition table over EWF files

#1 Post by mfrade »

Hi,
I used testdisk 7.0 (on Ubuntu 14.04, 64-bit) over EWF files (with compression) of a hard disk with a damaged partition table. Testdisk was able to find the correct values of the partition table and I want to write it over my EWF files, so I can use other forensic tools (like autopsy). Is this possible?

When I ask testdisk to write the new partition table it creates a new file with extension "d01", but I don't know how to use it to correct my EWF files. Is it possible to use the d01 file to mount the EWF files with the new partition table?

Note: I can't use testdisk directly on the hard disk, because it would damage the digital evidence.

Thank you for any help/advice,
Miguel Frade

Fiona
Posts: 2835
Joined: 18 Feb 2012, 17:19
Location: Ludwigsburg/Stuttgart - Germany

Re: How to write a new partition table over EWF files

#2 Post by Fiona »

The partition table is located in your MBR or, if you use UEFI, in your GUID partition table.
Normally, it shouldn't affect any files?
But I don't have as much experience with EWF files?
If you'd like to keep it for evidence purposes, you can use testdisk to copy data off of your disk to another healthy disk or partition.
That way you wouldn't change anything on your affected disk.
Christophe Grenier would be a much better specialist contact person in your case.

Fiona

mfrade
Posts: 4
Joined: 20 Jul 2015, 11:46

Re: How to write a new partition table over EWF files

#3 Post by mfrade »

Hi Fiona,
thank you for your reply. Let me explain in more detail what I've done and what I want to do:

1st - I connected the hard disk "B" to a write blocker and then to my working computer. With this setup I can read disk B, but I cannot write to it (disk B is digital evidence, therefore I don't want to make any change to it).


2nd - I've made a full copy (bit by bit) of disk B to disk A in my working computer. There are several ways to do this:
a) use the dd command, like this: dd if=/dev/sdb of=~/somedir/diskB.dd
b) use another command or application that does the same as the dd command, but with added features, like additional metadata and compression. I used Guymager and created an image of disk B on my disk A; that image was created in EWF format (a format specific to forensic work), which resulted in several split files (diskB.E01, diskB.E02, ...).

So, the EWF files contain a full image of disk B, including its partition table, unallocated space, files, etc.


3rd - the testdisk tool supports several input methods, including disk images in EWF format: "testdisk [/log] [/debug] [file.dd|file.E01|device]". I used: "testdisk /log diskB.E??" and testdisk (which is a great tool) was able to find the correct values of the partition table, so I want testdisk to write the new partition table to the EWF files themselves.

My question is: can testdisk write the new partition table inside EWF files? If not, how should I proceed?

It seems that this isn't possible, because testdisk creates a new file, diskB.d01, but I don't know how to use that file with other tools, like ewfmount or xmount.

EWF files can be mounted to be read like a dd image with the command ewfmount, so I can use other forensic tools. However, the tools I want to use need a good partition table to work, but ewfmount ignores the information inside the diskB.d01 file, and I'm stuck at this point.

So far, it seems the only solution is to convert the EWF files to raw format (dd) and then execute testdisk over the raw file, but if possible I'd like to avoid this because EWF allows us to save storage space through compression and dd does not.

mfrade
Posts: 4
Joined: 20 Jul 2015, 11:46

Re: How to write a new partition table over EWF files

#4 Post by mfrade »

Hi again,
I found a solution to my problem. The ewfmount command doesn't support writing to EWF files, but the xmount command has an option to provide virtual write support through a cache file. I leave here the list of commands I used for future reference:

1)

xmount --in ewf --rw diskB.cache diskB.E?? /mnt/xmount
  # "--in ewf" is required if you have more than one EWF file of the same disk
  # "--rw diskB.cache" provides write support through the cache file
  # "diskB.E??" selects all the EWF files of the disk image
  # "/mnt/xmount" directory where xmount mounts the image as raw

ls /mnt/xmount
  diskB.dd  diskB.info
  # "diskB.dd" diskB in raw format
  # "diskB.info" metadata about diskB

mmls /mnt/xmount/diskB.dd
  "Cannot determine partition type"
2)

testdisk /mnt/xmount/diskB.dd
  # analyse diskB and write the new partition table
3)
use other forensic tools (like mmls or autopsy) over the file /mnt/xmount/diskB.dd,
and now they must be able to see the reconstructed partition table

mmls /mnt/xmount/diskB.dd
  DOS Partition Table
  Offset Sector: 0
  Units are in 512-byte sectors

        Slot      Start        End          Length       Description
  000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
  001:  -------   0000000000   0000002047   0000002048   Unallocated
  002:  000:000   0000002048   0001023999   0001021952   NTFS / exFAT (0x07)
  003:  000:001   0001024000   0625139711   0624115712   NTFS / exFAT (0x07)
  004:  -------   0625139712   0625142447   0000002736   Unallocated

klango
Posts: 1
Joined: 21 Aug 2018, 11:50

Re: How to write a new partition table over EWF files

#5 Post by klango »

Hi @mfrade
I know this is an old topic but I had exactly this problem.
xmount won't do it for me:

xmount --in ewf image.cache image.E01 /mnt/temp/
ERROR: main@3682 : Unable to open input image file 'image.cache': The specified input file(s) are not valid EWF files!

I managed to list the filesystem structure with testdisk and rewrote the FAT16 headers. Like you, I now have an image.d01 file.

Did you use this .d01 image at all?

Vicky583
Posts: 1
Joined: 10 Sep 2018, 05:26

Re: How to write a new partition table over EWF files

#6 Post by Vicky583 »

mfrade wrote: 20 Jul 2015, 12:27 (quoting post #1 above in full)
Hey, I am facing the same problem, any solution please? I am still waiting for the solution.
Last edited by Vicky583 on 24 Oct 2018, 11:06, edited 2 times in total.

mfrade
Posts: 4
Joined: 20 Jul 2015, 11:46

Re: How to write a new partition table over EWF files

#7 Post by mfrade »

Hi Vicky583,
try the xmount command:

xmount --in ewf DellLatitudeCPi.E?? --out raw --cache cachefile.bin mntdir

# --in ewf DellLatitudeCPi.E??   --> input format: EWF, followed by *all* image files (E01, E02, ...), hence the ".E??"
# --out raw                      --> output format
# --cache cachefile.bin          --> cache file to simulate the write operation
# mntdir                         --> mount dir for the raw view of the EWF image
then you can use testdisk over the raw file inside the mount dir that was created by xmount:

testdisk mntdir/DellLatitudeCPi.dd
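As an added check, not part of this thread or of the xmount/testdisk projects: once the raw view is mounted (the procedure in posts #4 and #7) and testdisk has written the new table into the cache-backed .dd, sector 0 of that raw file can be decoded directly, independently of mmls, to confirm the reconstructed entries before handing the image to other tools. This is example Python of my own; parse_mbr, build_mbr and check_raw_image are my names, and SAMPLE_MBR is a constructed sector 0 reproducing the layout mmls printed in post #4.

```python
import struct

SECTOR = 512                  # mmls above reports "Units are in 512-byte sectors"
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid DOS/MBR sector 0
TABLE_OFFSET = 446            # four 16-byte primary entries start here
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector0: bytes):
    """Decode the primary partition entries of a raw sector 0; raise if the MBR is not valid."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR signature in sector 0: partition table still missing or damaged")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, ptype, start, length = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 or length == 0:   # empty slot
            continue
        parts.append({"slot": slot, "type": ptype, "start": start,
                      "end": start + length - 1, "length": length,
                      "bootable": status == 0x80})
    return parts


def build_mbr(entries):
    """Construct a sample sector 0 from (type, start, length) tuples (test data, not a real disk)."""
    sec = bytearray(SECTOR)
    for slot, (ptype, start, length) in enumerate(entries):
        off = TABLE_OFFSET + 16 * slot
        sec[off:off + 16] = struct.pack(ENTRY_FMT, 0x00, ptype, start, length)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


# Constructed sample reproducing the layout mmls printed in post #4 (two NTFS/exFAT 0x07 partitions).
SAMPLE_MBR = build_mbr([(0x07, 2048, 1021952), (0x07, 1024000, 624115712)])


def check_raw_image(path):
    """Read sector 0 of the raw view (e.g. mntdir/DellLatitudeCPi.dd) and decode its table."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR))


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"slot {p['slot']}: type 0x{p['type']:02x} start {p['start']:>10} "
              f"end {p['end']:>10} length {p['length']:>10}")
```

Because xmount only writes to the cache file, running check_raw_image on the mounted .dd before and after the testdisk step shows the repair without touching the original E01 segments.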
