How to write a new partition table over EWF files
Hi,
I used testdisk 7.0 (on Ubuntu 14.04, 64-bit) over EWF files (with compression) of a hard disk with a damaged partition table. Testdisk was able to find the correct values of the partition table and I want to write them over my EWF files, so I can use other forensic tools (like Autopsy). Is this possible?
When I ask testdisk to write the new partition table it creates a new file with the extension "d01", but I don't know how to use it to correct my EWF files. Is it possible to use the d01 file to mount the EWF files with the new partition table?
Note: I can't use testdisk directly on the hard disk, because it would damage the digital evidence.
Thank you for any help/advice,
Miguel Frade
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Re: How to write a new partition table over EWF files
The partition table is located in your MBR or, if you use UEFI, in your GUID partition table.
Normally, it shouldn't affect any files?
But I don't have as much experience with EWF files.
If you'd like to keep it for evidence purposes, you can use testdisk to copy data off of your disk to another healthy disk or partition.
That way you wouldn't change anything on your affected disk.
Christophe Grenier would be a much better specialist contact person in your case.
Fiona
Re: How to write a new partition table over EWF files
Hi Fiona,
thank you for your reply. Let me explain better what I've done and what I want to do:
1st - I connected the hard disk "B" to a write blocker and then to my working computer. With this setup I can read disk B, but I cannot write to it (disk B is digital evidence, therefore I don't want to make any change to it).
2nd - I've made a full copy (bit by bit) of disk B to disk A in my working computer. There are several ways to do this:
a) use the dd command, like this: dd if=/dev/sdb of=~/somedir/diskB.dd
b) use another command or application that does the same as the dd command, but with added features, like additional metadata and compression. I used Guymager and created an image of disk B on my disk A; that image was created in EWF format (a format specific to forensic work), which resulted in several split files (diskB.E01, diskB.E02, ...).
So, the EWF files contain a full image of disk B, including its partition table, unallocated space, files, etc.
3rd - the testdisk tool supports several input methods, including disk images in EWF format: "testdisk [/log] [/debug] [file.dd|file.E01|device]". I used "testdisk /log diskB.E??" and testdisk (which is a great tool) was able to find the correct values of the partition table, so I want testdisk to write the new partition table into the EWF files themselves.
My question is: can testdisk write the new partition table inside EWF files? If not, how should I proceed?
It seems that this isn't possible, because testdisk creates a new file, diskB.d01, but I don't know how to use that file with other tools, like ewfmount or xmount.
EWF files can be mounted to be read like a dd image with the command ewfmount, so I can use other forensic tools. However, the tools I want to use need a good partition table to work, and ewfmount ignores the information inside the diskB.d01 file, so I'm stuck at this point.
So far, it seems the only solution is to convert the EWF files to raw format (dd) and then execute testdisk over the raw file, but if possible I'd like to avoid this because EWF allows us to save storage space through compression and dd does not.
Re: How to write a new partition table over EWF files
Hi again,
I found a solution to my problem. The ewfmount command doesn't support write over EWF files, but the xmount command has an option to provide virtual write through a cache file. I leave here the list of commands I used for future reference:
1)
xmount --in ewf --rw diskB.cache diskB.E?? /mnt/xmount
# "--in ewf" is required if you have more than one EWF file of the same disk
# "--rw diskB.cache" provides write support through the cache file
# "diskB.E??" selects all the EWF files of the disk image
# "/mnt/xmount" directory where xmount mounts the image as raw
ls /mnt/xmount
diskB.dd diskB.info
# "diskB.dd" diskB in raw format
# "diskB.info" metadata about diskB
2)
mmls /mnt/xmount/diskB.dd
"Cannot determine partition type"
3)
testdisk /mnt/xmount/diskB.dd
# analyse diskB and write the new partition table
use other forensic tools (like mmls, or autopsy) over the file /mnt/xmount/diskB.dd
and now it must be able to see the reconstructed partition table
mmls /mnt/xmount/diskB.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0001023999 0001021952 NTFS / exFAT (0x07)
003: 000:001 0001024000 0625139711 0624115712 NTFS / exFAT (0x07)
004: ------- 0625139712 0625142447 0000002736 Unallocated
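As an added illustration (not part of the thread), the following Python parses sector 0 of a raw view such as /mnt/xmount/diskB.dd the way mmls does and runs the sanity checks an examiner wants before trusting a rewritten table; the sample MBR is constructed from the two NTFS entries and the 625142448-sector disk size in the mmls listing above, and an all-zero sector stands in for the damaged table.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446          # four 16-byte entries live at bytes 446..509
ENTRY_SIZE = 16

def build_mbr(entries):
    """Constructed test data: a 512-byte MBR from (type, start_lba, length) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(entries):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA length
        entry = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype,
                            b"\xfe\xff\xff", start, length)
        off = TABLE_OFFSET + i * ENTRY_SIZE
        mbr[off:off + ENTRY_SIZE] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)

def parse_mbr(sector0):
    """Non-empty primary entries of a DOS partition table, or None when sector 0 has
    no valid table (the case mmls reports as 'Cannot determine partition type')."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        return None
    parts = []
    for slot in range(4):
        status, ptype, start, length = struct.unpack_from(
            "<B3xB3xII", sector0, TABLE_OFFSET + slot * ENTRY_SIZE)
        if ptype == 0 or length == 0:
            continue                      # unused slot
        parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": start + length - 1, "length": length})
    return parts

def check_table(parts, disk_sectors):
    """Sanity checks worth running on a rewritten table before trusting it."""
    problems, prev_end = [], -1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] <= prev_end:
            problems.append("slot %d overlaps the previous partition" % p["slot"])
        if p["end"] >= disk_sectors:
            problems.append("slot %d runs past the end of the image" % p["slot"])
        prev_end = max(prev_end, p["end"])
    return problems

# Constructed sample built from the mmls listing: two NTFS (0x07) partitions on a
# 625142448-sector disk, plus an all-zero sector 0 standing in for the damaged table.
DISK_SECTORS = 625142448
REPAIRED_MBR = build_mbr([(0x07, 2048, 1021952), (0x07, 1024000, 624115712)])
DAMAGED_MBR = bytes(SECTOR)
```

On a real raw view, parse_mbr(open("/mnt/xmount/diskB.dd", "rb").read(512)) reads only sector 0 and writes nothing, so the EWF files and the xmount cache stay as they are.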
Re: How to write a new partition table over EWF files
Hi @mfrade
I know this is an old topic but I had exactly this problem.
xmount won't do it for me:
xmount --in ewf image.cache image.E01 /mnt/temp/
ERROR: main@3682 : Unable to open input image file 'image.cache': The specified input file(s) are not valid EWF files!
I managed to list the filesystem structure with testdisk and rewrote the FAT16 headers. Like you, I now have an image.d01 file.
Did you use this .d01 image at all?
Re: How to write a new partition table over EWF files
Hey, I am facing the same problem, any solution please? I am still waiting for the solution.
mfrade wrote: 20 Jul 2015, 12:27
Hi,
I used testdisk 7.0 (on Ubuntu 14.04, 64-bit) over EWF files (with compression) of a hard disk with a damaged partition table. Testdisk was able to find the correct values of the partition table and I want to write them over my EWF files, so I can use other forensic tools (like Autopsy). Is this possible?
When I ask testdisk to write the new partition table it creates a new file with the extension "d01", but I don't know how to use it to correct my EWF files. Is it possible to use the d01 file to mount the EWF files with the new partition table?
Note: I can't use testdisk directly on the hard disk, because it would damage the digital evidence.
Thank you for any help/advice,
Miguel Frade
Re: How to write a new partition table over EWF files
Hi Vicky583,
try the xmount command:
xmount --in ewf DellLatitudeCPi.E?? --out raw --cache cachefile.bin mntdir
# --in ewf DellLatitudeCPi.E?? --> input format: EWF followed by *all* image files (E01, E02, ...), hence the ".E??"
# --out raw --> output format
# --cache cachefile.bin --> cache file to simulate the write operation
# mntdir --> mount dir for the raw view of the EWF image
then you can use testdisk over the raw file inside the mount dir that was created by xmount:
testdisk mntdir/DellLatitudeCPi.dd