 
From: Kurt Seifried (bugtraqseifried.org)
Date: Tue Mar 19 2002 - 15:01:50 CST


    > Ah yes... the big question how to do that with Windows since Microsoft
    > doesn't have the equivalent to a loopback mount (none that I'm aware of
    > though I hope to be shown that I'm wrong.) Am I incorrect?

    Yup. Tools like PGPDisk, BestCrypt all use a pseudo filesystem/disk driver
    to mount a file as a drive.

    > The assumption HERE is that we have a "RAW NTFS image" obtained using dd.exe
    > (Unix Port) from the filesystem.
    >
    > 1. Either use a physical blocker on the drive if you have one.
    > 2. Mount using loopback in Linux'O'Choice in Read-Only mode. NTFS is R-O
    > by default. Then share the drive out over the network using Samba Server
    > and mount on examining system using file shares and map it as a new drive.
    > Voila! Read-Only, Sterile, NTFS solution for raw images (works with FAT
    > filesystem too, but make SURE you mount using the read-only option.)

    Or use vmware to simply boot a windows system and view it, or boot it from
    within vmware itself (may have hardware issues though =). Beauty with
    vmware of course is you can set it to not write to the disk, allowing you to
    play with an image.

    > The question is how do you examine a NTFS filesystem in a sterile state?
    > Any other methods in use?

    vmware can be useful.

    Related to this I wrote an article on honeypotting with vmware, part of it
    covers doing the forensics

    http://seifried.org/security/ids/20020107-honeypot-vmware-basics.html

    > Rob

    Kurt Seifried, kurtseifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    http://www.idefense.com/digest.html
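The loopback procedure Rob outlines (raw dd image, read-only loop mount on Linux, exported over Samba to a Windows examination box) as a worked shell example. This is an added example, not code from Rob's or Kurt's posts; it assumes an MBR-partitioned image with 512-byte sectors, Linux with util-linux mount/losetup and a kernel NTFS driver, sha256sum from coreutils, and root for the actual mount. The hypothetical share name and mount point are placeholders.

```shell
#!/bin/sh
# Added example: examine a raw NTFS dd image read-only on Linux, then share it
# out with Samba. Assumptions: MBR partition table, 512-byte sectors, Linux
# mount(8) with loop support, root privileges for the mount step.
set -eu

# Print the byte offset of partition N (1-4) by reading its 32-bit
# little-endian starting LBA from the MBR partition table at byte 446.
# Needed because the image is a whole-disk dd, not a single partition.
partition_offset() {
    image=$1; n=$2
    entry=$((446 + (n - 1) * 16))
    # bytes 8..11 of the 16-byte entry hold the starting LBA; read them one
    # byte at a time so the arithmetic does not depend on host endianness
    set -- $(dd if="$image" bs=1 skip=$((entry + 8)) count=4 2>/dev/null \
             | od -An -t u1)
    lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    echo $((lba * 512))
}

# Sterility check: the image must hash the same as it did at acquisition.
# Run this before and after the examination; any change means the evidence
# was written to. Returns non-zero on mismatch.
verify_image() {
    image=$1; expected=$2
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Print the mount command for partition N of IMAGE at MNT. Read-only is
# stated explicitly rather than relying on the NTFS driver's default;
# noexec/nosuid/nodev stop anything on the suspect disk from running.
mount_image_ro() {
    image=$1; n=$2; mnt=$3
    off=$(partition_offset "$image" "$n")
    opts="ro,loop,offset=$off,noexec,nosuid,nodev,noatime"
    echo "mount -t ntfs -o $opts $image $mnt"
}

# Print a Samba share stanza for MNT under share NAME, read-only on the
# server side as well, so the examining Windows box cannot write either.
samba_share_stanza() {
    name=$1; mnt=$2
    printf '[%s]\n    path = %s\n    read only = yes\n    browseable = yes\n' \
        "$name" "$mnt"
}

# Usage: sh thisscript.sh IMAGE PARTITION MOUNTPOINT  (prints the commands;
# pipe the mount line to sh as root to perform it)
if [ $# -eq 3 ]; then
    mount_image_ro "$1" "$2" "$3"
    samba_share_stanza evidence "$3"
fi
```

Hash the image before the mount and again after unmounting; if verify_image fails on the second run the chain of custody is broken, regardless of how many read-only flags were set. The loop device can also be made read-only at the device level with `losetup -r`, which protects against a filesystem driver that ignores `ro`.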

    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com