> Ah yes... the big question how to do that with Windows since Microsoft
> doesn't have the equivalent to a loopback mount (none that I'm aware of
> though I hope to be shown that I'm wrong.) Am I incorrect?

Yup. Tools like PGPDisk, BestCrypt all use a pseudo filesystem/disk driver to mount a file as a drive.

> The assumption HERE is that we have a "RAW NTFS image" obtained using dd.exe
> (Unix Port) from the filesystem.
>
> 1. Either use a physical blocker on the drive if you have one.
> 2. Mount using loopback in Linux'O'Choice in Read-Only mode. NTFS is R-O
> by default. Then share the drive out over the network using Samba Server
> and mount on examining system using file shares and map it as a new drive.
> Voila! Read-Only, Sterile, NTFS solution for raw images (works with FAT
> filesystem too, but make SURE you mount using the read-only option.)

Or use vmware to simply boot a windows system and view it, or boot it from within vmware itself (may have hardware issues though =). Beauty with vmware of course is you can set it to not write to the disk, allowing you to play with an image.

> The question is how do you examine a NTFS filesystem in a sterile state?
> Any other methods in use?

vmware can be useful. Related to this I wrote an article on honeypotting with vmware, part of it covers doing the forensics:

http://seifried.org/security/ids/20020107-honeypot-vmware-basics.html

> Rob

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
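As an added example (not part of the original thread or of any tool mentioned in it), a sanity check to run before the read-only loopback mount described above: read the first sector of the dd image, confirm it really is NTFS or FAT, and build the Linux mount line with `ro` made explicit, since the quoted post notes that FAT needs it. The boot sectors below are constructed in the script for testing and are not taken from any real disk; the paths passed to `mount_command` are placeholders.

```python
import struct

SECTOR = 512  # boot sector size for both NTFS and FAT

def identify_image(data: bytes) -> dict:
    """Classify a raw dd image from its boot sector (NTFS, FAT, or unknown)."""
    bs = data[:SECTOR]
    info = {"type": "unknown"}
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xAA":
        return info  # no boot signature: not a recognisable volume image
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = bs[0x0D]
    if bs[3:11] == b"NTFS    ":  # OEM ID field identifies NTFS
        info.update(type="ntfs", bytes_per_sector=bytes_per_sector,
                    sectors_per_cluster=sectors_per_cluster,
                    total_sectors=struct.unpack_from("<Q", bs, 0x28)[0],
                    mft_lcn=struct.unpack_from("<Q", bs, 0x30)[0])
    elif bs[0x36:0x3B] in (b"FAT12", b"FAT16") or bs[0x52:0x57] == b"FAT32":
        info.update(type="vfat", bytes_per_sector=bytes_per_sector,
                    sectors_per_cluster=sectors_per_cluster)
    return info

def mount_command(info: dict, image_path: str, mountpoint: str) -> str:
    """Build the loopback mount line. 'ro' is always explicit: NTFS mounts
    read-only by default (as the post notes), but FAT does not."""
    if info["type"] == "unknown":
        raise ValueError("not NTFS or FAT; do not mount an unidentified image")
    opts = "loop,ro,noexec,nodev,nosuid"
    return f"mount -t {info['type']} -o {opts} {image_path} {mountpoint}"

def sample_boot_sector(kind: str) -> bytes:
    """Constructed boot sectors for testing only; not from any real disk."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"              # jump instruction
    struct.pack_into("<H", bs, 0x0B, 512)  # bytes per sector
    bs[0x0D] = 8                           # sectors per cluster
    if kind == "ntfs":
        bs[3:11] = b"NTFS    "
        struct.pack_into("<Q", bs, 0x28, 2097151)  # total sectors
        struct.pack_into("<Q", bs, 0x30, 786432)   # $MFT starting cluster
    elif kind == "fat16":
        bs[3:11] = b"MSDOS5.0"
        bs[0x36:0x3B] = b"FAT16"
    bs[510:512] = b"\x55\xAA"              # boot signature
    return bytes(bs)

if __name__ == "__main__":
    info = identify_image(sample_boot_sector("ntfs"))
    print(info)
    print(mount_command(info, "/evidence/suspect.dd", "/mnt/evidence"))
```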
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 06:44:10 PST