DEV Community

sumeshi_kun
Booting an OS from a Preserved .E01 (EWF) Disk Image File Using Arsenal Image Mounter

Overview

When performing disk forensics, I think it's often the case that the target disk is handled in .E01 format.

Because the format is compressed, images are smaller and easier to handle, so it has become the de facto standard in this field. (Although I feel that many tools still do not support it.)

Basically, I proceed with the analysis by collecting artifacts from the .E01 file, but depending on the situation there are times when I want to boot the OS and work with it directly.

For example, when I want to actually run malware on the investigation target environment and observe its behavior, or when I want to run investigation tools (like Autoruns).

I haven't tested it, but I think this method will generally work even if it's not an .E01 file.

For details, read the "Disk Image Support" section at the link below.

https://arsenalrecon.com/arsenal-image-mounter-aim-walkthrough

There are paid tools specialized for this purpose, such as VFC, but the free version of Arsenal Image Mounter, provided by Arsenal Recon, is also enough to handle it. The Professional version apparently adds features that make launching the virtual disk even easier.

Operating Environment

VMware Workstation Pro 17.5.2

Arsenal Image Mounter 3.11.293

Procedure

Mounting the Disk

After starting Arsenal Image Mounter, click Mount Disk Image at the bottom left and select the .E01 file you want to boot.

The dialog asks several questions; at the top, select Disk device, write temporary.

Also, select Specify alternate differencing file location and save it in an appropriate place.

By doing this, you can make changes without modifying the original .E01 file, and the differences are written to a separate file.

Next, select Advanced > Offline Disk from the top toolbar.

Then, I think the Online/Offline column will have changed to Offline.

With this, you have mounted the .E01 file as a physical disk.
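Before handing the disk to VMware it is worth confirming from PowerShell which disk number Arsenal Image Mounter created and that Windows really reports it as Offline. The script below is an added example, not part of the original post or of Arsenal Image Mounter; it assumes the virtual disk's FriendlyName contains the string "Arsenal" (adjust the pattern if your version reports a different name) and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): locate the disk presented by
# Arsenal Image Mounter and make sure it is Offline before attaching it to a VM.
# Assumption: the AIM virtual disk's FriendlyName contains "Arsenal".
$pattern = 'Arsenal'

$aimDisks = Get-Disk | Where-Object { $_.FriendlyName -like "*$pattern*" }
if (-not $aimDisks) {
    Write-Warning "No disk matching '$pattern' found; list every disk and pick the number by hand:"
    Get-Disk | Format-Table Number, FriendlyName, Size, OperationalStatus, IsOffline, IsReadOnly
    return
}

foreach ($d in $aimDisks) {
    "Disk {0}: {1} ({2:N1} GB) Offline={3} ReadOnly={4}" -f `
        $d.Number, $d.FriendlyName, ($d.Size / 1GB), $d.IsOffline, $d.IsReadOnly

    if (-not $d.IsOffline) {
        # While the disk is Online, Windows holds its volumes and VMware cannot
        # open it as a physical disk. The post does this from AIM's
        # Advanced > Offline Disk menu; Set-Disk sets the same state from the shell.
        Set-Disk -Number $d.Number -IsOffline $true
        "Disk $($d.Number) has been set Offline."
    }
}
```

The disk number printed here is the one you will need later in the VMware wizard's Select a Disk step. ReadOnly=False is expected when the image was mounted in write-temporary mode, because writes go to the differencing file rather than to the .E01.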

Booting with VMware Workstation

When starting VMware Workstation, be sure to run it as administrator.

Otherwise, the disk mounting will fail.

Create a new VM and select Custom (advanced).

Basically, you can just keep clicking Next, but I will note some points to be careful about.

The Firmware Type depends on how the imaged system was set up, so pick the one that seems right.

If it doesn't boot, try changing the settings later.

For Network Connection, be sure to select Do not use a network connection.

Otherwise, as soon as it boots, malware communications might go somewhere and cause a big problem.

It's common (really) for incident responders to cause incidents themselves, so please be careful. When you gaze into the incident, the incident gazes into you.

In Select a Disk, check Use a physical disk and select the mounted .E01.

If you don't know the disk number, check with diskpart or Disk Management.
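Clicking through the wizard makes it easy to miss a setting, so a quick audit of the resulting VM configuration before the first power-on is a good habit. The following script is an added example, not code from the original post or from VMware; it assumes `$vmx` points at your VM's .vmx file, relies on the standard `ethernetN.present` / `ethernetN.connectionType` keys VMware writes to .vmx files, and assumes that the .vmdk descriptor for a physical-disk mapping is a text file that names the `\\.\PhysicalDriveN` device.

```powershell
# Added example (not from the original post): audit a VMware .vmx before boot.
# Assumption: path to the VM configuration created by the wizard.
$vmx = 'C:\VMs\evidence\evidence.vmx'

# Parse key = "value" lines into a hashtable (keys are case-insensitive in PowerShell).
$config = @{}
foreach ($line in Get-Content -Path $vmx) {
    if ($line -match '^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$') { $config[$Matches[1]] = $Matches[2] }
}

# 1. No network adapter may be present: evidence VMs must stay isolated.
$nics = $config.Keys | Where-Object { $_ -match '^ethernet\d+\.present$' -and $config[$_] -eq 'TRUE' }
if ($nics) {
    foreach ($n in $nics) {
        $idx = ($n -split '\.')[0]
        Write-Warning ("{0} is present (connectionType={1}); remove it before booting." -f `
            $idx, $config["$idx.connectionType"])
    }
} else {
    'OK: no network adapters present in the VM configuration.'
}

# 2. Show which disks the VM will open, and which physical drive each raw-disk
#    descriptor points at, so the number matches the disk AIM mounted.
$vmDir = Split-Path -Path $vmx -Parent
$config.Keys | Where-Object { $_ -match '^(scsi|sata|nvme)\d+:\d+\.fileName$' } | ForEach-Object {
    $descriptor = Join-Path -Path $vmDir -ChildPath $config[$_]
    $text = Get-Content -Path $descriptor -Raw -ErrorAction SilentlyContinue
    # Assumption: raw-disk descriptors are small text files referencing \\.\PhysicalDriveN.
    $drive = if ($text -match 'PhysicalDrive\d+') { $Matches[0] } else { 'not a raw physical-disk descriptor' }
    '{0} = {1}  ->  {2}' -f $_, $config[$_], $drive
}
```

If the audit reports an adapter as present, remove it in the VM settings rather than relying on "disconnected"; a configuration with no `ethernetN.present = "TRUE"` entry is the state the post's Do not use a network connection choice produces.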

So, after creating the VM and clicking the start button, it worked.

You can either unlock the password with effort, or politely ask the original owner.

Conclusion

Arsenal Image Mounter is a very useful tool.

In particular, being able to write-mount without modifying the original file is wonderful, and it's handy when you want to run antivirus software, so I think it's worth having one in every household.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/08fe13c70d5b24

Reference Sites

https://www.reddit.com/r/computerforensics/comments/u80g7c/no_boot_after_conversion_of_e01/