I have tried to open zip files and VHDs within Autopsy. I see that a .zip file is not a file format that Autopsy will open. With that, I tried to have Autopsy open a VHD, without success also.
I created a VHD utilizing KAPE and the VHD opens in FTK Imager just fine. When I put the VHD into Autopsy the file system is not seen. I then mounted the VHD with Arsenal Recon and pointed Autopsy at the mounted drive, and Autopsy still did not see a file system.
The VHD created by KAPE appears to be correct as FTK and Arsenal Recon both can view it.
What I want to do is run KAPE against several drives, extract data and put the recovered files into a VHD for triage. The output of KAPE can be processed in Autopsy.
Autopsy can parse the ZIP and VHD, but you have to run the Embedded File Extractor module; it is similar to what we use in FTK and EnCase as Expand Compound Files.
I tried to “Add Data Source” and my source was a vhd file. Autopsy would ingest the vhd and only see a data stream.
I then tried to mount the VHD file in Windows. Windows mounted it fine and produced PhysicalDrive5. I then used “Add Data Source” in Autopsy, pointing it to PhysicalDrive5. I got this error…
Errors occurred while ingesting image
Cannot determine file system type (Sector offset: 63, Partition Type: NTFS / exFAT (0x07))
Possible Incomplete Image: Error reading volume at offset 3,554,868,736
Hi
Can you please share screenshots of how you are mounting the VHD?
This VHD which you have created, is it at the logical level, file system or physical level?
From your post it looks like you added a few folders to the VHD, which is logical in nature, but you are trying to add it as physical drive 5 after mounting.
I suggest mounting the VHD with FTK Imager at the logical level, then using EnCase Imager to export a logical image in L01 format for the mounted directory, and trying to add that in Autopsy.
Autopsy also indicated that I can put in a Data Source of e01, dd, raw, bin, vhd and vmdk…. I attempted to do that with errors.
I have attached pics utilizing FTK to mount the VHD file, then attempting to have Autopsy read the physical drive.
After some testing I found that if I mount the VHD at the file system level (logical) via FTK Imager and add it as a logical file set in Autopsy, then Autopsy parses it without any issue.
I have no idea why it did not parse the VHD directly, but as a workaround, mount your VHD at the file system (logical) level, add it in Autopsy as a logical file set and run the modules.
But it would be difficult to do this for a KAPE output for multiple devices.
I believe I have an answer as to why the VHD will not parse correctly. If you can find the NTFS VBR and look at the last 2 bytes of the 512-byte record, you may notice that it does not have the end of sector marker (55AA big endian or AA55 little endian magic number). If you add those 2 bytes in, then Autopsy and Sleuthkit will be able to find the file system and process it. I have tested it and it does work. Not sure why that would be missing, but it did fix a test KAPE VHD file I created that would not process. I had the same error as was reported; once I added those 2 bytes I was able to process it and see everything.
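The check described in the post above, as an added example that is not part of this thread nor code from TSK, Autopsy or KAPE: it builds a constructed NTFS-style VBR at sector 63 (the sector offset from the error quoted earlier), reports whether bytes 510-511 carry the 0x55 0xAA marker, and writes the marker into a working copy of the image only when the sector otherwise looks like an NTFS VBR. Image layout and BPB values are constructed test data, not taken from a real KAPE VHD.

```python
import struct

SECTOR = 512
BOOT_SIG_OFFSET = 510      # last two bytes of the 512-byte VBR
BOOT_SIG = b"\x55\xaa"     # on-disk order 55 AA; reads as 0xAA55 as a little-endian u16
NTFS_OEM_ID = b"NTFS    "  # OEM ID at bytes 3..10 of an NTFS boot sector

def make_ntfs_vbr(with_signature: bool) -> bytes:
    """Constructed, minimal NTFS-style VBR: jump, OEM ID, a few BPB fields, zero padding."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"              # JMP short + NOP, as in a real NTFS VBR
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", vbr, 11, 512)    # bytes per sector
    vbr[13] = 8                             # sectors per cluster
    struct.pack_into("<Q", vbr, 40, 1024)   # total sectors (constructed value)
    if with_signature:
        vbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = BOOT_SIG
    return bytes(vbr)

def vbr_problems(vbr: bytes) -> list[str]:
    """Return the validation failures a file-system probe would raise for this sector."""
    problems = []
    if len(vbr) != SECTOR:
        return [f"expected a {SECTOR}-byte sector, got {len(vbr)} bytes"]
    if vbr[3:11] != NTFS_OEM_ID:
        problems.append("OEM ID is not 'NTFS    '")
    if vbr[BOOT_SIG_OFFSET:] != BOOT_SIG:
        found = vbr[BOOT_SIG_OFFSET:].hex()
        problems.append(f"missing 0x55AA end-of-sector marker at bytes 510-511 (found {found})")
    return problems

def patch_boot_signature(image: bytearray, sector_offset: int) -> bool:
    """Write the marker into the VBR at sector_offset. Returns True if the image was changed.
    Refuses to touch a sector without the NTFS OEM ID so a wrong offset is not clobbered."""
    start = sector_offset * SECTOR
    vbr = image[start:start + SECTOR]
    if vbr[3:11] != NTFS_OEM_ID:
        raise ValueError(f"sector {sector_offset} does not carry an NTFS OEM ID")
    if vbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIG:
        return False
    image[start + BOOT_SIG_OFFSET:start + BOOT_SIG_OFFSET + 2] = BOOT_SIG
    return True

def build_image(with_signature: bool, vbr_sector: int = 63) -> bytearray:
    """Constructed raw image: zeroed sectors, then the VBR at vbr_sector (63, as in the error)."""
    image = bytearray(SECTOR * (vbr_sector + 8))
    image[vbr_sector * SECTOR:(vbr_sector + 1) * SECTOR] = make_ntfs_vbr(with_signature)
    return image

if __name__ == "__main__":
    img = build_image(with_signature=False)
    print(vbr_problems(bytes(img[63 * SECTOR:64 * SECTOR])))
    print(patch_boot_signature(img, 63), vbr_problems(bytes(img[63 * SECTOR:64 * SECTOR])))
```

Work on a copy of the evidence image and record the patched offset and the original bytes, so the change stays documented alongside the hash of the untouched original.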
Wow, how weird is that… All the other tools rendered the VHD correctly. I wonder if Brian can have his guys fix it, or does the VHD creation need to be done differently?... Thanks
I do not believe that is something that should be changed in TSK, as it is a validation check for the file system. The better question would be why other tools are ignoring it. When I create a VHD through Disk Management it creates the VBR correctly with the end of sector marker; this is the first time I have seen this behavior. Not sure how KAPE is creating the VHD, maybe that is the issue.
I made both VHDX and VHD, mounted and not, and I didn't see anything change in that regard.
I was able to mount the disk in Arsenal Image Mounter (the VHD), and Windows of course handled the VHDX without issue.
Based on how Windows behaves, I would say relaxing things makes the most sense.
I can follow up with the project that I use to make the VHDX files to see if I missed calling something to add it, but based on the fact that Windows does not care, things should be relaxed, as IMO, if it works in Windows, it should work in other tools.
If I find out anything from the project and can call something to add that signature, I'll do so and report back here.