root@azazel:/mnt/carvfs/524a4efcaa84cf7391705b2b292644a6# strings CarvFS/0:1024.crv
NO NAME FAT16
I'll leave you to work out why this is useful; alternatively you can also read my "Memory Card Forensics" post. Here is how I installed CarvFS:
I downloaded the source packages for CarvFS, libcarvpath, libewf and fuse. They can be found here:
There's no specific order, but make sure that libewf, fuse and libcarvpath are installed before CarvFS.
I believe fuse should already be running as a kernel module in 7.04, so the kernel module will not be built.
Then, once you install CarvFS, you're pretty much ready to go. I had one problem: when I ran carvfs I received a "library not found" error for libfuse.so.2. The library itself was in /usr/local/lib, but there was no entry for it in /etc/ld.so.conf. So I added the entry, ran ldconfig, and all was well.
How will you test CarvFS? First, you will need either a raw 'dd' image or an EWF image. libewf will install a tool called 'ewfacquire' which you can use to make EWF images. Here is an excerpt of one of my sessions:
sheran@azazel:~/Personal/research$ ewfacquire /dev/sdb1
ewfacquire 20061223 (libewf 20061223, zlib 1.2.3, libcrypto 0.9.8)
Information about acquiry required, please provide the necessary input
Image path and filename without extension: usbdisk
Case number: 1923
Description: USB Disk
Evidence number: 12
Examiner name: Sheran
Notes: 64Mb USB Disk used for Forensics tests
Media type (fixed, removable) [fixed]: removable
Use compression (none, fast, best) [none]: best
Use EWF file format (smart, ftk, encase1, encase2, encase3, encase4, encase5, linen5, ewfx) [encase5]:
Start to acquire at offset (0 >= value >= 65135616) :
Amount of bytes to acquire (0 >= value >= 65135616) :
Evidence segment file size in kbytes (2^10) (1440 >= value >= 2097152) :
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096) : 512
The amount of sectors to be used as error granularity (1 >= value >= 512) :
The amount of retries when a read error occurs (0 >= value >= 255) :
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [yes]:
It goes on to acquire an EWF image of my 64Mb USB Disk.
The next step would be to mount it. Create a mount point for it first. I use /mnt/carvfs.
sheran@azazel:~/Personal/research$ sudo carvfs /mnt/carvfs ewf usbdisk.E01 /mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80
Now that the image is mounted, switch to the root prompt (I wasted some time on this one) and then go into the mounted image:
root@azazel:/mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80# ls -alrt
-rw-rw-rw- 1 root root 2545 1970-01-01 04:00 README
-r--r--r-- 1 root root 1397 1970-01-01 04:00 ocfa.xml
-r--r--r-- 1 root root 65135616 1970-01-01 04:00 CarvFS.crv
d--x--x--x 3 root root 0 1970-01-01 04:00 CarvFS
drwxr-xr-x 3 root root 0 1970-01-01 04:00 .
drwxr-xr-x 5 root root 4096 2007-06-18 17:43 ..
I then ran strings on the first 512 bytes, like so:
root@azazel:/mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80# strings CarvFS/0:512.crv
NO NAME FAT32 3
Remove disks or other media.
Press any key to restart
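The CarvFS/0:512.crv path above is a virtual file that exposes offset 0, length 512 bytes of the evidence as an ordinary file, which is why strings finds the FAT boot sector text in it without anything being copied out of the image. As an added example (not code from CarvFS, libcarvpath or this post), here is a small Python equivalent that works on a raw dd image instead of a FUSE mount; it assumes the multi-fragment "a:b+c:d" carvpath form (only the single-fragment form appears above) and the standard FAT BPB field offsets.

```python
# Added example, not CarvFS code: emulate what a path like CarvFS/0:512.crv
# returns, over a raw dd image. Assumptions: fragments are "offset:length"
# joined with "+", and FAT label/type fields sit at the usual BPB offsets.
import re
from typing import List, Tuple

FRAGMENT = re.compile(r"^(\d+):(\d+)$")

def parse_carvpath(spec: str) -> List[Tuple[int, int]]:
    """'0:512' or (assumed syntax) '0:512+1024:512' -> [(offset, length), ...]."""
    frags = []
    for part in spec.split("+"):
        m = FRAGMENT.match(part)
        if not m:
            raise ValueError(f"bad carvpath fragment: {part!r}")
        frags.append((int(m.group(1)), int(m.group(2))))
    return frags

def carve(image: bytes, spec: str) -> bytes:
    """Bytes a CarvFS file named '<spec>.crv' would contain. Every fragment
    must lie inside the evidence; reading past the end is refused, not padded."""
    out = bytearray()
    for off, ln in parse_carvpath(spec):
        if off + ln > len(image):
            raise ValueError(f"fragment {off}:{ln} exceeds image size {len(image)}")
        out += image[off:off + ln]
    return bytes(out)

def fat_info(sector: bytes) -> dict:
    """Recover the fields 'strings' showed in the post (volume label and FS
    type) from a boot sector, after checking the 0x55AA signature."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return {"valid": False}
    if sector[82:87] == b"FAT32":              # FAT32 BPB keeps them further in
        label, fstype = sector[71:82], sector[82:90]
    else:                                      # FAT12/FAT16 layout
        label, fstype = sector[43:54], sector[54:62]
    return {"valid": True,
            "fstype": fstype.decode("ascii", "replace").strip(),
            "label": label.decode("ascii", "replace").strip()}

def sample_image() -> bytes:
    """Constructed 4 KiB image whose first sector is a minimal FAT16 boot sector."""
    bs = bytearray(512)
    bs[3:11] = b"MSDOS5.0"
    bs[43:54] = b"NO NAME    "
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs) + b"\x00" * (4096 - 512)
```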
That's about it.
I know my instructions probably suck big time, but I didn't want to waste too much time in actually telling you how to do some of the other things. Anyway, if you're sniffing around CarvFS you probably know how to do most of the stuff anyway. If, however, you still want to know stepwise details, drop me a comment or mail me.