Case Study: Imaging a Windows Tab with Kali Linux over the Shared Network Folder.
3rd Eye Techno Solutions Pvt Ltd, New Delhi, INDIA. - www.3ets.in

Although this case might not be very new, I’m sure many of us would benefit from this case study while performing forensic imaging someday in a situation comparable to the one explained in the following paragraph. My intention is to share the knowledge so that the community benefits; many times the idea is not very innovative, but it still helps if we have already heard or read about it.

Two days back I received a call from one of our clients, and he explained the following situation. There was a Tab of a well-known brand which had only one USB port, and it had to be returned ASAP. The client wanted to image it before it was sent back, and he live-booted it with Kali Linux through a USB hub. He connected the external HDD but found that the hub was unable to supply sufficient power to this external HDD and thus was not able to power it up!

Given the urgency of returning the device, he had extremely limited time and resources at that point, so I suggested that he connect the Tab to Wi-Fi and at the same time use one of the Windows desktops available to connect to the same network. We shared one of the folders from the Windows machine and then mounted it on the Kali Linux already booted on the Tab (using an external boot device). The DD image of the Tab was then made with this shared network folder as the destination folder.

Below are the commands that enable us to mount the shared folder from a Windows machine, just in case anyone wants to use them in future in a similar situation.

Step 1: Share the Windows folder:

a)    Right Click on the desired folder.

b)    Select “Sharing” tab.

c)    Click on “Share” button.

d)    Select the user and click on the small dropdown (need to assign “Read/Write” rights).

e)    Click on “Read/Write” option.

f)    Click on “Share” button.

Step 2: Open terminal in Kali Linux and run below commands:

a)    sudo apt update – (Downloads updates)

b)    sudo apt install cifs-utils – (Installs CIFS Utilities required for network drive mounting)

c)    sudo mkdir /home/kali/Network_Drive – (Creates a folder named “Network_Drive” in the /home/kali directory)

d)    sudo mount -t cifs -o username=<win_share_user> //<SERVER_IP>/<share_folder_name> /home/kali/Network_Drive

e)    Once the above command runs, the terminal will ask you for the password of the Windows user. Type the password and hit “Enter”.

If the above commands are successful, you’ll see the folder named “Network_Drive” under “Devices” in Kali Linux.

Once this is done, use your Kali utilities to create the image and give the newly mounted network folder as the destination folder. Sometimes write permissions have to be granted separately, and such issues need to be handled case by case, but most of the time the above solution works!
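As an added example (not part of the original article), the imaging step can be wrapped so that it first confirms the destination really is the CIFS mount and then compares SHA-256 hashes of the source and the image. The function names, the device name /dev/mmcblk0 and the image file name are assumptions; the hash comparison goes beyond what the article describes.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Paths and device names are assumptions.

# Print the filesystem type mounted at exactly $1, reading mount table $2
# (default /proc/mounts). Fails if nothing is mounted there, e.g. when the
# CIFS mount did not succeed and the directory is still on the live USB.
mount_fstype() {
    awk -v mp="$1" '$2 == mp { t = $3 } END { if (t) print t; else exit 1 }' \
        "${2:-/proc/mounts}"
}

# Image $1 (block device or file) to $2 with dd, then hash source and image.
# Leaves $2.dd.log (dd transfer record) and $2.sha256 next to the image.
# Returns 0 only if both SHA-256 values match.
image_and_verify() {
    local src="$1" img="$2" src_hash img_hash
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi
    dd if="$src" of="$img" bs=4M 2>"$img.dd.log" || return 3
    sync    # flush buffered writes to the share before reading the image back
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Usage as root on the live system (/dev/mmcblk0 is an assumed device name,
# confirm it with lsblk first):
#   [ "$(mount_fstype /home/kali/Network_Drive)" = cifs ] &&
#       image_and_verify /dev/mmcblk0 /home/kali/Network_Drive/tab.dd
```

If the mount in Step 2 failed silently, the first check stops the image from being written into the live system's own storage instead of the Windows share.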

Hope this will be of use to some of you.
