Saturday, August 15, 2009

Devio: Remote drive access and acquisition

Back when I was writing the Focus on Forensics Linkfest post, I mentioned a handy little freeware tool.

It works on all Windows systems I currently use: XP/Vista/Win7 in both 32- and 64-bit flavors along with Windows Server.  (Though UAC must be turned off in Vista/Win7, or the driver set up to auto-load on system startup, as explained on the program page. And for 64-bit systems, testsigning must be turned on.)

Anyway…..

I like it as it allows me to mount several different “image” files (including IMG/dd image captures) as physical drives for direct access in Windows Explorer (or other file-managers).  That is SO handy!

I also figured out it adds a “Control Panel” item as well for fine-tuning settings and access. Sweet.


Anyway….this post is specifically about the “extra” feature.

While actually reading the page-post for ImDisk I finally caught this part:

The install package also contains a user-mode helper service that enables the virtual disk driver to forward I/O requests to other computers on the network. This makes it possible to boot a machine with NTFS partitions with a *nix Live-CD and use the included devio tool to let ImDisk on another computer running Windows on the network mount the NTFS partition on the machine you booted with the *nix Live-CD. This way you can recover information and even run chkdsk on drives on machines where Windows does not boot. I am working on a Live CD image with devio and other useful things for this pre-loaded. Will publish that one for download soon.

Devio? 

What’s that and what has it got to do with ImDisk?

From what I could tell from the description above and this devio - read and write block devices *nix page, when executed on a remote system, ImDisk can then be used to connect to the system and mount the indicated volume or physical drive as a local “virtual” drive letter over a network.  OMG!

But, though I am quite comfortable working on Linux systems, particularly LiveCD distros, Win PE 2.0/3.0 is really where my daily grinds occur.

I could have really used this tool to remote mount and access systems that were borked, or if a technician needed particular assistance from the field, or maybe image captures for incident-response.

Too bad.

But Wait! There’s More!

The ImDisk developer (Olof Lagerkvist) actually does have a Windows CLI port of devio!  You just have to know where to look!

You can download devio.exe for Windows here: http://www.ltr-data.se/files/devio.exe

That was actually found on this Boot-Land Forum post where Olof maintains information on devio as well as ImDisk.

Using Devio & ImDisk & Win PE 3.0

I’m using my Custom Win PE Boot Disk but a Win PE 2.0 (Vista) or even Win PE 1.0 (XP / BartPE) should work fine. I also wonder (but haven’t yet tried) if the Windows FE disk would also work. Probably so with a few extra commands.

This assumes that ImDisk has been loaded and installed on the “local/host” Windows system you will be mounting the “remote/target” system running devio on as a local drive-letter.

Also, while I am “off-line” booting a Windows system with my Win PE disk, you could also easily run devio on a normally running (Live) Windows system as well and access accordingly after a few adjustments in the steps below.

  1. Boot the remote system with your Win PE boot disk and/or a USB stick that has devio on it.  In my case, I run Win PE 3.0 from a bootable USB stick for fastest booting and convenience for adding applications such as devio.

  2. Once up, you need to disable the Win PE firewall to open up the port that devio will use to communicate on.

  3. Open up a Command Prompt window and type wpeutil DisableFirewall then press <enter>

  4. Browse to where your Windows devio.exe file is then figure out what you want to mount.

    1. I run DISKPART and then the command LIST DISK to figure out what the physical drives are. (Type exit to get out of DiskPart.)

  5. You will also need to know the IP address of the system you are running devio on.  I just type "ipconfig" to get that information.

  6. Now, from the command line, type any of the following commands, depending on what you want to accomplish:  (quoting from Post #2)

      If you have a disk D: that you would like to connect to from another machine, type the following on the server-end machine:  
      devio 9000 \\.\D:
      If you want read-only operation so that you don't accidentally destroy anything:
      devio -r 9000 \\.\D:
      If you attach to a PhysicalDriveN object you can enter partition number to use:
      devio -r 9000 \\.\PhysicalDrive1 2
      This will use partition 2 on disk 2

  7. Note: for my systems at work that generally only have a single drive and a single partition, to get the whole drive to access/image (say via a Win PE boot) use:
    devio -r 9000 \\.\PhysicalDrive0

  8. Hopefully it launched correctly and is running as follows.  Just leave this window open as long as you need to access this particular system drive, or minimize it if desired.

  9. Then, to attach to it from the client machine using ImDisk (must be installed), open a command-prompt use the following syntax:
    imdisk -a -t proxy -o ip -f nnn.nnn.nnn.nnn -m R:
    Change nnn.nnn.nnn.nnn to your IP address from step 5 above.

  10. If all goes well, depending on the network connection and/or your system speed, ImDisk will launch, connect to the remote devio session and mount the drive as a local drive letter.
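To tie the server-side steps above together, here is a small wrapper script I would drop next to devio.exe on the Win PE stick. It is an added example, not part of the original post or of the devio/ImDisk projects; the script name, the assumption that devio.exe sits in the same folder, and the port 9000 (the one used in the post) are my choices. It defaults to read-only and only serves read-write when you explicitly ask for it.

```batch
@echo off
REM serve-disk.cmd (added example; assumes devio.exe is in the same folder as this script)
REM Usage: serve-disk.cmd <disknumber> [partition] [rw]
REM Serves \\.\PhysicalDrive<disknumber> (optionally one partition) on port 9000.
REM Read-only (-r) unless the literal word "rw" is given as the last argument.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<disknumber^> [partition] [rw]
    echo   %~nx0 0       serve whole PhysicalDrive0, read-only
    echo   %~nx0 1 2     serve partition 2 of PhysicalDrive1, read-only
    echo   %~nx0 0 rw    serve whole PhysicalDrive0, read-WRITE
    exit /b 1
)
set DISK=%~1
set PART=%~2
set MODE=-r
REM "rw" may appear as the 2nd argument (no partition) or the 3rd
if /i "%~2"=="rw" (set PART=& set MODE=)
if /i "%~3"=="rw" set MODE=

if not exist "%~dp0devio.exe" (
    echo devio.exe not found in %~dp0
    exit /b 1
)

REM Show the disks on this machine so the disk number can be double-checked before serving
echo LIST DISK> "%TEMP%\listdisk.txt"
diskpart /s "%TEMP%\listdisk.txt"
del "%TEMP%\listdisk.txt"

REM The client side (imdisk -a -t proxy -o ip -f ^<this address^> -m R:) needs this
ipconfig | findstr /c:"IPv4 Address" /c:"IP Address"

REM The Win PE firewall would otherwise block the listening port
wpeutil DisableFirewall

if "%MODE%"=="" (
    echo WARNING: serving \\.\PhysicalDrive%DISK% %PART% READ-WRITE; client writes land on this disk
) else (
    echo Serving \\.\PhysicalDrive%DISK% %PART% read-only on port 9000
)
REM Leave this window open for as long as the client needs the drive; Ctrl+C ends the session
"%~dp0devio.exe" %MODE% 9000 \\.\PhysicalDrive%DISK% %PART%
endlocal
```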

You can now access the drive to copy files from, use ImDisk to grab an IMG format image of the drive, or (if you didn’t use the -r “read-only” switch) copy/move/delete files and perform other actions on the files.


To end the session, just either press Ctrl+C on the remote system or dismount from the local ImDisk options and/or control panel item.

I would recommend using the “read only” setting when accessing/mounting attached images until you are very familiar with the utility and with navigating between the systems.  That way you can be sure not to accidentally flub something up critically.

Devio is a cool little tool that when combined with ImDisk and some know how can really expand the options in accessing remote Windows disks/volumes.

Just use it carefully and wisely.

Here is more linkage to study this nice little daemon.

Like I said, it could be useful…

--Claus V.

3 comments:

Anonymous said...

Hi, just a question:

Does devio unmount the local drive?
Otherwise both PCs could write to the same device?!?

ps: thanks for this great blog!
yours
rh

Claus said...

@rh - it was not my experience that the local drive was unmounted by devio.

Assuming the Windows devio.exe was executed on the local system with sufficient privileges with the user account rights, then I guess all sorts of naughtiness could ensue.

Granted, my particular focus for use was only for down-n-dirty remote support/recovery via a WinPE type interaction...rather than running it on a "live" system with the user account possibly doing additional work (if I am understanding your question correctly). So I wasn't too concerned about both locations writing to the same source/device.

If that is a concern, I'm sure you caught the following in the post:

"...if you didn’t use the -r “read-only” switch, you can copy/move/delete files and perform other actions on the files."

So use the -r argument to ensure you don't do an accidental change to the target device that is running Devio.

Does that make sense?

Cheers

--Claus V

Travis B Creighton said...

A great tool to simplify the use of GUI based tools on remote machines that have an AMT version less than 6.0.