Simple iSCSI image mounting in C# with Arsenal Image Mounter

Over the weekend I finally took the time to dig through the source code from Arsenal for mounting forensic images. It’s been on my list for a long time so I was excited to do some hacking and see what I could come up with. Although the documentation is not good I was able to hack together some simple code for mounting a raw image using the ArsenalImageMounter library so that I can use it in my own code at some point. Their code is in vb.net which I’m not accustomed to so it felt like trying to read Italian when you speak Spanish… some stuff just doesn’t translate well.

Our team over at GC Partners has been making a lot of progress with pytsk, pyewf and other python binded libraries which is really exciting! But my heart is still with C# so I want something in .NET for some of the tools I’m working on.

If you have used ArsenalImageMounter before you probably know that you can mount images that are raw, raw sparse, expert witness formats.

So without any smoke and mirrors here is some code for mounting a RAW or Sparse RAW. This code doesn’t work for expert witness (EWF/E01) just yet..

Getting Started

For this example I took code from the ArsenalImageMounterMountTool vb project since it contains the user interface. Then translated to C# the parts of the code specific to mounting and un-mounting an image; excluding anything not specific to mounting or un-mounting.

I’m assuming proficiency with programming and some C# for this example…

Create your project in Visual Studio and add references to your project for Arsenal.ImageMounter and Arsenal.ImageMounter.Devio. I have DiscUtils and DiscUtils.Common added as well but you probably won’t need that unless you want to use discutils. To get the dll’s you will need to download the ArsenalImageMounter code and make sure to install the iSCSI driver that is distributed with it. I compiled the code but the compiled dll’s should work just fine.

RAW Image Mounting Code

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.IO;
using Arsenal.ImageMounter;
using Arsenal.ImageMounter.Devio.Server.Interaction;

namespace ReadImage
{

private ScsiAdapter Adapter;

public void Mount(string Imagetype, string Imagefile)
{
Adapter = new ScsiAdapter();
Adapter.GetDeviceList();
Adapter.GetDeviceProperties();

var ProxyType = new DevioServiceFactory.ProxyType();

if (Imagetype == “RAW”)
ProxyType = DevioServiceFactory.ProxyType.None;
else if (Imagetype == “RAWSparse”)
ProxyType = DevioServiceFactory.ProxyType.MultiPartRaw;
else if (Imagetype == “DiscUtils”)
ProxyType = DevioServiceFactory.ProxyType.DiscUtils;
            else if (Imagetype == “EWF”)
                ProxyType = DevioServiceFactory.ProxyType.LibEwf;
else
return;
var Flags = new DeviceFlags();

try
{
uint SectorSize;

using (var service = DevioServiceFactory.GetService(Imagefile, FileAccess.Read, ProxyType))
{
SectorSize = service.SectorSize;
}

var DiskAccess = new FileAccess();

DiskAccess = FileAccess.Read;

var Service__1 = DevioServiceFactory.GetService(Imagefile, DiskAccess, ProxyType);

Service__1.SectorSize = SectorSize;

Service__1.StartServiceThreadAndMount(Adapter, Flags);

LastCreatedDevice = Service__1.DiskDeviceNumber;

}
catch (Exception ex)
{
throw ex;
}

}

Mounting synopses

What is happening above is I’m forcing a ReadOnly flag intead of making it optional. The code is setting the Sector Size to the detected SectorSize instead of giving you the option to overwrite it. If you have issues with your SectorSize you can overwrite it with something else.

Un-Mounting the Image(s)

You will need to use this code to remove the iSCSI devices or reboot your computer. I wasn’t able to detach the image like a VHD.

Since this is quick and dirty the code just looks for ALL iSCSI devices and removes them. If you have a server with iSCSI/SAN don’t run code there since it might just unmount your SAN/NAS, oops.

namespace ReadImage
{
class unmount
{
private ScsiAdapter Adapter;

public void UnMount_AlliSCSI()
{
Adapter = new ScsiAdapter();

Adapter.GetDeviceList();
Adapter.GetDeviceProperties();

Adapter.RemoveAllDevices();

}

}
}

Un-Mounting Synopsis

This force-ably un-mounts all iSCSI devices.

Wrap-up

So what you have above is a function that I pass two variables into. The first is the type of image and the second is the full path to the image. I’ve tried to rip out anything that didn’t directly get the image mounted since that’s all we care about for this exercise. Hope your enjoy and send feedback or if you have better examples you want me to link to that is even better!

Enjoy!

Dave

*I want to thank the folks at Arsenal for building and putting this library out there for the world to use.

Share

2 comments on “Simple iSCSI image mounting in C# with Arsenal Image Mounter”

    • Dave

      Coelho,
      Make sure you are using the latest Arsenal Source code and the drivers distributed with the source code and not the binary. The two are different versions (very confusing). Under the hood the reason is the iSCSI driver has a different guid identifier which causes the “not found” issue. They probably changed some underlying code that caused the identifier change. Make sure to uninstall the previous arsenal driver and reboot before installing the new one. This fixed that issue for me.

      On the downside the binary distrubution of Arsenal probably won’t work anymore. You’ll have to used the binary you compile from source going forward. It’s a newer version and works really well for me.

      Hope this helps.
      -Dave

Comments are closed.
UA-8105999-2