Showing posts sorted by relevance for query xboot.

Friday 31 January 2014

Transferring ISOs from an XBOOT USB drive to Easy2Boot

If you already have an XBOOT USB drive containing linux ISO files, you may have found that when you copy them to your Easy2Boot USB drive, they don't work.

This is because XBOOT modifies the ISOs. For a typical linux ISO, XBOOT will extract the files from the casper folder of the ISO file and then copy them to a subfolder under the \images folder on the USB drive. XBOOT also modifies the \isolinux\isolinux.cfg file contents (inside the ISO file) to add some cheat codes which will direct the linux kernel to load the squashfs files from a different folder, e.g.

label driverupdates=Use driver update disc
append driverupdates=debian-installer/driver-update=true

is converted to:

label driverupdates=Use driver update disc
append driverupdates=debian-installer/driver-update=true ignore_uuid live-media-path=/images/fdraptor/casper

The cheat codes added by XBOOT may work for some linux distros (or versions) but not for others. This is why it is 'hit-or-miss' as to whether XBOOT will work or not with 'unsupported' ISOs.

To move these XBOOT converted ISOs to an E2B USB drive we need to:

1. Copy the whole \images folder from the XBOOT drive to \images on the E2B drive
2. Move the ISO files to the \_ISO\MAINMENU folder

So if we had 'fdraptor' on our XBOOT drive, we would now have an E2B drive with these folders:
  • \images\fdraptor\casper\ - several files including filesystem.squashfs (700MB)
  • \_ISO\MAINMENU\fdraptor.iso (32MB)
As many linux initial kernels do not support NTFS, XBOOT does not work well on an NTFS drive. If you use these files on an E2B drive, the E2B USB drive needs to be formatted as FAT32 and not NTFS.
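The check below is an added example, not part of the original post or of XBOOT/Easy2Boot. It reads the text of an isolinux.cfg (assumed to have been extracted from the ISO beforehand), pulls out the live-media-path cheat codes that XBOOT adds, and confirms that each referenced folder on the E2B drive holds filesystem.squashfs. The function names and the second menu entry in the sample are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the cheat code XBOOT appends, e.g. live-media-path=/images/fdraptor/casper
MEDIA_PATH = re.compile(r"\blive-media-path=(\S+)")

def xboot_media_paths(cfg_text):
    """Return the distinct live-media-path values found on 'append' lines."""
    found = []
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if not stripped.lower().startswith("append"):
            continue
        for value in MEDIA_PATH.findall(stripped):
            if value not in found:
                found.append(value)
    return found

def check_e2b_layout(cfg_text, drive_root):
    """Map each referenced folder to True if it holds filesystem.squashfs."""
    root = Path(drive_root)
    result = {}
    for media in xboot_media_paths(cfg_text):
        folder = root.joinpath(*media.strip("/").split("/"))
        result[media] = (folder / "filesystem.squashfs").is_file()
    return result

# Constructed sample: the modified entry quoted above plus an unmodified one.
SAMPLE_CFG = """\
label driverupdates=Use driver update disc
append driverupdates=debian-installer/driver-update=true ignore_uuid live-media-path=/images/fdraptor/casper
label plain
append boot=casper quiet
"""

def demo():
    """Check a throwaway drive layout before and after copying \\images (step 1)."""
    with tempfile.TemporaryDirectory() as drive:
        before = check_e2b_layout(SAMPLE_CFG, drive)
        casper = Path(drive, "images", "fdraptor", "casper")
        casper.mkdir(parents=True)
        (casper / "filesystem.squashfs").write_bytes(b"")  # empty stand-in file
        after = check_e2b_layout(SAMPLE_CFG, drive)
    return before, after

if __name__ == "__main__":
    print(demo())
```

An empty result means the cfg carries no live-media-path cheat code, so the ISO does not depend on an \images subfolder in this way.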

Of course, you can just download the original ISOs from the web and copy them to your E2B drive (even on an NTFS E2B drive) and it should work just fine.

The other alternative is to make a .imgPTN file from the XBOOT USB drive by dragging-and-dropping the drive letter onto the MPI_FAT32 desktop shortcut.

Thursday 30 January 2014

Make a 'Forensics To Go' 32GB USB Flash drive

If you have a 32GB or larger USB pen and want a ready-made 'Forensic' multiboot USB Flash drive, try the (virtual disk) image provided on 'Hacking Exposed' by David Cowen\Kevin Stokes.  Download is here.


This USB disk image contains two FAT32 partitions, with XBOOT installed ISOs of...
  • SIFT 2.14
  • Kali Linux
  • Paladin 5
  • Raptor 3
on a hidden 2nd partition, and 4GB-worth of the following portable apps and tools on the first partition (which is visible to Windows):

Documents
analyzing-malicious-document-files.pdf
log2timeline-cheatsheet.pdf
Memory-Forensics-Cheat-Sheet-v1.pdf
Network Forensics Cheat Sheet.pdf
SANS-DFIR-Poster-2012.pdf
sbag.users.guide.v.0.24.pdf
SIFT Cheat Sheet and DFIR Curriculum.pdf
USB-Device-Tracking-Artifacts.pdf


Linux Tools
TZworks_64bit
TZworks_32bit
Truecrypt


Mac Tools
FortiClient_Installer.dmg
nmap-6.40-2.dmg
TrueCrypt 7.1a Mac OS X.dmg
TZworks


Portable Apps
PortableApps.com
2XClient
7-ZipPortable
AbiWordPortable
AntRenamerPortable
AutorunsPortable
BabelMapPortable
cdrtfePortable
ClamWinPortable
CommandPromptPortable
ConverberPortable
CrystalDiskInfoPortable
CubicExplorerPortable
DaphnePortable
DatabaseBrowserPortable
EraserPortable
EraserDropPortable
Explorer++Portable
FileAlyzerPortable
FileZillaPortable
FoxitReaderPortable
FrhedPortable
GetSudokuPortable
GoogleChromePortable
grepWinPortable
HDHackerPortable
HijackThisPortable
HWiNFOPortable
InfraRecorderPortable
IniTranslatorPortable
IrfanViewPortable
JkDefragPortable
KasperskyTDSSKillerPortable
KchmViewerPortable
KeePassPortable
KeepNotePortable
KiTTYPortable
McAfeeStingerPortable
Monster2Portable
CamStudioPortable
ChecksumControlPortable
ConvertAllPortable
DiffpdfPortable
Notepad++Portable
PasswordGorillaPortable
PeerBlockPortable
PidginPortable
ProcessExplorerPortable
ProcessHackerPortable
ProcessMonitorPortable
PuTTYPortable
PWGenPortable
RegshotPortable
SIWPortable
SkypePortable
SmartDefragPortable
SpybotPortable
SQLiteDatabaseBrowserPortable
SqlitemanPortable
StickiesPortable
SumatraPDFPortable
SystemExplorerPortable
TeamViewerPortable
ThunderbirdPortable
Toucan
UUID-GUIDGeneratorPortable
VLCPortable
WhoDatPortable
WindowsErrorLookupToolPortable
winMd5SumPortable
WinMTRPortable
WinSCPPortable
WiseDiskCleanerPortable
WiseProgramUninstallerPortable
WiseRegistryCleanerPortable
xpyPortable
CppcheckPortable
KompoZerPortable
NetHackPortable
PeaZipPortable
qBittorrentPortable
RevoUninstallerPortable
PortableApps.comLauncher

Windows Tools
volatility-2.3.1.standalone.exe
WiresharkPortable-1.10.5.paf.exe
Imager_Lite_3.1.1
NirSoft Tools
Password Tools
rrv2.8
Scalpel-2.0
SysinternalsSuite
Tools that require Install
TZworks 32bit
TZworks 64bit
USB Write - EnableProtect
Woanware



To make this USB Flash drive

You need a 32GB or larger USB drive.
1. Download the 8GB (!) USB_Multiboot.zip file from the blog here or the updated image here.
2. Extract the 30GB 'USB image for download.img' file to your system hard disk using 7Zip (or similar utility)
3. Run RMPrepUSB and insert your 32GB (or larger) USB Flash drive
Select the 32GB USB Flash drive in the top drive selection box and click on the File->Drive button.
Enter 1SEC for the file start sector (see screenshot), 0 for the USB start sector and 0 for the length.
After 10-30 minutes you will have a bootable USB flash drive.

The image is from a 32GB USB Flash drive made using XBOOT. If you wish to add more files to it using XBOOT, you must first swap the partition order over as follows:

1. Run RMPrepUSB and select the 32GB drive
2. Type CTRL-O and select partition 2 when prompted

This will swap over the partitions and make visible the XBOOT 1st FAT32 partition containing the (modified) ISO files:
  • fdraptor.iso
  • hirensbootcd.iso
  • paladin.iso
  • siftworkstationrevusb.iso
You should now be able to run XBOOT and modify the contents.

When you have finished testing the USB drive, use RMPrepUSB - Ctrl-O to change back the partitions and make the applications partition visible to Windows again.

You can either boot from this USB drive on a 'live' system or boot from it (or the original .img file) with the 'target' hard-disk image in VirtualBox.

Note: XBOOT modifies the .ISO files: it extracts the squashfs (casper) files into a subfolder under \images and removes them from the ISO. Therefore these .iso files cannot just be 'dropped' onto an Easy2Boot drive as they will not boot correctly. These XBOOT ISOs can be used if you copy the whole \images folder from the XBOOT partition to the root of a FAT32 E2B USB drive (not NTFS - it won't work!) and then move the .iso files to the \_ISO\MAINMENU folder (i.e. the E2B drive will contain a \images folder with subfolders).

Of course, you can download the original ISOs from their websites and simply add them to your Easy2Boot USB drive.

Note: There is a later download here which may have some of the files missing (I have not tested it).

Friday 31 January 2014

Easy2Boot .mnu files

Usually, when adding payload files to Easy2Boot, you just need to copy the file over and make sure it is contiguous. In some cases you may need to modify the file extension slightly too. However, for some 'special' payload files or if you want persistence when booting from linux ISOs, we need to use a .mnu file.

Below is a list of some of the .mnu files that can be found in the \_ISO\docs\Sample mnu Files folder of the Easy2Boot download in v1.25. More may be added to later versions, so always check for new examples!
Instructions on how to use .mnu files can be found by opening them in Notepad and reading the instructions within.

Sunday 7 December 2014

Easy2Boot v1.61 released

Changes from v1.60 are:

  • .mnu files for Windows Install ISOs menu entries in the Main menu can now be added by the user which can specify both the .ISO file AND the .XML file to use. See the $$AddWin2Main.mnu sample menu. This means a Windows Install ISO will boot without the user needing to choose a specific XML or Key file.
  • New grub4dos version
  • Menu heading positions have been altered - menu headings are now left-aligned instead of being centred. STRINGS.txt files updated.
  • HEADPOS variable is now easier to use (can place the menu heading on any line just by changing HEADPOS). See here for details.
  • Help Footer text at the bottom of the screen is no longer padded out by HPAD, so now HBTM determines its absolute position in the menu. See here for details.
  • \_ISO\docs\mythemes and \_ISO\docs\Templates files updated
  • \_ISO\Sample_MyE2B.cfg file updated (for HEADPOS, HBTM)
  • Italian language files added (thanks to Fabrizio)
  • German language STRINGS.txt improved (thanks to Frettt).
  • FreeDOS bootable floppy disk image changed (some FreeDOS utilities added)
  • Some superfluous files deleted from \_ISO\e2b\firadisk folder
  • Support for .isonousb and .imgnousb/.imanousb file extensions added - see here for details
  • Sample .mnu files added: DOS_ISONoUSB.mnu and DOS_IMAnoUSB.mnu, CentOS7_FAT32_ISO.mnu, Fedora20_FAT32_ISO.mnu
  • isoboot.g4b added to boot some non-contiguous linux ISOs. See here for details.

If you are using a MyE2B.cfg file and your own background, you may find you need to change the HEADPOS and HBTM values in your MyE2B.cfg file.

isoboot.g4b

If an ISO is not contiguous, E2B will try to copy the contents of the ISO to \_ISO\CONTIG.ISO which is 500MB in size by default. If this fails for some reason (e.g. CONTIG.ISO has been deleted to save space or the ISO is bigger than the size of CONTIG.ISO) then E2B will now use the isoboot.g4b batch script to attempt to boot directly from the linux ISO file by loading it into memory and using linux 'cheat codes' to boot it. This may not work for all versions of linux and it will only boot to the default 'live' version (no full boot menu is displayed).

Friday 18 April 2014

MPI Update pack 0.016/0.017 now available

Some more tweaks for using a USB drive as the payload source and also for using your own custom menu.lst file (which you should put in the CUSTOM folder).

0.016 had a minor bug where it listed all the modified menus on the screen, please use 0.017 or later.

By adding your own menu.lst and background file, etc. in the CUSTOM folder, you can change the look of the CSM Menu. Just make sure to use the csm\menu.lst file as a template. When you update MPI, you will not overwrite any of your files in the CUSTOM folder.

I have now made new images of different USB Flash pens that were made using the following programs
  • YUMI
  • PenDriveLinux Universal USB Installer
  • XBOOT (make using Syslinux and use the 'Replace menu.lst' option when asked)
  • SARDU
  • WinSetupFromUSB (use the 'Combine menu.lst' option when asked)
  • LiveUSBCreator (with persistence)
  • Rufus

These images all seem to work OK.

So now on my E2B USB Hard Disk, I can boot from almost any ISO or any image I like and, if supported, in UEFI mode too!


There are 10 types of people in the world the other 8 aren't programmers...

Wednesday 16 April 2014

MakePartImage Update Pack v 0.011 available

I have been unable to find an extraction program that works for all ISOs that is free, unlimited and distributable. MPI v 0.011 uses 7Zip by default, but if that fails, it uses the user-installed version of either WinRAR or PowerISO (if present).

Thanks for the suggestions for alternatives, I have checked 26 of them so far and none fit the bill. They are either not free or are limited Trialware, don't extract UDF ISOs correctly, cannot be legally distributed or don't accept command line parameters.

The other change is that there is now a CUSTOM folder. Any files you place in this folder will get copied to any .imgPTN file that you create. This allows you to customise each image.
For instance, you can modify the menu.lst file and create a new background for the CSM menu and place the new files in the CUSTOM folder. This will overwrite the files used by MPI.
You could also add any utilities, etc. to the CUSTOM folder (or make a subfolder) so that every image would contain your utilities.

This means I can release new updates which can overwrite your existing folder, but it won't overwrite your files in the CUSTOM folder.

P.S. The only one which did seem to extract ISOs correctly was: ISO Workshop (free but no command line support yet for extraction). Notably, Windows 8.1 Explorer, 7Zip and WinRAR all fail to show the correct contents with some ISO file formats!
A good test is to try extracting the antergos-2013.11.17-i686.iso file. It should work and not be in all uppercase (one of the files in \arch\boot is in mixed case). PowerISO (trial), WinZip (trial), WinISO (trial) and UltraISO (trial) failed with this one. PeaZip and 7Zip show lowercase files but these fail on UDF ISOs. ISO Workshop also shows lowercase files and mixed-case files.

P.S. Do you sometimes use YUMI, XBoot, LiveUSBCreator, PenDriveLinux, SARDU, Rufus, WinSetupFromUSB, etc.? Well, why not add all of your USB drives to one large E2B drive! Just make an .imgPTN file from each USB stick and then add the files to E2B. Just make sure to use the E2B CSM menu.lst file (or choose the Combine option if prompted).