How do I mount with cygfuse bdemount build?

[signal3436]

Hello,

I used Cygwin (installed all modules) to compile. When I run bdemount.exe in an admin cmd window to mount a BDE volume from a raw image, there is a slight pause but nothing is mounted to the specified drive letter. This occurs when using both the password and recovery options. When I try to use the FVEK option, I get errors:

---

P:\bdemount>bdeinfo P:\image.raw bdeinfo 20240223

Volume is locked and a password is needed to unlock it.

Password:

Unable to unlock volume.

BitLocker Drive Encryption information: Volume identifier : abbda335-f434-420c-b97e-5dc2fac4bf74 Encryption method : AES-XTS 128-bit Creation time : Mar 21, 2024 17:32:18.237762100 UTC Description : DESKTOP-B8H4DIM C: 3/21/2024 Number of key protectors : 3 Is locked

Key protector 0: Identifier : 49941cc7-a594-4ce9-be12-9e8d3007d356 Type : Password

Key protector 1: Identifier : d76929dc-6ab0-4f9c-bcd2-1be14f2bfca3 Type : Startup key

Key protector 2: Identifier : c92a358a-291f-42e0-ae44-617fc8f0a426 Type : Recovery password

---

P:\bdemount>bdemount.exe -p P:\image.raw X: bdemount 20240223 --> it pauses and I get the command prompt, nothing mounted

P:\bdemount>bdemount.exe -r P:\image.raw X: bdemount 20240223 --> it pauses and I get the command prompt, nothing mounted

P:\bdemount>bdemount.exe -k P:\image.raw X: bdemount 20240223

Unable to open source volume libbde_ntfs_volume_header_read_data: invalid volume system signature. libbde_io_handle_read_unencrypted_volume_header: unable to read NTFS volume header. libbde_internal_volume_unlock: unable to read unencrypted volume header. libbde_internal_volume_open_read: unable to unlock volume. libbde_volume_open_file_io_handle: unable to read from file IO handle. mount_handle_open: unable to open volume.

Here are the first 1024 bytes of the volume: 1024 bytes.txt

[joachimmetz]

Can you provide the offset and data of the unencrypted volume, looks like you sent me the encrypted volume header

Also see: https://github.com/libyal/libbde/wiki/Troubleshooting#verbose-and-debug-output

[signal3436]

I compiled with the Verbose and debug output, but when I run the commands with -v, there is no output anywhere.

[signal3436]

My apologies - I typed the -v command in the wrong place. Attached is the output.

output_-k.txt output_-p.txt output_-r.txt

UPDATE: So I realized Volatility only provided half the FVEK. When I provided the entire key the same behavior results - a quick pause and back to the command prompt with nothing mounted.

[joachimmetz]

thanks but you'll need to rebuild the library with the verbose/debug output options otherwise the output is not sufficient detailed also see https://github.com/libyal/libbde/wiki/Building#verbose-and-debug-output

also make sure to remove any sensitive data, I'm mostly interested in what is causing the signature check to fail

[signal3436]

thanks but you'll need to rebuild the library with the verbose/debug output options otherwise the output is not sufficient detailed also see https://github.com/libyal/libbde/wiki/Building#verbose-and-debug-output

also make sure to remove any sensitive data, I'm mostly interested in what is causing the signature check to fail

It's all test data so there's nothing sensitive.

Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

[joachimmetz]

Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

they are empty unfortunately, given verbose/debug option has not been compiled

[signal3436]

Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command.

they are empty unfortunately, given verbose/debug option has not been compiled

I re-uploaded, so each should be 80k.

[joachimmetz]

thanks looks better, will try to get taking a closer look soon, but have to deal with another thing first.

[signal3436]

thanks look better, will try to get taking a closer look soon, but have to deal with another thing first.

No worries at all. I really appreciate your help!

[joachimmetz]

output_-k.txt

libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: fe 1c cd ae 13 ec 33 e3  17 98 b6 63 73 12 e3 b8   ......3. ...cs...
00000010: c8 5e 7e e1 1e fa 5f cc  06 9a f4 f4 39 a1 71 16   .^~..._. ....9.q.
00000020: 7d 03 36 e3 b9 ab 38 6a  75 20 ec 9f 26 f1 2c 8d   }.6...8j u ..&.,.
00000030: 7d 08 ec 9e f6 f6 a8 af  2d 88 28 c1 d0 0d 92 ee   }....... -.(.....

output_-p.txt

libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00   .R.NTFS     .....
00000010: 00 00 00 00 00 f8 00 00  3f 00 ff 00 00 b8 11 00   ........ ?.......
00000020: 00 00 00 00 80 00 80 00  53 8f bb 0e 00 00 00 00   ........ S.......
00000030: 00 00 0c 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000040: f6 00 00 00 01 00 00 00  06 c6 a7 12 fc a7 12 70   ........ .......p

output_-r.txt

libbde_ntfs_volume_header_read_data: NTFS volume header data:
00000000: eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00   .R.NTFS     .....
00000010: 00 00 00 00 00 f8 00 00  3f 00 ff 00 00 b8 11 00   ........ ?.......
00000020: 00 00 00 00 80 00 80 00  53 8f bb 0e 00 00 00 00   ........ S.......
00000030: 00 00 0c 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000040: f6 00 00 00 01 00 00 00  06 c6 a7 12 fc a7 12 70   ........ .......p
00000050: 00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07   .....3.. ...|.h..

[joachimmetz]

Looks like output-p.txt and output-r.txt are able to decrypt the volume. Which version of Dokan are you using?

[signal3436]

Looks like output-p.txt and output-r.txt are able to decrypt the volume. Which version of Dokan are you using?

v2.0.5

[joachimmetz]

The issue you are encountering might be due to changes in Dokan 2.0 and later, I'll have a look later this week to see if I can add support. If you need it urgently you might be able to make the changes yourself based on https://github.com/libyal/libewf/commit/8abd6a9f79a3e942080c639a3705ea7da94a3efc

[signal3436]

I installed various versions of Dokan and I still can't get the image to mount.

Just so I'm clear and not doing anything wrong: -- I have bdeinfo.exe/bdemount.exe compiled in libbde\bdetools\ .libs -- I have cygbde-1.dll compiled in libbde\libbde\ .libs -- These three files were copied into a folder C:\bdemount

When I first ran bdemount.exe, I received error messages stating the following dlls were needed: --cygcrypto-3.dll, cygfuse-2.8.dll, cygwin1.dll, cygz.dll and winfsp-x64.dll

After these dlls were copied into C:\bdemount, the .exe ran (evidenced by the log files) but the image won't mount regardless of the Dokan version installed (v0.x, v1.x, v2.x).

Am I missing/omitting/screwing up a crucial step?

[joachimmetz]

cygfuse is not the same as Dokan, these are 2 different backends

how did you compile libbde and bdemount? with Visual Studio (+Dokan) or cygwin (+fuse)?

I assume the latter given your file names, but double checking

[signal3436]

cygfuse is not the same as Dokan, these are 2 different backends

how did you compile libbde and bdemount? with Visual Studio (+Dokan) or cygwin (+fuse)?

I assume the latter given your file names, but double checking

Yes, Cygwin (with every module installed).

So I need to compile with VS to get it to mount properly?

[joachimmetz]

So I need to compile with VS to get it to mount properly?

bdemount has been known to work with Linux fuse, macosfuse (see: https://github.com/libyal/libbde/wiki/Building#using-gnu-compiler-collection-gcc), and Dokan (pre 2.0) (see: https://github.com/libyal/libbde/wiki/Building#dokan-library)

cygwin fuse I would need to look in first and Dokan >= 2.0 you might need to make some tweaks

[joachimmetz]

Some changes for Dokan >= 2.0 in https://github.com/libyal/libbde/commit/99cc66bb2dcef7a05f317e29a43d7f84621b63a1

[signal3436]

Many thanks! I will start from scratch and circle back.

[joachimmetz]

just tested with Dokan 1.2 on my system and that is working as intended

I'll will give cygfuse and Dokan 2 a test drive when time permits

[signal3436]

just tested with Dokan 1.2 on my system and that is working as intended

I'll will give cygfuse and Dokan 2 a test drive when time permits

Thanks so much!

[joachimmetz]

So cygfuse is different from Linux fuse2 and fuse3. Made some tweaks and got it working on a test set up. To reproduce

• install https://winfsp.dev/ which is the backend wrapped by cygfuse
• install cygfuse package provided by cygwin (no need to use the winfsp.dev provided cygfuse)
• build bdemount from HEAD
  • do not FUSE_USE_VERSION 30 because it causes the linker to fail, in contrast to Linux fuse2 and fuse3 which requires it to be set otherwise compilation fails
• to mount bdemount [options] source mountpoint, cygfuse requires the mount point to be drive letter e.g. x: not a path

Will take a closer look how to unmount, given fusermount -u x: does not appear to work

[joachimmetz]

Will take a closer look how to unmount, given fusermount -u x: does not appear to work

not a nice integration, but looks like killing the bdemount process is a method

which appears the same method used by fusermount on cygwin https://github.com/mgeisert/cygfuse/blob/master/source/v3/fusermount#L190

[joachimmetz]

Note to self format of /var/run/fuse.mounts

https://github.com/mgeisert/cygfuse/blob/922c9e4020876ec6bbfb2d6d3ee4194a5e67d520/source/v3/fuse3/cygfuse.c#L226

Something like:

X: fuse PID localhost path

Note that

• Drive letter appears to be required in upper case
• PID must be the Cygwin PID not the Windows PID
• currently unclear what path should be (/cygdrive/x like in /etc/mtab?)

[signal3436]

After running >bdemount -p (password) P:\image.img X: there is some improvement on my end.

The command window "hangs" like it's supposed to, I see "bdemount.exe" in Task Manager but the image still doesn't mount. The last two lines of the error output are:

mount_fuse_getattr: / The service bdemount has been started.

[joachimmetz]

do you see a file X:\bde1 ?

[signal3436]

do you see a file X:\bde1 ?

Unfortunately no.

[joachimmetz]

did you end up going the cygfuse+winfsp way or Dokan?

[joachimmetz]

nevermind, looks like you went the fuse route (mount_fuse_getattr), given that this is a new backend I don't have many tips for you at the moment

[signal3436]

I appreciate your help with all of this. I might just fresh install everything on something other than the Franken-machine I'm using right now to see if that clears up anything.

[BigPanda71]

I appreciate your help with all of this. I might just fresh install everything on something other than the Franken-machine I'm using right now to see if that clears up anything.

You ever get this working? I would love to be able to directly mount drives in Windows using the FVEK

[signal3436]

I appreciate your help with all of this. I might just fresh install everything on something other than the Franken-machine I'm using right now to see if that clears up anything.

You ever get this working? I would love to be able to directly mount drives in Windows using the FVEK

Unfortunately I didn't -- I ended up using Dislocker on a Mac.

[BigPanda71]

Well dang, was really hoping you had the answer. But I definitely appreciate you replying to a thread that's been dead for six months.