libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

Unable to mount NTFS volume image with ntfs3g #140

Closed siftuser closed 4 years ago

siftuser commented 4 years ago

I have an E01 from an NTFS USB (E01). I am able to load it in EnCase. But after mounting the E01 using ewfmount, mounting the volume throws a "Failed to read last sector xxxx" error ... is there a way to specify the last sector, or any other clue? Thanks

joachimmetz commented 4 years ago

Which version of libewf are you using?

siftuser commented 4 years ago

Thanks! It's 20140808

joachimmetz commented 4 years ago

Can you confirm/check, when this is NTFS and the image is a volume device copy, if the last sector/cluster block is part of the image?
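
One way to answer that question from the raw image ewfmount exposes, as an added example that is not part of the original thread or of libewf: it reads the NTFS boot sector's bytes-per-sector field (offset 0x0B) and total-sectors field (offset 0x28) and compares them with the image size. The function names and the sample boot sector are constructed for illustration.

```python
import struct
import sys

def parse_ntfs_boot_sector(sector0: bytes) -> dict:
    """Return the geometry fields of an NTFS boot sector (first 512 bytes)."""
    if len(sector0) < 512 or sector0[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    (bytes_per_sector,) = struct.unpack_from("<H", sector0, 0x0B)
    (total_sectors,) = struct.unpack_from("<Q", sector0, 0x28)
    if bytes_per_sector == 0 or total_sectors == 0:
        raise ValueError("implausible NTFS geometry")
    return {"bytes_per_sector": bytes_per_sector, "total_sectors": total_sectors}

def last_sector_report(sector0: bytes, image_size: int) -> dict:
    """Check whether the image holds every sector the boot sector declares."""
    bs = parse_ntfs_boot_sector(sector0)
    needed = bs["total_sectors"] * bs["bytes_per_sector"]
    return {
        "last_sector": bs["total_sectors"] - 1,
        "needed_bytes": needed,
        "missing_bytes": max(0, needed - image_size),
        "readable": image_size >= needed,
    }

def report_for_path(path: str) -> dict:
    """Run the check against a raw image such as the file ewfmount exposes."""
    with open(path, "rb") as f:
        sector0 = f.read(512)
        image_size = f.seek(0, 2)  # seeking to the end returns the size in bytes
    return last_sector_report(sector0, image_size)

def build_sample_boot_sector(total_sectors: int, bytes_per_sector: int = 512) -> bytes:
    """Constructed sample input: a minimal boot sector with only the fields used here."""
    s = bytearray(512)
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 0x0B, bytes_per_sector)
    struct.pack_into("<Q", s, 0x28, total_sectors)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /mnt/ewf/ewf1
        print(report_for_path(sys.argv[1]))
    else:  # constructed demo: image is 8 sectors shorter than the volume declares
        print(last_sector_report(build_sample_boot_sector(2048), 2040 * 512))
```

A ValueError means offset 0 is not an NTFS boot sector, for example when the image is a whole disk with a partition table rather than a volume copy.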

siftuser commented 4 years ago

Based on the error from the mount command I can see that it's trying to access the sector beyond the last sector of the volume ... is there a way to trick the mount command with the # of sectors?

fdisk on ewf1 shows an accurate sector count, whereas parted or file on the same ewf show a few additional sectors in the count, which is what mount is trying to access while mounting and failing.

Unsure how EnCase can determine the accurate size of the volume and display the volume and its content.

Thanks!

joachimmetz commented 4 years ago

So the file system support part is beyond the scope of libewf/ewfmount. Both will expose whatever data is in the EWF "container". Not sure what NTFS implementation you are using (Mac native?); otherwise try analyzing the file system with Sleuthkit or equivalent tooling that might be more tolerant of data format errors. Not sure if it will work, but libfsntfs, while still experimental, comes with a mount tool as well.

siftuser commented 4 years ago

Thanks!

Is there documentation on how to use libfsntfs compared to ewfmount + mount -t ntfs-3g?

joachimmetz commented 4 years ago

Nope, mount documentation is still WIP. But it would be very similar to ntfs3g, except that instead of mount you use fsntfsmount.

siftuser commented 4 years ago

Thanks again! FYI - this is what I tried:

$ sudo fsntfsmount -o loop,ro,show_sys_files,streams_interface=windows,offset=0 /mnt/ewf/ewf1 /mnt/windows_mount
fsntfsmount 20200223

Unable to set volume offset.
mount_handle_system_string_copy_from_64_bit_in_decimal: unsupported character value: l at index: 0.
mount_handle_set_offset: unable to copy string to 64-bit decimal.

joachimmetz commented 4 years ago

With similar, I did not mean exact same syntax ;)

Try:

sudo fsntfsmount /mnt/ewf/ewf1 /mnt/windows_mount

See fsntfsmount -h for supported parameters.

siftuser commented 4 years ago

Thank you! That worked :)