libyal / libewf

Libewf is a library to access the Expert Witness Compression Format (EWF)
GNU Lesser General Public License v3.0

How do I loop back mount a fuse mounted EWF image (ewfmount) #169

Closed saman501 closed 2 years ago

saman501 commented 2 years ago

Hello,

I am a beginner with ewf-tools and have some trouble after 'ewfmount' and would appreciate your advice. ('ewfinfo', 'ewfexport', 'ewfverify' seem to work very well. 'ewfmount -V' shows 20201230, copyright by Joachim Metz.)

This worked as well:

sudo mkdir /mnt/ewf
sudo chown [user] /mnt/ewf
sudo chmod 755 /mnt/ewf
ewfmount  "NTFS.E01" /mnt/ewf
cd /mnt/ewf
mmls /mnt/ewf/ewf1

There are two interesting partitions ...

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000080324   0000080262   Dell Utilities FAT (0xde)
003:  -------   0000080325   0000081919   0000001595   Unallocated
004:  000:001   0000081920   0031039487   0030957568   NTFS / exFAT (0x07)
005:  000:002   0031039488   0976764927   0945725440   NTFS / exFAT (0x07)
006:  -------   0976764928   0976773167   0000008240   Unallocated

Problem arises with mounting into a partition

user@user-desktop:/mnt/ewf$ sudo mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((81920*512)) ewf1 /mnt/c  
mount: /mnt/c: failed to setup loop device for ewf1.

OR

user@user-desktop:/mnt/ewf$ sudo mount -t ntfs-3g -o ro,loop,show_sys_files,streams_interface=windows,offset=$((81920*512)) ewf1 /mnt/c  
mount: /mnt/c: failed to setup loop device for ewf1.

Any ideas?

bgrundy commented 2 years ago

Hopefully I'm not breaking etiquette here with an unsolicited response, but the issue you raise is not an ewfmount problem.

Have a look at man fuse and specifically at the allow_other or allow_root options (and the corresponding entries in /etc/fuse.conf). You are mixing permissions on the fuse file system created by ewfmount. Rather than creating directories in /mnt and messing with ownership and permissions, you might be better off creating a local (to your user) mount point and passing the proper options to ewfmount to allow root access if you need to use a loop device:

$ ls
NTFS.E01 

$ mkdir ewf

$ ewfmount -X allow_root NTFS.E01 ewf/
ewfmount 20140812

$ mmls ewf/ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001023999   0001021952   NTFS / exFAT (0x07)

$ sudo mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((2048*512)) ewf/ewf1 /mnt/tmp

$ ls /mnt/tmp
$AttrDef*  $Bitmap*  $Extend/   $MFTMirr*  $UpCase*  ProxyLog1.log*                Users/
$BadClus*  $Boot*    $LogFile*  $Secure    $Volume*  System\ Volume\ Information/  Windows/

joachimmetz commented 2 years ago

@bgrundy thx for jumping in

saman501 commented 2 years ago

[SOLVED] Thank you very much.

(1) Fuse

/mnt$ cat /etc/fuse.conf
# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)

# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#mount_max = 1000

# Allow non-root users to specify the allow_other or allow_root mount options.
user_allow_other

(2) Extended ewfmount options

/mnt$ ewfmount -X allow_root "NTFS.E01" /mnt/ewf
ewfmount 20201230

/mnt$ mount | grep ewf
/dev/fuse on /mnt/ewf type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other)

/mnt$ mmls ./ewf/ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000080324   0000080262   Dell Utilities FAT (0xde)
003:  -------   0000080325   0000081919   0000001595   Unallocated
004:  000:001   0000081920   0031039487   0030957568   NTFS / exFAT (0x07)
005:  000:002   0031039488   0976764927   0945725440   NTFS / exFAT (0x07)
006:  -------   0976764928   0976773167   0000008240   Unallocated

(3) Mount partition

/mnt$ sudo mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((81920*512)) ewf/ewf1 /mnt/c

/mnt$ cd c

/mnt/c$ ls
'$AttrDef'  '$BadClus'  '$Bitmap'  '$Boot'  '$Extend'  '$LogFile'  '$MFTMirr'  '$Secure'  '$UpCase'  '$Volume'   Boot   bootmgr   DELL   recovery   ResSys.ini  'System Volume Information'

(4) View of the messing ownership:

/mnt$ ls -l
total 8
drwxrwxrwx 1 root  root  4096 Okt 13  2016 c
dr-xr-xr-x 2 user user    0 Apr 27 20:45 ewf
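
The two checks this thread turns on, as an added example that is not code from any of the posters or from libewf: it derives the byte `offset=` values from `mmls` output and tests whether `user_allow_other` is active in `fuse.conf`, which `ewfmount -X allow_root` needs when run as a non-root user. The function names are hypothetical; the sample table is the `mmls` output quoted in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of libewf or TSK.

# Sample input: the mmls table quoted in the thread above.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0000080324   0000080262   Dell Utilities FAT (0xde)
003:  -------   0000080325   0000081919   0000001595   Unallocated
004:  000:001   0000081920   0031039487   0030957568   NTFS / exFAT (0x07)
005:  000:002   0031039488   0976764927   0945725440   NTFS / exFAT (0x07)
006:  -------   0976764928   0976773167   0000008240   Unallocated
EOF
}

# Read mmls output on stdin; print "slot start_sector byte_offset description"
# for each allocated partition (Meta and ------- rows are skipped).
mmls_offsets() {
    awk '
        # Sector size is taken from the header instead of assuming 512.
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); ss = u[1] + 0 }
        $2 ~ /^[0-9]+:[0-9]+$/ {
            # mmls zero-pads sector numbers; pasted into $(( )) they would be
            # parsed as octal, so convert to a decimal number here.
            start = $3 + 0
            desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %d %.0f %s\n", $2, start, start * ss, desc
        }'
}

# Succeeds only if user_allow_other is present and not commented out.
# $1 = path to fuse.conf (defaults to /etc/fuse.conf).
fuse_allows_root_option() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "${1:-/etc/fuse.conf}"
}

sample_mmls | mmls_offsets
if fuse_allows_root_option 2>/dev/null; then
    echo "fuse.conf: user_allow_other is enabled"
else
    echo "fuse.conf: user_allow_other missing or commented out"
fi
```

Against a mounted image, replace `sample_mmls` with `mmls ewf/ewf1`; the third column is the value to pass as `offset=` to `mount -o ro,loop,...`.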