ralphje / imagemounter

Command line utility and Python package to ease the (un)mounting of forensic disk images
MIT License

Ubuntu 16.04 fails to mount E01 with embedded ntfs - "DOS/MBR boot sector" #14

Closed flamableconcrete closed 7 years ago

flamableconcrete commented 7 years ago

I have an E01 file that mounts just fine with imount on Ubuntu 14.04, but not on 16.04. I have included the full output below. So far I have tracked it down to the version of the file command installed which gives different output for this same file.

# Ubuntu 14.04
$ file --version
file-5.14
$ file my-ewf1-inside-the-E01
my-ewf1-inside-the-E01: x86 boot sector

# Ubuntu 16.04
$ file --version
file-5.25
$ file my-ewf1-inside-the-E01
my-ewf1-inside-the-E01: DOS/MBR boot sector, <blah blah blah - see full output below>

Because of this discrepancy, the fstype here (https://github.com/ralphje/imagemounter/blob/v3.0.0/imagemounter/volume.py#L642) is returned as ntfs on 14.04, but volumesystem on 16.04.

If I add a continue here: https://github.com/ralphje/imagemounter/blob/v3.0.0/imagemounter/volume.py#L586, it works for this one file, but I'm sure that looks like the wrong approach long term since I don't know the actual ramifications of that decision to other image/volume/disk/whatever types.

Sorry I don't have a pull request - I don't know how to solve it!

Ubuntu 16.04

vagrant@vagrant:~$ sudo imount -vvvv win7-32-c-drive.E01
    imagemounter version 3.0.0
[+] Mounting image win7-32-c-drive.E01 using auto...
  $ ewfmount -X allow_other win7-32-c-drive.E01 /tmp/image_mounter_y2LwKj
    Raw path to disk is /tmp/image_mounter_y2LwKj/ewf1
  $ disktype /tmp/image_mounter_y2LwKj/ewf1
  <
  < --- /tmp/image_mounter_y2LwKj/ewf1
  < Regular file, size 24.75 GiB (26578255872 bytes)
  < NTFS file system
  <   Volume size 24.75 GiB (26578255360 bytes, 51910655 sectors)
  <
[+] Mounted raw image [1/1]
[+] Mounting volumes in win7-32-c-drive.E01
  $ mmls /tmp/image_mounter_y2LwKj/ewf1
  < Cannot determine partition type
[-] Failed executing mmls command
Traceback (most recent call last):
  File "/home/vagrant/imagemounter/imagemounter/volume_system.py", line 269, in _detect_mmls_volumes
    output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
  File "/home/vagrant/imagemounter/imagemounter/_util.py", line 121, in check_output_
    result = subprocess.check_output(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
[+] Detecting as single volume instead
  $ file -sL /tmp/image_mounter_y2LwKj/ewf1
  < /tmp/image_mounter_y2LwKj/ewf1: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8,
     sectors/track 63, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 51910655,
     $MFT start cluster 786432, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 02eac03a3ac036525;
     contains Microsoft Windows XP/VISTA bootloader BOOTMGR
    Initializing volume 0:DOS/MBR boot sector
[+] Mounting volume 0:DOS/MBR boot sector
    Trying to determine fs type from 'DOS/MBR boot sector'
[+] Detected dos/mbr boot sector as volumesystem
  $ fsstat /tmp/image_mounter_y2LwKj/ewf1 -o 0
  $ mmls /tmp/image_mounter_y2LwKj/ewf1
  < Cannot determine partition type
[-] Failed executing mmls command
Traceback (most recent call last):
  File "/home/vagrant/imagemounter/imagemounter/volume_system.py", line 269, in _detect_mmls_volumes
    output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
  File "/home/vagrant/imagemounter/imagemounter/_util.py", line 121, in check_output_
    result = subprocess.check_output(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
[-] Execution failed due to <class 'imagemounter.exceptions.SubsystemError'> Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
Traceback (most recent call last):
  File "/home/vagrant/imagemounter/imagemounter/volume_system.py", line 269, in _detect_mmls_volumes
    output = _util.check_output_(cmd, stderr=subprocess.STDOUT)
  File "/home/vagrant/imagemounter/imagemounter/_util.py", line 121, in check_output_
    result = subprocess.check_output(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 574, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
[-] Execution failed due to <class 'imagemounter.exceptions.SubsystemError'> Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
Traceback (most recent call last):
  File "/home/vagrant/imagemounter/imagemounter/volume.py", line 714, in mount
    for _ in self.volumes.detect_volumes():
  File "/home/vagrant/imagemounter/imagemounter/volume_system.py", line 124, in detect_volumes
    for v in self._detect_mmls_volumes(vstype):
  File "/home/vagrant/imagemounter/imagemounter/volume_system.py", line 287, in _detect_mmls_volumes
    raise SubsystemError(e)
SubsystemError: Command '[u'mmls', u'/tmp/image_mounter_y2LwKj/ewf1']' returned non-zero exit status 1
[-] Exception while mounting 24.75 GiB 0:NTFS [Windows XP]
>>> Press [enter] to continue...
[+] Parsed all volumes!
[+] Analysis complete, unmounting...
  $ fusermount -u /tmp/image_mounter_y2LwKj
[+] All cleaned up

Ubuntu 14.04

(Just the relevant bits)

  $ file -sL /tmp/image_mounter_TG_2Ki/ewf1
  < /tmp/image_mounter_TG_2Ki/ewf1: x86 boot sector
    Initializing volume 0:x86 boot sector
[+] Mounting volume 0:x86 boot sector
    Trying to determine fs type from 'x86 boot sector'
    Trying to determine fs type from 'None'
  $ blkid -p -O 0 /tmp/image_mounter_TG_2Ki/ewf1
  < /tmp/image_mounter_TG_2Ki/ewf1: UUID="2EAC03A3AC036525" TYPE="ntfs" USAGE="filesystem"
    Trying to determine fs type from 'ntfs'
[+] Detected ntfs as ntfs
  $ fsstat /tmp/image_mounter_TG_2Ki/ewf1 -o 0
  $ mount /tmp/image_mounter_TG_2Ki/ewf1 /tmp/im_0_rs27ob_ -t ntfs -o show_sys_files,noexec,force,loop,offset=0,ro
[+] Mounted volume 24.75 GiB 0:NTFS [Windows XP] on /tmp/im_0_rs27ob_.
>>> Press [enter] to unmount the volume, or ^C to keep mounted...

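The detection order the report walks through (the `file -sL` description first, `blkid` as a fallback, and `mmls` deciding whether a partition table is actually there) can be sketched offline. The block below is an added example, not imagemounter's own code: the function names (`detect_fstype`, `fstype_from_file_output`, `fstype_from_blkid_output`), the keyword table and the `mmls_succeeded` flag are assumptions of this example, and the inputs are constructed from the tool output quoted in this issue rather than produced by running `file`, `blkid` or `mmls`. It shows why a description that only says "boot sector", whichever wording a given `file` version uses, must not on its own be taken as proof of a volume system.

```python
"""Offline sketch of the fs-type heuristic discussed in this issue.

Added example, not imagemounter's code. The helper names and the keyword
table are assumptions; the sample strings are copied from the tool output
quoted in the issue and embedded here so the block runs without any tools.
"""
import re

# Ordered list: the first pattern that matches a `file -sL` description wins.
# Order matters: file-5.25's NTFS description also mentions "FAT (1Y bit ...)",
# so "ntfs" must be tested before "fat". (Assumed table for this example.)
FILE_FS_PATTERNS = [
    (re.compile(r"\bntfs\b"), "ntfs"),
    (re.compile(r"\bext[234]\b"), "ext"),
    (re.compile(r"\bfat\b"), "fat"),
    (re.compile(r"\bhfs\b"), "hfs"),
    (re.compile(r"\biso 9660\b"), "iso"),
]

# Descriptions that only say "there is a boot sector here". file-5.14 prints the
# first for a raw NTFS volume, file-5.25 the second; neither proves that a
# partition table (a "volumesystem") exists at that offset.
BARE_BOOT_SECTOR = ("x86 boot sector", "dos/mbr boot sector")


def is_bare_boot_sector(description):
    """True if the `file` description starts with a generic boot-sector label."""
    return description.lower().strip().startswith(BARE_BOOT_SECTOR)


def fstype_from_file_output(description):
    """Map one `file -sL` description to an fs type, or None if inconclusive.

    A filesystem keyword anywhere in the line wins, even when the line opens
    with "DOS/MBR boot sector"; a bare boot-sector label yields None.
    """
    desc = description.lower()
    for pattern, fstype in FILE_FS_PATTERNS:
        if pattern.search(desc):
            return fstype
    return None


def fstype_from_blkid_output(line):
    """Extract TYPE="..." from a `blkid -p -O <offset>` line, or None."""
    match = re.search(r'\bTYPE="([^"]+)"', line)
    return match.group(1).lower() if match else None


def detect_fstype(file_description, blkid_line, mmls_succeeded):
    """Ordered detection for a single raw volume.

    1. `file -sL` description, if it names a filesystem.
    2. `blkid -p` TYPE, if `file` was inconclusive.
    3. "volumesystem" only when the partition-table tool (mmls) actually
       succeeded; a boot-sector label alone never produces it.
    """
    fstype = fstype_from_file_output(file_description)
    if fstype:
        return fstype
    fstype = fstype_from_blkid_output(blkid_line or "")
    if fstype:
        return fstype
    if mmls_succeeded:
        return "volumesystem"
    return "unknown"


# Constructed sample inputs, copied from the two runs quoted in this issue.
FILE_14_04 = "x86 boot sector"
FILE_16_04 = ('DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", '
              'sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, '
              'heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80), '
              'FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 51910655')
BLKID_14_04 = ('/tmp/image_mounter_TG_2Ki/ewf1: UUID="2EAC03A3AC036525" '
               'TYPE="ntfs" USAGE="filesystem"')

if __name__ == "__main__":
    # file-5.14 is inconclusive on its own, blkid settles it.
    print(detect_fstype(FILE_14_04, BLKID_14_04, mmls_succeeded=False))
    # file-5.25 already names NTFS despite the "DOS/MBR boot sector" prefix.
    print(detect_fstype(FILE_16_04, "", mmls_succeeded=False))
```

Both sample runs resolve to `ntfs`; the 16.04 path no longer needs `blkid` at all, and "volumesystem" is reachable only when `mmls` reported a partition table, which is the condition the maintainer's fix comment points at. Because `file`'s wording changes between releases (the cause of this report), a keyword table like this should be treated as a heuristic to be checked against each new `file` version, with `blkid` kept as the fallback.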
flamableconcrete commented 7 years ago

The original file is win7-32-nromanoff-c-drive.E01 from ~one of these courses - can't remember which~

ralphje commented 7 years ago

Thanks for your report.

Should be fixed now, but don't know whether some other detections might fail, but clearly, dos/mbr bootsector is not a good detection for dos/mbr volume systems.

flamableconcrete commented 7 years ago

Thanks - and sorry I don't have a dos/mbr volume system handy to test!