ralphje / imagemounter

Command line utility and Python package to ease the (un)mounting of forensic disk images
MIT License

Unable to mount any volumes. #40

Closed agibbons27 closed 2 years ago

agibbons27 commented 2 years ago

I am unable to mount any volumes using the most recent commit to master. I included the output showing that the volume could not be mounted. I am getting this error on several images.

# imount -vvv WinXP.E01
    imagemounter version 3.1.0
[+] Mounting image WinXP.E01 using auto...
  $ ewfmount -X allow_other WinXP.E01 /tmp/image_mounter_whfx6imf
    Raw path to disk is /tmp/image_mounter_whfx6imf/ewf1
  $ disktype /tmp/image_mounter_whfx6imf/ewf1
[+] Mounted raw image [1/1]
[+] Mounting volumes in WinXP.E01
  $ mmls /tmp/image_mounter_whfx6imf/ewf1
[+] Found meta volume: block offset: 0000000000, length: 0000000001
    Initializing volume 0:Primary Table (#0)
[-] Skipped 512 B 0:Primary Table (#0) meta volume
[+] Found unallocated space: block offset: 0000000000, length: 0000000063
    Initializing volume 1:Unallocated
[-] Skipped 31.5 KiB 1:Unallocated unalloc volume
[+] Found allocated NTFS / exFAT (0x07): block offset: 0000000063, length: 0003140865 
    Initializing volume 2:NTFS / exFAT (0x07)
[+] Mounting volume 2:NTFS / exFAT (0x07)
    Trying to determine fs type from fsdescription 'NTFS / exFAT (0x07)'
    Current certainty levels: Counter({<class 'imagemounter.filesystems.NtfsFileSystem'>: 40, <class 'imagemounter.filesystems.ExfatFileSystem'>: 30, <class 'imagemounter.filesystems.FatFileSystem'>: -50})
    Highest certainty item is lower than 50, continuing...
    Trying to determine fs type from guid 'None'
  $ blkid -p -O 32256 /tmp/image_mounter_whfx6imf/ewf1
    Trying to determine fs type from blikid 'ntfs'
    Current certainty levels: Counter({<class 'imagemounter.filesystems.NtfsFileSystem'>: 140, <class 'imagemounter.filesystems.ExfatFileSystem'>: 30, <class 'imagemounter.filesystems.FatFileSystem'>: -50})
  $ fsstat /tmp/image_mounter_whfx6imf/ewf1 -o 63 -f ntfs
  $ mount /tmp/image_mounter_whfx6imf/ewf1 /tmp/im_2_k5hh6gc0_ -o show_sys_files,noexec,force,streams_interface=windows,loop,offset=32256,sizelimit=1608122880,ro -t ntfs
[-] Could not mount volume 1.5 GiB 2:NTFS [Windows XP]
[+] Found unallocated space: block offset: 0003140928, length: 0000004800
    Initializing volume 3:Unallocated
[-] Skipped 2.34 MiB 3:Unallocated unalloc volume
[+] Parsed all volumes!
[+] Analysis complete, unmounting...
[+] Unmounting volume 2:NTFS / exFAT (0x07)
  $ umount /tmp/im_2_k5hh6gc0_
  $ fusermount -u /tmp/image_mounter_whfx6imf
[+] All cleaned up

I tried the same command, but using everything except for the most recent commit (everything up to and including "Rename fstype to filesystem"). That seems to work, so I'd like to get a better idea of the intended changes in the most recent commit to master and what it would take to fix the new volume errors.

# imount -vvv WinXP.E01 
    imagemounter version 3.1.0
[+] Mounting image WinXP.E01 using auto...
  $ ewfmount -X allow_other WinXP.E01 /tmp/image_mounter_tf9ud80k
    Raw path to disk is /tmp/image_mounter_tf9ud80k/ewf1
  $ disktype /tmp/image_mounter_tf9ud80k/ewf1
[+] Mounted raw image [1/1]
[+] Mounting volumes in WinXP.E01
  $ mmls /tmp/image_mounter_tf9ud80k/ewf1
[+] Found meta volume: block offset: 0000000000, length: 0000000001
    Initializing volume 0:Primary Table (#0)
[-] Skipped 512 B 0:Primary Table (#0) meta volume
[+] Found unallocated space: block offset: 0000000000, length: 0000000063
    Initializing volume 1:Unallocated
[-] Skipped 31.5 KiB 1:Unallocated unalloc volume
[+] Found allocated NTFS / exFAT (0x07): block offset: 0000000063, length: 0003140865 
    Initializing volume 2:NTFS / exFAT (0x07)
[+] Mounting volume 2:NTFS / exFAT (0x07)
    Trying to determine fs type from fsdescription 'NTFS / exFAT (0x07)'
    Current certainty levels: Counter({<class 'imagemounter.filesystems.NtfsFileSystem'>: 40, <class 'imagemounter.filesystems.ExfatFileSystem'>: 30, <class 'imagemounter.filesystems.FatFileSystem'>: -50})
    Highest certainty item is lower than 50, continuing...
    Trying to determine fs type from guid 'None'
  $ blkid -p -O 32256 /tmp/image_mounter_tf9ud80k/ewf1
    Trying to determine fs type from blikid 'ntfs'
    Current certainty levels: Counter({<class 'imagemounter.filesystems.NtfsFileSystem'>: 140, <class 'imagemounter.filesystems.ExfatFileSystem'>: 30, <class 'imagemounter.filesystems.FatFileSystem'>: -50})
  $ fsstat /tmp/image_mounter_tf9ud80k/ewf1 -o 63 -f ntfs
  $ mount /tmp/image_mounter_tf9ud80k/ewf1 /tmp/im_2_1j_bjy6c_ -o show_sys_files,noexec,force,streams_interface=windows,loop,offset=32256,sizelimit=1608122880,ro -t ntfs
[+] Mounted volume 1.5 GiB 2:NTFS [Windows XP] on /tmp/im_2_1j_bjy6c_.
>>> Press [enter] to unmount the volume, or ^C to keep mounted... 
[+] Unmounting volume 2:NTFS / exFAT (0x07)
  $ umount /tmp/im_2_1j_bjy6c_
[+] Found unallocated space: block offset: 0003140928, length: 0000004800
    Initializing volume 3:Unallocated
[-] Skipped 2.34 MiB 3:Unallocated unalloc volume
[+] Parsed all volumes!
[+] Analysis complete, unmounting...
  $ fusermount -u /tmp/image_mounter_tf9ud80k
[+] All cleaned up

ralphje commented 2 years ago

I will take a look into it ASAP. I noticed the automated tests also failing so I presume the commit was not done yet.