ralphje / imagemounter

Command line utility and Python package to ease the (un)mounting of forensic disk images
MIT License

Unable to mount images from NIST Hacking Case scenario #5

Closed anseljh closed 8 years ago

anseljh commented 8 years ago

Hello! I am trying to use imagemounter on the EnCase images provided for NIST's "Hacking Case" scenario. I have been unable to mount the files so far. What is the best way to help debug this?

Here is the output I get, using -v:

2016-06-03-imount

ralphje commented 8 years ago

I have downloaded the same disk image and it works fine for me in 2.0.4 and 3.0.0a1:

$ sudo imount 4Dell\ Latitude\ CPi.E01  -vvvv
[+] Mounting image 4Dell Latitude CPi.E01 using auto...
  $ ewfmount -X allow_other 4Dell Latitude CPi.E01 /tmp/image_mounter_cQwDwb
    Raw path to disk is /tmp/image_mounter_cQwDwb/ewf1
  $ mdadm --examine /tmp/image_mounter_cQwDwb/ewf1
  $ disktype /tmp/image_mounter_cQwDwb/ewf1
[+] Mounted raw image [1/1]
[+] Mounting volumes in 4Dell Latitude CPi.E01
  $ mmls /tmp/image_mounter_cQwDwb/ewf1
[+] Found meta volume: block offset: 0000000000, length: 0000000001
[-] Skipped 512 B 0:Primary Table (#0) meta volume
[+] Found unallocated space: block offset: 0000000000, length: 0000000063
[-] Skipped 31.0 KiB 1:Unallocated unalloc volume
[+] Found allocated NTFS (0x07): block offset: 0000000063, length: 0009510417 
  $ fsstat /tmp/image_mounter_cQwDwb/ewf1 -o 63
    Trying to determine fs type from 'None'
    Trying to determine fs type from 'NTFS (0x07)'
[+] Detected ntfs (0x07) as ntfs
  $ mount /tmp/image_mounter_cQwDwb/ewf1 /tmp/im_2_WK7a4q_ -t ntfs -o loop,show_sys_files,noexec,force,offset=32256,ro
[+] Mounted volume 4.53 GiB 2:NTFS [Windows XP] on /tmp/im_2_WK7a4q_.
>>> Press [enter] to unmount the volume, or ^C to keep mounted... 
  $ umount /tmp/im_2_WK7a4q_
[+] Found unallocated space: block offset: 0009510480, length: 0000003780
[-] Skipped 1.85 MiB 3:Unallocated unalloc volume
[+] Parsed all volumes!
[+] Analysis complete, unmounting...
  $ fusermount -u /tmp/image_mounter_cQwDwb
[+] All cleaned up

Perhaps you are mounting using affuse or xmount, which I couldn't get to work either; ewfmount does work for me. The error also suggests you may not have downloaded the .E02 file from the NIST website?

Could you include the output of sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv and imount --check in your bug report?

ralphje commented 8 years ago

Closing due to lack of response. Please re-open when you can provide the requested output.

anseljh commented 8 years ago

Hello, and sorry for the delay. I do have both the .E01 and .E02 files.

Here is sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv:

$ sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv
[+] Mounting image 4Dell Latitude CPi.E01 using auto...
  $ ewfmount -X allow_other 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'-X', u'allow_other', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
  $ ewfmount 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
  $ xmount --in ewf 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
  $ ewfmount -X allow_other 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'-X', u'allow_other', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
  $ ewfmount 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
  $ xmount --in ewf 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
[-] Unable to mount 4Dell Latitude CPi.E01
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
    _util.check_call_(cmd, stdout=subprocess.PIPE)
  File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
    return subprocess.check_call(cmd, *args, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
[-] Failed mounting base image. Perhaps try another mount method than auto?
[+] Analysis complete, unmounting...
[+] All cleaned up

and imount --check:

$ imount --check
The following commands are used by imagemounter internally. Without most commands, imagemounter works perfectly fine, but may lack some detection or mounting capabilities.
-- Mounting base disk images (at least one required, first three recommended) --
 INSTALLED xmount
 INSTALLED ewfmount
 INSTALLED affuse
 MISSING   vmware-mount        needed for VMWare disks
-- Detecting volumes and volume types (at least one required) --
 INSTALLED mmls
 MISSING   pytsk3              install using pip
 INSTALLED parted
-- Detecting volume types (all recommended, first two highly recommended) --
 INSTALLED fsstat
 INSTALLED file
 MISSING   python-magic        install using pip
 INSTALLED disktype
-- Enhanced mounting and detecting disks (install when needed) --
 INSTALLED mdadm
 INSTALLED cryptsetup
 INSTALLED mountavfs
-- Mounting volumes (install when needed) --
 MISSING   mount.xfs           needed for XFS volumes, part of the xfsprogs package
 INSTALLED mount.ntfs
 INSTALLED lvm
 INSTALLED vmfs-fuse
 MISSING   mount.jffs2         needed for JFFS2 volumes, part of the mtd-tools package
 MISSING   mount.squashfs      needed for SquashFS volumes, part of the squashfs-tools package

anseljh commented 8 years ago

I got this working, finally. I must have just had bad copies of the files -- worked perfectly after I re-downloaded them.
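The "missing file" / "unable to retrieve segment file: 1" errors from libewf above came from corrupt segment files, not from a configuration problem in imagemounter. A pre-mount check of the kind a practitioner would run before blaming the tool, added here as an example (not code from the thread or from imagemounter): it confirms that the split EWF set is present and contiguous, lists the segment sizes so a truncated download stands out, and, where libewf's ewfverify is installed, verifies the hash stored in the image. It assumes the numeric E01..E99 segment naming (the Hacking Case image has two segments, .E01 and .E02); the filenames in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of the issue thread or of imagemounter.
# Check a split EWF image before handing it to imount/ewfmount.
# Assumptions: numeric segment naming E01..E99; ewfverify from libewf.

# Return 0 if every segment E01..Enn of the image whose first segment
# is $1 exists with no gap, 1 otherwise. Paths with spaces are handled.
ewf_segments_contiguous() {
    first=$1
    base=${first%.*}             # e.g. "4Dell Latitude CPi"
    pfx=${first##*.}             # "E01"
    pfx=${pfx%??}                # "E" (or "e" for a lower-case set)

    # Count every segment file present, contiguous or not.
    total=0
    for f in "$base.$pfx"[0-9][0-9]; do
        [ -e "$f" ] && total=$((total + 1))
    done

    # Walk E01, E02, ... until the first missing segment.
    n=1
    while [ -e "$(printf '%s.%s%02d' "$base" "$pfx" "$n")" ]; do
        n=$((n + 1))
    done
    contiguous=$((n - 1))

    # A gap (E01 and E03 but no E02) shows up as total > contiguous.
    [ "$contiguous" -gt 0 ] && [ "$contiguous" -eq "$total" ]
}

# List segment sizes and verify the stored hash when libewf is installed.
ewf_check() {
    if ! ewf_segments_contiguous "$1"; then
        echo "incomplete or non-contiguous segment set for: $1" >&2
        return 1
    fi
    base=${1%.*}; pfx=${1##*.}; pfx=${pfx%??}
    ls -l "$base.$pfx"[0-9][0-9]     # a zero-byte or short segment is visible here
    if command -v ewfverify >/dev/null 2>&1; then
        # ewfverify recomputes the MD5 of the image data and compares it
        # with the hash the acquisition tool stored; a bad download fails
        # here before any mount is attempted.
        ewfverify "$1"
    else
        echo "ewfverify not found; install libewf (ewf-tools) to verify the stored hash" >&2
    fi
}

# Usage (constructed path): sh ewf_check.sh "4Dell Latitude CPi.E01"
if [ $# -gt 0 ]; then
    ewf_check "$1"
fi
```

If the segment check passes but ewfverify reports a mismatch, re-download the set rather than retrying other mount backends; xmount and affuse read the same damaged bytes.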