Closed anseljh closed 8 years ago
I have downloaded the same disk image and it works fine for me in 2.0.4 and 3.0.0a1:
$ sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv
[+] Mounting image 4Dell Latitude CPi.E01 using auto...
$ ewfmount -X allow_other 4Dell Latitude CPi.E01 /tmp/image_mounter_cQwDwb
Raw path to disk is /tmp/image_mounter_cQwDwb/ewf1
$ mdadm --examine /tmp/image_mounter_cQwDwb/ewf1
$ disktype /tmp/image_mounter_cQwDwb/ewf1
[+] Mounted raw image [1/1]
[+] Mounting volumes in 4Dell Latitude CPi.E01
$ mmls /tmp/image_mounter_cQwDwb/ewf1
[+] Found meta volume: block offset: 0000000000, length: 0000000001
[-] Skipped 512 B 0:Primary Table (#0) meta volume
[+] Found unallocated space: block offset: 0000000000, length: 0000000063
[-] Skipped 31.0 KiB 1:Unallocated unalloc volume
[+] Found allocated NTFS (0x07): block offset: 0000000063, length: 0009510417
$ fsstat /tmp/image_mounter_cQwDwb/ewf1 -o 63
Trying to determine fs type from 'None'
Trying to determine fs type from 'NTFS (0x07)'
[+] Detected ntfs (0x07) as ntfs
$ mount /tmp/image_mounter_cQwDwb/ewf1 /tmp/im_2_WK7a4q_ -t ntfs -o loop,show_sys_files,noexec,force,offset=32256,ro
[+] Mounted volume 4.53 GiB 2:NTFS [Windows XP] on /tmp/im_2_WK7a4q_.
>>> Press [enter] to unmount the volume, or ^C to keep mounted...
$ umount /tmp/im_2_WK7a4q_
[+] Found unallocated space: block offset: 0009510480, length: 0000003780
[-] Skipped 1.85 MiB 3:Unallocated unalloc volume
[+] Parsed all volumes!
[+] Analysis complete, unmounting...
$ fusermount -u /tmp/image_mounter_cQwDwb
[+] All cleaned up
Perhaps you are mounting using affuse
or xmount
, which I couldn't get to work either; ewfmount
does work for me. The error also suggests you perhaps may not have downloaded the .E02 file from the NIST website?
Could you include the output of sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv
and imount --check
in your bug report?
Closing due to lack of response. Please re-open when you can provide the requested output.
Hello, and sorry for the delay. I do have both the .E01 and .E02 files.
Here is sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv
:
$ sudo imount 4Dell\ Latitude\ CPi.E01 -vvvv
[+] Mounting image 4Dell Latitude CPi.E01 using auto...
$ ewfmount -X allow_other 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'-X', u'allow_other', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
$ ewfmount 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
$ xmount --in ewf 4Dell Latitude CPi.E01 /tmp/image_mounter_SolnJ5
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
$ ewfmount -X allow_other 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'-X', u'allow_other', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
$ ewfmount 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
Unable to open EWF file(s).
libmfdata_file_list_get_file_by_index: missing file.
libewf_handle_open_read_segment_files: unable to retrieve segment file: 1 from list.
libewf_handle_open_file_io_pool: unable to read segment files.
libewf_handle_open: unable to open handle using a file IO pool.
mount_handle_open_input: unable to open file(s).
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'ewfmount', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
$ xmount --in ewf 4Dell Latitude CPi.E01 4Dell Latitude CPi.E02 /tmp/image_mounter_SolnJ5
[-] Could not mount 4Dell Latitude CPi.E01, trying other method
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
[-] Unable to mount 4Dell Latitude CPi.E01
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/imagemounter/disk.py", line 217, in mount
_util.check_call_(cmd, stdout=subprocess.PIPE)
File "/usr/local/lib/python2.7/dist-packages/imagemounter/_util.py", line 110, in check_call_
return subprocess.check_call(cmd, *args, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '[u'xmount', u'--in', u'ewf', u'4Dell Latitude CPi.E01', u'4Dell Latitude CPi.E02', u'/tmp/image_mounter_SolnJ5']' returned non-zero exit status 1
[-] Failed mounting base image. Perhaps try another mount method than auto?
[+] Analysis complete, unmounting...
[+] All cleaned up
and imount --check
:
$ imount --check
The following commands are used by imagemounter internally. Without most commands, imagemounter works perfectly fine, but may lack some detection or mounting capabilities.
-- Mounting base disk images (at least one required, first three recommended) --
INSTALLED xmount
INSTALLED ewfmount
INSTALLED affuse
MISSING vmware-mount needed for VMWare disks
-- Detecting volumes and volume types (at least one required) --
INSTALLED mmls
MISSING pytsk3 install using pip
INSTALLED parted
-- Detecting volume types (all recommended, first two highly recommended) --
INSTALLED fsstat
INSTALLED file
MISSING python-magic install using pip
INSTALLED disktype
-- Enhanced mounting and detecting disks (install when needed) --
INSTALLED mdadm
INSTALLED cryptsetup
INSTALLED mountavfs
-- Mounting volumes (install when needed) --
MISSING mount.xfs needed for XFS volumes, part of the xfsprogs package
INSTALLED mount.ntfs
INSTALLED lvm
INSTALLED vmfs-fuse
MISSING mount.jffs2 needed for JFFS2 volumes, part of the mtd-tools package
MISSING mount.squashfs needed for SquashFS volumes, part of the squashfs-tools package
I got this working, finally. I must have just had bad copies of the files -- worked perfectly after I re-downloaded them.
Hello! I am trying to use imagemounter on the EnCase images provided for NIST's "Hacking Case" scenario. I have been unable to mount the files so far. What is the best way to help debug this?
Here is the output I get, using
-v
: