ralphje / imagemounter

Command line utility and Python package to ease the (un)mounting of forensic disk images
MIT License

Running out of RAM mounting large volume #8

Closed anseljh closed 8 years ago

anseljh commented 8 years ago

Hello, I have tried mounting a large volume, and imagemounter dies when it runs out of memory. The volume is split into about 120 files, each 2 GB. On a virtual machine with 4 GB RAM, I can only get through about one-fourth of these files before running out of RAM, at which point imount exits.

Here you can see as memory utilization ticks up with each file: image

Here is a screenshot from when it dies: image

Interestingly, I noticed that RAM was not freed up after imount terminated. It turns out there were a lot of ewfmount processes still lingering even after imount had exited. I killalled them and got the RAM back.

Also, none of this is using swap. I added another big swap partition as an attempted workaround, but it didn't get used at all.

I don't know enough about the internals here to suggest a solution, but I'm happy to help troubleshoot.

I am running v3.0.0a2 (from Git).

Here is the output from imount --check:

anseljh@anseljh-VirtualBox:~$ imount --check
The following commands are used by imagemounter internally. Without most commands, imagemounter works perfectly fine, but may lack some detection or mounting capabilities.
-- Mounting base disk images (at least one required, first three recommended) --
 INSTALLED xmount
 INSTALLED ewfmount
 INSTALLED affuse
 MISSING   vmware-mount        needed for VMWare disks
 INSTALLED mountavfs
-- Detecting volumes and volume types (at least one required) --
 INSTALLED mmls
 MISSING   pytsk3              install using pip
 INSTALLED parted
-- Detecting volume types (all recommended, first two highly recommended) --
 INSTALLED fsstat
 INSTALLED file
 INSTALLED blkid
 MISSING   python-magic        install using pip
 INSTALLED disktype
-- Mounting volumes (install when needed) --
 MISSING   mount.xfs           needed for XFS volumes, part of the xfsprogs package
 INSTALLED mount.ntfs
 INSTALLED lvm
 INSTALLED vmfs-fuse
 MISSING   mount.jffs2         needed for JFFS2 volumes, part of the mtd-tools package
 MISSING   mount.squashfs      needed for SquashFS volumes, part of the squashfs-tools package
 INSTALLED mdadm
 INSTALLED cryptsetup
 MISSING   bdemount            needed for Bitlocker Drive Encryption volumes, part of the libbde-utils package
 MISSING   vshadowmount        needed for NTFS volume shadow copies, part of the libvshadow-utils package

ralphje commented 8 years ago

There appears to be something weird with your disk image, as it seems to require 120 different EWFs to be mounted -- which would mean you are trying to mount 120 different disks(!) Normal behaviour would be to have E01 to E120 files.

It appears that imagemounter correctly concludes that the ewfmount failed due to lack of RAM (this problem is mostly with ewfmount), although it is weird that the ewfmount processes are still lingering around when they should've been killed. Did you try imount -u to check whether imagemounter itself thinks there is still stuff mounted?

Could you explain why you have 120 different disks? Perhaps that clears things up a little.

anseljh commented 8 years ago

I am trying to mount one partition from one large disk image that contains 4 partitions. The disk image is split into 121 files with extensions .E01 through .EAV.

This is from a larger set with multiple disk images. Some of the disk images include multiple partitions, like this one, and I have gotten them to work. All the disk images look like this: multiple files with .E01, etc. extensions.

I tried again, and after it dies, I tried imount -u. It does indeed think there are a bunch of things mounted:

anseljh@anseljh-VirtualBox:~$ sudo imount -u -vvvv
Development release v3.0.0a2. Please report any bugs you encounter.
Bug reports: use -vvvv to get maximum verbosity and include  imount --check  output in your report
Critical bug? Use git tag to list all versions and use git checkout <version>
  $ losetup -a
  $ mount
  < sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
  < proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
  < udev on /dev type devtmpfs (rw,nosuid,relatime,size=1954120k,nr_inodes=488530,mode=755)
  < devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
  < tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=394848k,mode=755)
  < /dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
  < securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
  < tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
  < tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
  < tmpfs on /sys/fs/cgroup type tmpfs (rw,mode=755)
  < cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
  < pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
  < cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
  < cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
  < cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event)
  < cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
  < cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids)
  < cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
  < cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
  < cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb)
  < cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
  < cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,clone_children)
  < systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=25,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
  < hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
  < debugfs on /sys/kernel/debug type debugfs (rw,relatime)
  < mqueue on /dev/mqueue type mqueue (rw,relatime)
  < fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
  < cgmfs on /run/cgmanager/fs type tmpfs (rw,relatime,size=100k,mode=755)
  < Disk_3 on /media/sf_Disk_3 type vboxsf (rw,nodev,relatime)
  < Drops on /media/sf_Drops type vboxsf (rw,nodev,relatime)
  < Evidence on /media/sf_Evidence type vboxsf (rw,nodev,relatime)
  < F_DRIVE on /media/sf_F_DRIVE type vboxsf (rw,nodev,relatime)
  < tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=394848k,mode=700,uid=1000,gid=1000)
  < gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
  < F_DRIVE on /media/disk1 type vboxsf (rw,nodev,relatime)
  < Evidence on /media/disk2 type vboxsf (rw,nodev,relatime)
  < Disk_3 on /media/disk3 type vboxsf (rw,nodev,relatime)
  < F_DRIVE on /media/disk1 type vboxsf (rw,nodev,relatime)
  < Evidence on /media/disk2 type vboxsf (rw,nodev,relatime)
  < Disk_3 on /media/disk3 type vboxsf (rw,nodev,relatime)
  < /dev/fuse on /tmp/image_mounter_YQ1tTf type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_HqLYgp type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_ZJzvzF type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_PjLchA type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_nL39C7 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_PIIt87 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_QX19yT type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_w1lvq7 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_ODVxnA type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_NFArMV type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_IkGr8A type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_XUDuFz type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_BIJZCC type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_rueEze type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_3XfToD type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_nPgaE9 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_Wkl3lg type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_pZTFM0 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_a8DTZB type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_CuXUhB type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_DE8HVZ type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_p89NsL type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_T0jbA4 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_RWgWyv type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_B21xg_ type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_Mr1ZCd type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_OwHugs type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_cycRMo type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_nplhYL type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_Bj4RqI type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_Jgo7Q3 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_XCJQN0 type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  < /dev/fuse on /tmp/image_mounter_OdgS_J type fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
  $ pvdisplay
[!] --unmount will rigorously clean anything that looks like a mount or volume group originating from this utility. You may regret using this if you have other mounts or volume groups that are similarly named. The following commands will be executed:
    fusermount -u /tmp/image_mounter_B21xg_
    rm -Rf /tmp/image_mounter_B21xg_
    fusermount -u /tmp/image_mounter_PIIt87
    rm -Rf /tmp/image_mounter_PIIt87
    fusermount -u /tmp/image_mounter_ZJzvzF
    rm -Rf /tmp/image_mounter_ZJzvzF
    fusermount -u /tmp/image_mounter_pZTFM0
    rm -Rf /tmp/image_mounter_pZTFM0
    fusermount -u /tmp/image_mounter_CuXUhB
    rm -Rf /tmp/image_mounter_CuXUhB
    fusermount -u /tmp/image_mounter_OwHugs
    rm -Rf /tmp/image_mounter_OwHugs
    fusermount -u /tmp/image_mounter_T0jbA4
    rm -Rf /tmp/image_mounter_T0jbA4
    fusermount -u /tmp/image_mounter_p89NsL
    rm -Rf /tmp/image_mounter_p89NsL
    fusermount -u /tmp/image_mounter_Jgo7Q3
    rm -Rf /tmp/image_mounter_Jgo7Q3
    fusermount -u /tmp/image_mounter_XCJQN0
    rm -Rf /tmp/image_mounter_XCJQN0
    fusermount -u /tmp/image_mounter_nplhYL
    rm -Rf /tmp/image_mounter_nplhYL
    fusermount -u /tmp/image_mounter_IkGr8A
    rm -Rf /tmp/image_mounter_IkGr8A
    fusermount -u /tmp/image_mounter_rueEze
    rm -Rf /tmp/image_mounter_rueEze
    fusermount -u /tmp/image_mounter_Wkl3lg
    rm -Rf /tmp/image_mounter_Wkl3lg
    fusermount -u /tmp/image_mounter_OdgS_J
    rm -Rf /tmp/image_mounter_OdgS_J
    fusermount -u /tmp/image_mounter_ODVxnA
    rm -Rf /tmp/image_mounter_ODVxnA
    fusermount -u /tmp/image_mounter_3XfToD
    rm -Rf /tmp/image_mounter_3XfToD
    fusermount -u /tmp/image_mounter_YQ1tTf
    rm -Rf /tmp/image_mounter_YQ1tTf
    fusermount -u /tmp/image_mounter_QX19yT
    rm -Rf /tmp/image_mounter_QX19yT
    fusermount -u /tmp/image_mounter_PjLchA
    rm -Rf /tmp/image_mounter_PjLchA
    fusermount -u /tmp/image_mounter_RWgWyv
    rm -Rf /tmp/image_mounter_RWgWyv
    fusermount -u /tmp/image_mounter_BIJZCC
    rm -Rf /tmp/image_mounter_BIJZCC
    fusermount -u /tmp/image_mounter_nL39C7
    rm -Rf /tmp/image_mounter_nL39C7
    fusermount -u /tmp/image_mounter_Bj4RqI
    rm -Rf /tmp/image_mounter_Bj4RqI
    fusermount -u /tmp/image_mounter_Mr1ZCd
    rm -Rf /tmp/image_mounter_Mr1ZCd
    fusermount -u /tmp/image_mounter_nPgaE9
    rm -Rf /tmp/image_mounter_nPgaE9
    fusermount -u /tmp/image_mounter_NFArMV
    rm -Rf /tmp/image_mounter_NFArMV
    fusermount -u /tmp/image_mounter_a8DTZB
    rm -Rf /tmp/image_mounter_a8DTZB
    fusermount -u /tmp/image_mounter_DE8HVZ
    rm -Rf /tmp/image_mounter_DE8HVZ
    fusermount -u /tmp/image_mounter_HqLYgp
    rm -Rf /tmp/image_mounter_HqLYgp
    fusermount -u /tmp/image_mounter_cycRMo
    rm -Rf /tmp/image_mounter_cycRMo
    fusermount -u /tmp/image_mounter_w1lvq7
    rm -Rf /tmp/image_mounter_w1lvq7
    fusermount -u /tmp/image_mounter_XUDuFz
    rm -Rf /tmp/image_mounter_XUDuFz
>>> Press [enter] to continue or ^C to cancel... 

It looks like (but I haven't confirmed) there's one for each .Exx file, up until the one that caused it to run out of RAM.

Thanks for your help troubleshooting this!

ralphje commented 8 years ago

OK, it appears as if imount is screwing it up and thinks it needs to mount every EnCase file separately. How are you calling the imount command? If you call it like this: imount file.E*, then it might behave this way. You should then use imount file.E01. That should work.

Otherwise, it would help if you could include the top 100 lines or so (until it starts repeating) from the -vvvv output of mounting it, including the command itself (removing anything sensitive).

anseljh commented 8 years ago

I had been calling with .E* before, so I've changed that to just the first (.E01) file. Still fails, but right away and with a different error.

The command is:

sudo imount -vvvv -k -md /media/XXX/QNK05.E01 --fstypes ntfs -o 2

(Sensitive data replaced with XXX)

This now outputs:

Development release v3.0.0a2. Please report any bugs you encounter.
Bug reports: use -vvvv to get maximum verbosity and include  imount --check  output in your report
Critical bug? Use git tag to list all versions and use git checkout <version>
[!] You are forcing the file system type to ntfs. This may cause unexpected results.
[-] You must specify at least one path to a disk image

Previously, I'd been running:

sudo imount -vvvv -k -md /media/XXX/QNK05.E* --fstypes ntfs -o 2

Which outputs:

Development release v3.0.0a2. Please report any bugs you encounter.
Bug reports: use -vvvv to get maximum verbosity and include  imount --check  output in your report
Critical bug? Use git tag to list all versions and use git checkout <version>
[!] You are forcing the file system type to ntfs. This may cause unexpected results.
    imagemounter version 3.0.0a2
[+] Mounting image /media/XXX/QNK05.E01 using auto...
  $ ewfmount -X allow_other /media/XXX/QNK05.E01 /tmp/image_mounter_oi44d0
    Raw path to disk is /tmp/image_mounter_oi44d0/ewf1
  $ disktype /tmp/image_mounter_oi44d0/ewf1
  < 
  < --- /tmp/image_mounter_oi44d0/ewf1
  < Regular file, size 298.1 GiB (320072933376 bytes)
  < DOS/MBR partition map
  < Partition 1: 199 MiB (208666624 bytes, 407552 sectors from 2048, bootable)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 199.0 MiB (208666112 bytes, 407551 sectors)
  < Partition 2: 278.7 GiB (299255201792 bytes, 584482816 sectors from 409600)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 278.7 GiB (299255201280 bytes, 584482815 sectors)
  < Partition 3: 19.09 GiB (20498612224 bytes, 40036352 sectors from 584892416)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 19.09 GiB (20498611712 bytes, 40036351 sectors)
  < Partition 4: 103.3 MiB (108355584 bytes, 211632 sectors from 624928768)
  <   Type 0x0C (Win95 FAT32 (LBA))
  <   FAT32 file system (hints score 4 of 5)
  <     Volume size 99.34 MiB (104161280 bytes, 101720 clusters of 1 KiB)
  < 
[+] Mounted raw image [1/120]
[+] Mounting image /media/XXX/QNK05.E01 using auto...
  $ ewfmount -X allow_other /media/XXX/QNK05.E01 /tmp/image_mounter_Pi3OK4
    Raw path to disk is /tmp/image_mounter_Pi3OK4/ewf1
  $ disktype /tmp/image_mounter_Pi3OK4/ewf1
  < 
  < --- /tmp/image_mounter_Pi3OK4/ewf1
  < Regular file, size 298.1 GiB (320072933376 bytes)
  < DOS/MBR partition map
  < Partition 1: 199 MiB (208666624 bytes, 407552 sectors from 2048, bootable)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 199.0 MiB (208666112 bytes, 407551 sectors)
  < Partition 2: 278.7 GiB (299255201792 bytes, 584482816 sectors from 409600)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 278.7 GiB (299255201280 bytes, 584482815 sectors)
  < Partition 3: 19.09 GiB (20498612224 bytes, 40036352 sectors from 584892416)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 19.09 GiB (20498611712 bytes, 40036351 sectors)
  < Partition 4: 103.3 MiB (108355584 bytes, 211632 sectors from 624928768)
  <   Type 0x0C (Win95 FAT32 (LBA))
  <   FAT32 file system (hints score 4 of 5)
  <     Volume size 99.34 MiB (104161280 bytes, 101720 clusters of 1 KiB)
  < 
[+] Mounted raw image [2/120]
[+] Mounting image /media/XXX/QNK05.E01 using auto...
  $ ewfmount -X allow_other /media/XXX/QNK05.E01 /tmp/image_mounter_YGbEl0
    Raw path to disk is /tmp/image_mounter_YGbEl0/ewf1
  $ disktype /tmp/image_mounter_YGbEl0/ewf1
  < 
  < --- /tmp/image_mounter_YGbEl0/ewf1
  < Regular file, size 298.1 GiB (320072933376 bytes)
  < DOS/MBR partition map
  < Partition 1: 199 MiB (208666624 bytes, 407552 sectors from 2048, bootable)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 199.0 MiB (208666112 bytes, 407551 sectors)
  < Partition 2: 278.7 GiB (299255201792 bytes, 584482816 sectors from 409600)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 278.7 GiB (299255201280 bytes, 584482815 sectors)
  < Partition 3: 19.09 GiB (20498612224 bytes, 40036352 sectors from 584892416)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 19.09 GiB (20498611712 bytes, 40036351 sectors)
  < Partition 4: 103.3 MiB (108355584 bytes, 211632 sectors from 624928768)
  <   Type 0x0C (Win95 FAT32 (LBA))
  <   FAT32 file system (hints score 4 of 5)
  <     Volume size 99.34 MiB (104161280 bytes, 101720 clusters of 1 KiB)
  < 
[+] Mounted raw image [3/120]
[+] Mounting image /media/XXX/QNK05.E01 using auto...
  $ ewfmount -X allow_other /media/XXX/QNK05.E01 /tmp/image_mounter_XCAchq
    Raw path to disk is /tmp/image_mounter_XCAchq/ewf1
  $ disktype /tmp/image_mounter_XCAchq/ewf1
  < 
  < --- /tmp/image_mounter_XCAchq/ewf1
  < Regular file, size 298.1 GiB (320072933376 bytes)
  < DOS/MBR partition map
  < Partition 1: 199 MiB (208666624 bytes, 407552 sectors from 2048, bootable)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 199.0 MiB (208666112 bytes, 407551 sectors)
  < Partition 2: 278.7 GiB (299255201792 bytes, 584482816 sectors from 409600)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 278.7 GiB (299255201280 bytes, 584482815 sectors)
  < Partition 3: 19.09 GiB (20498612224 bytes, 40036352 sectors from 584892416)
  <   Type 0x07 (HPFS/NTFS)
  <   NTFS file system
  <     Volume size 19.09 GiB (20498611712 bytes, 40036351 sectors)
  < Partition 4: 103.3 MiB (108355584 bytes, 211632 sectors from 624928768)
  <   Type 0x0C (Win95 FAT32 (LBA))
  <   FAT32 file system (hints score 4 of 5)
  <     Volume size 99.34 MiB (104161280 bytes, 101720 clusters of 1 KiB)
  < 
[+] Mounted raw image [4/120]
[+] Mounting image /media/XXX/QNK05.E01 using auto...
  $ ewfmount -X allow_other /media/XXX/QNK05.E01 /tmp/image_mounter_2Xks6r

etc.

ralphje commented 8 years ago

The -md flag is totally out of place there. That seems to be your problem. You should never have to specify all E* images with imount.
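The advice in this thread (pass only the first segment, never the whole E* glob) can be enforced in a wrapper before imount is called. The following is an added example, not part of the thread and not imagemounter code: it maps EWF segment extensions to their position (.E01 is 1, .EAV is 121, matching the 121 files described above), collapses an expanded glob into one first-segment path per image set, and refuses a set with missing segments. The function names and the sample path are hypothetical, and only the .E01 to .EZZ range is handled.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# EWF segment extensions: .E01 .. .E99, then .EAA .. .EZZ
SEGMENT_RE = re.compile(r"^\.E(\d{2}|[A-Z]{2})$", re.IGNORECASE)


def segment_index(ext):
    """Return the 1-based segment number for an EWF extension, or None."""
    m = SEGMENT_RE.match(ext)
    if not m:
        return None
    tag = m.group(1).upper()
    if tag.isdigit():
        n = int(tag)
        return n if n >= 1 else None  # .E00 is not a valid segment
    # Letter range continues after .E99: .EAA is segment 100
    return 100 + (ord(tag[0]) - ord("A")) * 26 + (ord(tag[1]) - ord("A"))


def segment_ext(n):
    """Inverse of segment_index for 1 <= n <= 775 (.E01 .. .EZZ)."""
    if not 1 <= n <= 775:
        raise ValueError("segment number outside the .E01 to .EZZ range")
    if n <= 99:
        return f".E{n:02d}"
    k = n - 100
    return f".E{chr(ord('A') + k // 26)}{chr(ord('A') + k % 26)}"


def first_segments(paths):
    """Collapse an expanded E* glob into one .E01 path per image set.

    Raises ValueError for a non-EWF path or a set with missing segments,
    so an incomplete evidence copy is caught before anything is mounted.
    """
    sets = defaultdict(dict)
    for p in paths:
        path = PurePosixPath(p)
        idx = segment_index(path.suffix)
        if idx is None:
            raise ValueError(f"not an EWF segment: {p}")
        sets[str(path.with_suffix(""))][idx] = p

    firsts = []
    for stem, segs in sorted(sets.items()):
        missing = sorted(set(range(1, max(segs) + 1)) - set(segs))
        if missing:
            names = ", ".join(segment_ext(n) for n in missing)
            raise ValueError(f"{stem}: missing segment(s) {names}")
        firsts.append(segs[1])
    return firsts


if __name__ == "__main__":
    # Constructed sample: one image split into 121 segments (.E01 .. .EAV)
    expanded_glob = [f"/evidence/CASE01{segment_ext(n)}" for n in range(1, 122)]
    print("last segment:", expanded_glob[-1])
    print("pass to imount:", first_segments(expanded_glob))
```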

anseljh commented 8 years ago

Thank you! User error. :smile: