mountwin ewf1 /mnt/windows_mount error

[omar11alhajj]

Hello

I installed sift through official OVA download. then updated, but not upgraded. followed the official video in SIFT youtube. I got .E01 image of my own sandisk drive in NTFS. followed all instructions but when i get to mountwin ewf1 /mnt/windows_mount it throws this error: root@siftworkstation:/mnt/ewf_mount# mountwin ewf1 /mnt/windows_mount mount: /mnt/windows_mount: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.

i tried .e01, dd images as well. i tried exfat, and ntfs system files as well.

no difference.

[omar11alhajj]

Or do I actually have to create an image from an operating system? Like the C drive should be imaged? But what if want to analyze a usb?

[digitalsleuth]

Hi @omar11alhajj , have you checked the partition structure of the ewf1 "image" to see if it needs to be mounted at a specific offset? You can try mmls ewf1 from the directory where your ewf1 image is. If it does need an offset, you can add the offset to the mountwin command by adding -o offset= before the "ewf1" part of your command, like so:

mountwin -o offset=$((2048*512)) ewf1 /mnt/windows_mount - assuming your offset is 2048 and the sector size is 512.

[omar11alhajj]

thanks alot @digitalsleuth

the offset is 0.

i am also a beginner, could you suggest some good references? thank you

[omar11alhajj]

any suggestions please?

I am not able to move forward because of this single error!

[digitalsleuth]

Hi @omar11alhajj , sorry for the delay in getting back to you, been a bit busy this week.

Looking at what you have as your output from mmls, your contents look like they exist in slot 000, beginning at offset 2048. You can try the following command:

mountwin -o offset=$((2048*512)) ewf1 /mnt/windows_mount

Assuming you don't already have something mounted at /mnt/windows_mount. Otherwise you can just change the mount point to something else and you should be good.

[omar11alhajj]

Hey @digitalsleuth

thanks a ton dude, it really worked.

but i still have a question(s):

• this will mount only the main data partition. ? what about others? like unallocated, partition table, etc.,
• plus, why the offset sector in previous image was given as 0?
• can you please suggest resources that help me become a pro? I am taking this very seriously and i enjoy it, so i am trying to find resources that will help me become a real professional in the field.

thanks!

[digitalsleuth]

HI @omar11alhajj , in response to your questions above:

• Yes, the offset I gave you (2048) does only mount the Main Data Partition, but if you want to see any other partitions (if they're mountable), then you can just change the offset. However, if you're looking to get more info for the Unallocated or the Partition Table, they don't technically have a file system structure which can be mounted, which is why they don't have a Slot value from the mmls command. You can use the other Sleuthkit tools, a disk editor, or even dd to view the data at those offsets to carve or export that information out.
• If I'm not mistaken, the "Offset Sector: 0" from mmls is just letting you know that, if there were additional sectors detected before the start of this disk, this is how far offset from the beginning of the disk / image the data is.
• There are a lot of resources to help you get further into Digital Forensics:
  • You can check sans.org and click on "Resources" at the top
  • See a list of available training at https://www.dfir.training/
  • You can also check out the Forensics Wiki: https://forensics.wiki/

I hope this helps!

[omar11alhajj]

thank you.

I cannot be more grateful.