Mount E01 containing VMDK/XFS from RHEL system

You're provided with an E01 of a VMDK from a RedHat Enterprise Linux system, which is formatted using XFS and is part of an LVM group.
We created a RedHat Linux (RHEL) v9.2 virtual machine with a single 10GB virtual disk, formatted with XFS, and part of an LVM. We created a file called 'files.txt' on the user's desktop. 
We have the following file; RHEL-9.2-LVM-XFS.E01
The following will provide two examples of how to mount an E01 file and inspect its contents.
My preference is to use a combination of xmount, kpartx, and lvscan. This will provide you with the ability to mount the E01 (either single file or split segments), create/map partitions using kpartx, scan for LVM segments using lvscan, and then mount it using mount.
The second method is to use ewfmount, and guestfish.
You'll need the following tools;
xmount; mount/convert mulitple input file types (including ewf/E01 images, virtual disks, etc)
kpartx; reads partition tables on block devices and maps partitions
diskinfo; display information about a disk device
ewftools; mount E01 files read-only (no cache, optional)
sleuthkit; inspect filesystem information using mmls and fls (optional)
$ file RHEL-9.2-LVM-XFS.E01
RHEL-9.2-LVM-XFS.E01: EWF/Expert Witness/EnCase image file format
First method - using xmount and kpartx
Use xmount to mount the disk
$ sudo xmount --in ewf RHEL-9.2-LVM-XFS.E01 --out vmdk --cache rhel-cache /mnt/RHEL
--in ewf specifies input format (can be a range of E01 segments (use E?? instead of E01))
-- out vmdk specifies output format (can be multiple formats, raw, vhd, vmdk, etc)
--cache rhel-cache the output temp cache folder (as a write overlay) for temporary image writes
 /mnt/RHEL the location we want to mount our image
$ ls /mnt/RHEL
RHEL-9.2-LVM-XFS.dd  RHEL-9.2-LVM-XFS.info  RHEL-9.2-LVM-XFS.vmdk
Identify partitions from raw (dd) image
$ disktype /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
​
--- RHEL-9.2-LVM-XFS.dd
Regular file, size 10 GiB (10737418240 bytes)
GRUB boot loader, unknown compat version 1
DOS/MBR partition map
Partition 1: 1 GiB (1073741824 bytes, 2097152 sectors from 2048, bootable)
  Type 0x83 (Linux)
  XFS file system, version 5
    Volume name ""
    UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx (DCE, v4)
    Volume size 1 GiB (1073741824 bytes, 262144 blocks of 4 KiB)
Partition 2: 8.999 GiB (9662627840 bytes, 18872320 sectors from 2099200)
  Type 0x8E (Linux LVM)
  Linux LVM2 volume, version 001
    LABELONE label at sector 1
    PV UUID xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxx
    Volume size 8.999 GiB (9662627840 bytes)
    Meta-data version 1
$ sudo fdisk -l /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
Disk /mnt/RHEL/RHEL-9.2-LVM-XFS.dd: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb
​
Device                         Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd2      2099200 20971519 18872320   9G 8e Linux LVM
We can see from the output of both disktype and fdisk that the second partition (starting at offset 2099200) is a Linux LVM member.
Use kpartx to mount both partitions
$ sudo kpartx -a -v /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
loop0p1 : 0 2097152 /dev/loop0 2048
loop0p2 : 0 18872320 /dev/loop0 2099200
$ ls /dev/mapper
control  loop0p1  loop0p2
$ ls -lah /dev/mapper/loop0p2
lrwxrwxrwx 1 root root 7 Aug 20 12:53 /dev/mapper/loop0p2 -> ../dm-1
$ sudo lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit
Mount root partition to destination mount point 
$ sudo mount /dev/rhel/root /mnt/rhel2
See if we can access the file 'files.txt' on the user's desktop
$ ls /mnt/rhel2/home/
username
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!
Second method - using ewfmount and guestfish
​
$ sudo mkdir /mnt/RHEL
$ sudo ewfmount RHEL-9.2-LVM-XFS.E01 /mnt/RHEL
$ sudo ls /mnt/RHEL
ewf1
​
$ sudo fdisk -l /mnt/RHEL/ewf1
Disk /mnt/RHEL/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb
​
Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM
We can see the above partition (p2) is an LVM member.
​
$ sudo losetup -r -o $((512*2099200) /dev/loop0 /mnt/RHEL/ewf1
​
$ cd /mnt/RHEL
$ mount /dev/loop0 /mnt/rhel-mount
mount: /mnt/RHEL2: unknown filesystem type 'LVM2_member
Now, since ewfmount doesn't support write overlay, I always seem to run into errors with XFS filesystems (even mounting using the -ro option). Probably PEBKAC, tbh.
Run vgscan to see volume group objects
$ vgscan
  Found volume group "rhel" using metadata type lvm2
Run lvscan to see logical volumes;
$ lvscan
  inactive          '/dev/rhel/root' [<8.00 GiB] inherit
  inactive          '/dev/rhel/swap' [1.00 GiB] inherit
Activate;
$ vgchange --activate y rhel
$ lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit
Try and mount /dev/rhel/root (which is just a symlink back to /dev/mapper/dm-*)
mount /dev/rhel/root /mnt/rhel2
mount: /mnt/rhel2: can't read superblock on /dev/rhel/root.
Run dmesg to see a stack of I/O read/write errors;
$ dmesg
​
[  801.785731] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
[  801.785737] XFS (dm-0): failed to locate log tail
[  801.785738] XFS (dm-0): log mount/recovery failed: error -5
[  801.786364] XFS (dm-0): log mount failed
[  864.069403] XFS (dm-0): Mounting V5 Filesystem
[  864.074516] Trying to write to read-only block-device loop0
[  864.074551] Trying to write to read-only block-device loop0
[  864.074709] blk_update_request: I/O error, dev loop0, sector 8400354 op 0x1:(WRITE) flags 0x5800 phys_seg 20 prio class 0
[  864.074718] blk_update_request: I/O error, dev loop0, sector 8402914 op 0x1:(WRITE) flags 0x1800 phys_seg 12 prio class 0
[  864.074728] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
So we can mount /dev/rhel/root using the -ro and loop options;
$ mount -o ro,loop /dev/rhel/root /mnt/rhel2
$ ls /mnt/rhel2/home/username/Desktop/
files.txt
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!
Another way is to mount using guestfish
$ guestfish --ro -a /mnt/RHEL/ewf1
​
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
​
Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell
​
><fs> run
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
><fs> list-filesystems
/dev/sda1: xfs
/dev/rhel/root: xfs
/dev/rhel/swap: swap
><fs> mount /dev/rhel/root /
><fs> mount-local /mnt/rhel-mount readonly:true
><fs> mount-local-run
In another terminal/tab
$ cat /mnt/rhel-mount/home/username/Desktop/files.txt
all the secrets!
General Notes - Previous
MinIO/S3/R2 ghost files
Next - General Notes
Disk images for various filesystems and configurations
Last modified 1mo ago