Mount E01 containing VMDK/XFS from RHEL system

You're provided with an E01 of a VMDK from a Red Hat Enterprise Linux system. The disk carries an MBR partition table: a 1 GiB bootable XFS partition, and a second partition that is an LVM physical volume whose volume group holds the XFS root logical volume and a swap logical volume.

We created a Red Hat Enterprise Linux (RHEL) 9.2 virtual machine with a single 10 GB virtual disk, formatted with XFS on top of LVM. A file called 'files.txt' was placed on the user's desktop so we can confirm that the mounted root filesystem is readable.

We have the following file; RHEL-9.2-LVM-XFS.E01

The following will provide two examples of how to mount an E01 file and inspect its contents.

My preference is to use a combination of xmount, kpartx, and lvscan. This lets you mount the E01 (either a single file or split segments) with a write overlay, create/map the partitions using kpartx, find the LVM logical volumes using lvscan, and then mount the root volume using mount.

The second method uses ewfmount, then either losetup plus the LVM tools, or guestfish.

You'll need the following tools;

  • xmount; mount/convert multiple input file types (including EWF/E01 images, virtual disks, etc.) with an optional write cache

  • kpartx; reads partition tables on block devices/images and maps the partitions through device-mapper

  • disktype; displays partition table and filesystem information for a disk image (fdisk -l gives the partition table as well)

  • lvm2; vgscan, lvscan and vgchange to find and activate the volume group inside the image

  • ewf-tools (libewf); ewfmount exposes an E01 read-only as a raw image (no write cache, optional)

  • libguestfs-tools; guestfish, used in the second method (optional)

  • sleuthkit; inspect filesystem information using mmls and fls (optional)

$ file RHEL-9.2-LVM-XFS.E01
RHEL-9.2-LVM-XFS.E01: EWF/Expert Witness/EnCase image file format

First method - using xmount and kpartx

Use xmount to mount the disk

$ sudo xmount --in ewf RHEL-9.2-LVM-XFS.E01 --out vmdk --cache rhel-cache /mnt/RHEL

--in ewf specifies the input format; for a split image pass every segment, e.g. RHEL-9.2-LVM-XFS.E?? instead of the single .E01 file

--out vmdk specifies the output format (raw/dd, vhd, vmdk, etc.); with vmdk you get both the .vmdk descriptor and the raw .dd image shown below

--cache rhel-cache the cache file used as a write overlay: anything the kernel writes to the image (for example XFS log replay at mount time) lands in the cache and the E01 itself is never modified

/mnt/RHEL the location we want to mount our image

$ ls /mnt/RHEL
RHEL-9.2-LVM-XFS.dd  RHEL-9.2-LVM-XFS.info  RHEL-9.2-LVM-XFS.vmdk

Identify the partitions in the raw (dd) image

$ disktype /mnt/RHEL/RHEL-9.2-LVM-XFS.dd

--- RHEL-9.2-LVM-XFS.dd
Regular file, size 10 GiB (10737418240 bytes)
GRUB boot loader, unknown compat version 1
DOS/MBR partition map
Partition 1: 1 GiB (1073741824 bytes, 2097152 sectors from 2048, bootable)
  Type 0x83 (Linux)
  XFS file system, version 5
    Volume name ""
    UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx (DCE, v4)
    Volume size 1 GiB (1073741824 bytes, 262144 blocks of 4 KiB)
Partition 2: 8.999 GiB (9662627840 bytes, 18872320 sectors from 2099200)
  Type 0x8E (Linux LVM)
  Linux LVM2 volume, version 001
    LABELONE label at sector 1
    PV UUID xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxx
    Volume size 8.999 GiB (9662627840 bytes)
    Meta-data version 1
$ sudo fdisk -l /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
Disk /mnt/RHEL/RHEL-9.2-LVM-XFS.dd: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device                         Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd2      2099200 20971519 18872320   9G 8e Linux LVM

We can see from the output of both disktype and fdisk that the second partition (starting at sector 2099200) is a Linux LVM physical volume rather than a filesystem.

Use kpartx to map both partitions as device-mapper devices (kpartx maps, it does not mount)

$ sudo kpartx -a -v /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
loop0p1 : 0 2097152 /dev/loop0 2048
loop0p2 : 0 18872320 /dev/loop0 2099200
$ ls /dev/mapper
control  loop0p1  loop0p2
$ ls -lah /dev/mapper/loop0p2
lrwxrwxrwx 1 root root 7 Aug 20 12:53 /dev/mapper/loop0p2 -> ../dm-1
$ sudo lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit

The volumes already show as ACTIVE because udev auto-activated the volume group when the physical volume appeared; if lvscan reports them as inactive, run sudo vgchange --activate y rhel first. Then mount the root logical volume at the destination mount point. Writes made by XFS during log replay go to the xmount cache, so a plain mount succeeds here; mounting read-only (-o ro) is still good practice.

$ sudo mount /dev/rhel/root /mnt/rhel2

See if we can access the file 'files.txt' on the user's desktop

$ ls /mnt/rhel2/home/
username
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!

Second method - using ewfmount and guestfish

$ sudo mkdir /mnt/RHEL
$ sudo ewfmount RHEL-9.2-LVM-XFS.E01 /mnt/RHEL
$ sudo ls /mnt/RHEL
ewf1

$ sudo fdisk -l /mnt/RHEL/ewf1
Disk /mnt/RHEL/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM

We can see that the second partition (p2) is an LVM member. Without xmount there is no kpartx mapping, so we attach just that partition as a read-only loop device, using its start sector times the 512-byte sector size as the offset.

$ sudo losetup -r -o $((512*2099200)) /dev/loop0 /mnt/RHEL/ewf1

$ cd /mnt/RHEL
$ sudo mount /dev/loop0 /mnt/rhel2
mount: /mnt/rhel2: unknown filesystem type 'LVM2_member'

This is expected: the loop device is an LVM physical volume, not a filesystem, so the volume group has to be scanned and activated before anything can be mounted.

Now, since ewfmount doesn't support write overlay, I always seem to run into errors with XFS filesystems (even mounting using the -ro option). Probably PEBKAC, tbh.

Run vgscan to find volume groups on the new loop device;

$ vgscan
  Found volume group "rhel" using metadata type lvm2

Run lvscan to see logical volumes;

$ lvscan
  inactive          '/dev/rhel/root' [<8.00 GiB] inherit
  inactive          '/dev/rhel/swap' [1.00 GiB] inherit

Activate the volume group;

$ vgchange --activate y rhel
$ lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit

Try and mount /dev/rhel/root (which is a symlink to the device-mapper node /dev/dm-N; /dev/mapper/rhel-root points at the same node)

$ mount /dev/rhel/root /mnt/rhel2
mount: /mnt/rhel2: can't read superblock on /dev/rhel/root.

Run dmesg to see a stack of I/O read/write errors;

$ dmesg

[  801.785731] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
[  801.785737] XFS (dm-0): failed to locate log tail
[  801.785738] XFS (dm-0): log mount/recovery failed: error -5
[  801.786364] XFS (dm-0): log mount failed
[  864.069403] XFS (dm-0): Mounting V5 Filesystem
[  864.074516] Trying to write to read-only block-device loop0
[  864.074551] Trying to write to read-only block-device loop0
[  864.074709] blk_update_request: I/O error, dev loop0, sector 8400354 op 0x1:(WRITE) flags 0x5800 phys_seg 20 prio class 0
[  864.074718] blk_update_request: I/O error, dev loop0, sector 8402914 op 0x1:(WRITE) flags 0x1800 phys_seg 12 prio class 0
[  864.074728] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5

The mount fails because XFS writes to the journal during mount-time log recovery, and those writes hit the read-only loop device (the WRITE errors above). Mounting /dev/rhel/root with the ro and loop options works here; XFS also accepts norecovery (only valid together with ro) to skip log replay entirely, and nouuid avoids a clash when the analysis host already has an XFS filesystem mounted with the same UUID, which is common when both are RHEL installs.

$ mount -o ro,loop /dev/rhel/root /mnt/rhel2
$ ls /mnt/rhel2/home/username/Desktop/
files.txt
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!
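The following script is added here as an example and is not part of the original page. It automates the manual steps of the second method (ewfmount, the losetup offset computed from fdisk -l, LVM activation, the XFS mount) and equally applies to the kpartx route of the first method, since only the attach step differs. Instead of hard-coding sector 2099200 it parses the fdisk -l output, attaches the loop device read-only, mounts the root volume with ro,norecovery,nouuid so the log-replay write errors shown above do not occur, and tears everything down afterwards. The mount points /mnt/ewf and /mnt/root, the assumption that the root logical volume is called root (as in this page's rhel volume group), and running as root are assumptions of the example; the embedded fdisk sample is copied from this section.

```shell
#!/bin/sh
# Added example, not the original page's code.  Mount the XFS root LV of an
# E01 that holds an MBR disk with a Linux LVM (8e) partition, via ewfmount +
# losetup.  Assumed names: $1 is the E01, /mnt/ewf the ewfmount FUSE view,
# /mnt/root the final mount point, "root" the name of the root LV.  Needs
# root privileges plus libewf, util-linux and lvm2.
set -eu

# Parse `fdisk -l` output (read on stdin) and print the byte offset of the
# first partition whose Id column equals $1 (default 8e, Linux LVM).  Handles
# the optional '*' boot-flag column and takes the sector size from the
# "Units:" line instead of assuming 512.  Prints nothing if no match.
part_offset_bytes() {
    awk -v want="${1:-8e}" '
        BEGIN { ss = 512 }
        /^Units: sectors of/ { ss = $(NF - 1) }
        $1 ~ /^\// {
            start = $2; id = $6
            if ($2 == "*") { start = $3; id = $7 }
            if (id == want && !done) { printf "%.0f\n", start * ss; done = 1 }
        }'
}

# Read-only XFS mount options for evidence: "norecovery" skips the journal
# replay that fails with error -5 on a read-only block device (it is only
# valid together with "ro"); "nouuid" avoids a clash when the analysis host
# already has an XFS filesystem with the same UUID (common for RHEL on RHEL).
xfs_ro_opts() { printf '%s\n' "ro,norecovery,nouuid"; }

# Attach the image read-only, loop-map the LVM partition at the parsed
# offset, activate its volume group and mount the root LV.  Prints the loop
# device it used so the caller can pass it to umount_e01_root.
mount_e01_root() {
    e01="$1"; ewfdir="${2:-/mnt/ewf}"; target="${3:-/mnt/root}"
    mkdir -p "$ewfdir" "$target"
    ewfmount "$e01" "$ewfdir"
    raw="$ewfdir/ewf1"
    off=$(fdisk -l "$raw" | part_offset_bytes 8e)
    [ -n "$off" ] || { echo "no Linux LVM (8e) partition found" >&2; return 1; }
    # -r: read-only loop device; -f --show: pick a free one and print its name.
    loop=$(losetup -r -f --show -o "$off" "$raw")
    vgscan >/dev/null
    vg=$(pvs --noheadings -o vg_name "$loop" | tr -d ' ')
    vgchange -ay "$vg" >/dev/null
    mount -t xfs -o "$(xfs_ro_opts)" "/dev/$vg/root" "$target"
    printf '%s\n' "$loop"
}

# Undo everything in reverse order so the next image starts from a clean host.
umount_e01_root() {
    loop="$1"; ewfdir="${2:-/mnt/ewf}"; target="${3:-/mnt/root}"
    umount "$target" || true
    vg=$(pvs --noheadings -o vg_name "$loop" | tr -d ' ')
    vgchange -an "$vg" >/dev/null
    losetup -d "$loop"
    fusermount -u "$ewfdir"
}

# Constructed sample for offline checking: the fdisk -l output from this page.
SAMPLE_FDISK='Disk /mnt/RHEL/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM'

# Usage: sudo sh mount_e01_root.sh RHEL-9.2-LVM-XFS.E01
# Mounts /dev/<vg>/root read-only at /mnt/root and prints the loop device.
if [ "$#" -ge 1 ]; then
    mount_e01_root "$1"
fi
```

With the sample above, part_offset_bytes 8e prints 1074790400 (2099200 * 512), the same value the manual losetup command used; the teardown order (umount, vgchange -an, losetup -d, fusermount -u) matters because each layer holds the one below it open.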

Another way is to mount using guestfish

$ guestfish --ro -a /mnt/RHEL/ewf1

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell

><fs> run
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
><fs> list-filesystems
/dev/sda1: xfs
/dev/rhel/root: xfs
/dev/rhel/swap: swap
><fs> mount /dev/rhel/root /
><fs> mount-local /mnt/rhel-mount readonly:true
><fs> mount-local-run

In another terminal/tab (mount-local-run blocks in the guestfish session until the FUSE mount is unmounted again)

$ cat /mnt/rhel-mount/home/username/Desktop/files.txt
all the secrets!
