# Mount E01 containing VMDK/XFS from RHEL system

We created a Red Hat Enterprise Linux (RHEL) v9.2 virtual machine with a single 10GB virtual disk, formatted with XFS, and part of an LVM volume group. We created a file called 'files.txt' on the user's desktop.

We have the following file: `RHEL-9.2-LVM-XFS.E01`

The following will provide two examples of how to mount an E01 file and inspect its contents.

My preference is to use a combination of xmount, kpartx, and lvscan. This will provide you with the ability to mount the E01 (either single file or split segments), create/map partitions using kpartx, scan for LVM segments using lvscan, and then mount it using mount.

The second method is to use ewfmount and guestfish.

You'll need the following tools:

* xmount; mount/convert multiple input file types (including ewf/E01 images, virtual disks, etc)
* kpartx; reads partition tables on block devices and maps partitions
* disktype; identify the content format (partition tables, file systems) of a disk or disk image
* ewftools; mount E01 files read-only (no cache, optional)
* sleuthkit; inspect filesystem information using mmls and fls (optional)

```
$ file RHEL-9.2-LVM-XFS.E01
RHEL-9.2-LVM-XFS.E01: EWF/Expert Witness/EnCase image file format
```

## First method - using xmount and kpartx

**Use xmount to mount the disk**

```
$ sudo xmount --in ewf RHEL-9.2-LVM-XFS.E01 --out vmdk --cache rhel-cache /mnt/RHEL
```

`--in ewf` specifies the input format. For a split image, pass the whole range of segments by using `E??` instead of `E01`.

`--out vmdk` specifies the output format (raw, vhd, vmdk, etc.)

`--cache rhel-cache` is the cache file used as a write overlay, so temporary writes go to the cache and not to the E01.

`/mnt/RHEL` is the location where we want to mount our image.

```
$ ls /mnt/RHEL
RHEL-9.2-LVM-XFS.dd  RHEL-9.2-LVM-XFS.info  RHEL-9.2-LVM-XFS.vmdk
```

**Identify partitions from raw (dd) image**

```
$ disktype /mnt/RHEL/RHEL-9.2-LVM-XFS.dd

--- RHEL-9.2-LVM-XFS.dd
Regular file, size 10 GiB (10737418240 bytes)
GRUB boot loader, unknown compat version 1
DOS/MBR partition map
Partition 1: 1 GiB (1073741824 bytes, 2097152 sectors from 2048, bootable)
  Type 0x83 (Linux)
  XFS file system, version 5
    Volume name ""
    UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx (DCE, v4)
    Volume size 1 GiB (1073741824 bytes, 262144 blocks of 4 KiB)
Partition 2: 8.999 GiB (9662627840 bytes, 18872320 sectors from 2099200)
  Type 0x8E (Linux LVM)
  Linux LVM2 volume, version 001
    LABELONE label at sector 1
    PV UUID xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxx
    Volume size 8.999 GiB (9662627840 bytes)
    Meta-data version 1
```

```
$ sudo fdisk -l /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
Disk /mnt/RHEL/RHEL-9.2-LVM-XFS.dd: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device                         Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd2      2099200 20971519 18872320   9G 8e Linux LVM
```

We can see from the output of both disktype and fdisk that the second partition (starting at sector 2099200) is a Linux LVM member.

**Use kpartx to map both partitions**

```
$ sudo kpartx -a -v /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
loop0p1 : 0 2097152 /dev/loop0 2048
loop0p2 : 0 18872320 /dev/loop0 2099200
```

```
$ ls /dev/mapper
control  loop0p1  loop0p2
```

```
$ ls -lah /dev/mapper/loop0p2
lrwxrwxrwx 1 root root 7 Aug 20 12:53 /dev/mapper/loop0p2 -> ../dm-1
$ sudo lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit
```

**Mount root partition to destination mount point**

```
$ sudo mount /dev/rhel/root /mnt/rhel2
```

**See if we can access the file 'files.txt' on the user's desktop**

```
$ ls /mnt/rhel2/home/
username
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!
```

## Second method - using ewfmount and guestfish

```
$ sudo mkdir /mnt/RHEL
$ sudo ewfmount RHEL-9.2-LVM-XFS.E01 /mnt/RHEL
$ sudo ls /mnt/RHEL
ewf1
```

```
$ sudo fdisk -l /mnt/RHEL/ewf1
Disk /mnt/RHEL/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM
```

We can see the above partition (p2) is an LVM member.

```
# Attach the LVM partition read-only: byte offset = sector size (512) * start sector (2099200)
$ sudo losetup -r -o $((512*2099200)) /dev/loop0 /mnt/RHEL/ewf1

$ cd /mnt/RHEL
$ mount /dev/loop0 /mnt/rhel-mount
mount: /mnt/RHEL2: unknown filesystem type 'LVM2_member'.
```
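The offset passed to `losetup` above can be derived from the `fdisk -l` listing instead of being typed by hand. The following is an added example, not part of the original page: the function names are illustrative, and the sample text is copied from the fdisk output shown earlier. It also handles the extra `*` field that bootable rows carry, which shifts the columns.

```shell
# Added example: derive read-only losetup arguments from `fdisk -l` output.
# FDISK_SAMPLE is copied from the fdisk listing on this page.
FDISK_SAMPLE='Units: sectors of 1 * 512 = 512 bytes
Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM'

# Read fdisk output on stdin; print "device offset_bytes size_bytes id" per partition.
# The sector size comes from the "Units:" line and falls back to 512 if it is absent.
partition_extents() {
  awk '
    BEGIN     { ss = 512 }
    /^Units:/ { for (i = 1; i <= NF; i++) if ($i == "=") ss = $(i + 1) }
    /^Device/ { in_table = 1; next }
    in_table && NF >= 6 {
      f = 2
      if ($f == "*") f++        # bootable rows have an extra "*" column
      start = $f; sectors = $(f + 2); id = $(f + 4)
      # %.0f keeps large byte counts exact and out of exponent notation
      printf "%s %.0f %.0f %s\n", $1, start * ss, sectors * ss, id
    }'
}

# Read fdisk output on stdin; print one losetup command per Linux LVM (Id 8e) partition.
# --sizelimit bounds the loop device to the partition itself.
lvm_losetup_cmds() {
  partition_extents | awk -v img="$1" '
    $4 == "8e" {
      printf "losetup --find --show --read-only --offset %s --sizelimit %s %s\n", $2, $3, img
    }'
}

printf '%s\n' "$FDISK_SAMPLE" | lvm_losetup_cmds /mnt/RHEL/ewf1
```

On a live system, pipe `sudo fdisk -l /mnt/RHEL/ewf1` into `lvm_losetup_cmds` and review the printed command before running it.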

Now, since ewfmount doesn't support write overlay, I always seem to run into errors with XFS filesystems (even mounting using the -ro option). Probably PEBKAC, tbh.

**Run vgscan to see volume group objects**

```
$ vgscan
  Found volume group "rhel" using metadata type lvm2
```

**Run lvscan to see logical volumes:**

```
$ lvscan
  inactive          '/dev/rhel/root' [<8.00 GiB] inherit
  inactive          '/dev/rhel/swap' [1.00 GiB] inherit
```

**Activate:**

```
$ vgchange --activate y rhel
$ lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit
```

**Try and mount `/dev/rhel/root` (which is just a symlink back to /dev/mapper/dm-\*)**

```
$ mount /dev/rhel/root /mnt/rhel2
mount: /mnt/rhel2: can't read superblock on /dev/rhel/root.
```

**Run dmesg to see a stack of I/O read/write errors:**

```
$ dmesg

[  801.785731] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
[  801.785737] XFS (dm-0): failed to locate log tail
[  801.785738] XFS (dm-0): log mount/recovery failed: error -5
[  801.786364] XFS (dm-0): log mount failed
[  864.069403] XFS (dm-0): Mounting V5 Filesystem
[  864.074516] Trying to write to read-only block-device loop0
[  864.074551] Trying to write to read-only block-device loop0
[  864.074709] blk_update_request: I/O error, dev loop0, sector 8400354 op 0x1:(WRITE) flags 0x5800 phys_seg 20 prio class 0
[  864.074718] blk_update_request: I/O error, dev loop0, sector 8402914 op 0x1:(WRITE) flags 0x1800 phys_seg 12 prio class 0
[  864.074728] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
```
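The dmesg lines above pair XFS log recovery errors with write attempts against the read-only loop device. The following is an added example, not part of the original page, that pulls that pattern out of kernel log text. The function name and verdict strings are illustrative, and the sample lines are copied from the excerpt above.

```shell
# Added example: triage kernel log text for an XFS log replay that was
# blocked by a read-only block device.
# DMESG_SAMPLE lines are copied from the dmesg excerpt on this page.
DMESG_SAMPLE='[  801.785738] XFS (dm-0): log mount/recovery failed: error -5
[  864.069403] XFS (dm-0): Mounting V5 Filesystem
[  864.074516] Trying to write to read-only block-device loop0
[  864.074709] blk_update_request: I/O error, dev loop0, sector 8400354 op 0x1:(WRITE) flags 0x5800 phys_seg 20 prio class 0
[  864.074728] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5'

# Read kernel log text on stdin. For every XFS device with a failed log
# recovery write, print:
#   "<dev> replay_errors=<n> blocked_writes=<n> verdict=<string>"
triage_xfs_replay() {
  awk '
    # Drop the "[  864.074516] " timestamp so patterns anchor on the message.
    { sub(/^\[[ 0-9.]+\] /, "") }
    /^Trying to write to read-only block-device/ { ro_writes++ }
    /I\/O error, dev .*\(WRITE\)/               { write_errs++ }
    /^XFS \([^)]+\): log recovery write I\/O error/ {
      dev = $2; gsub(/[():]/, "", dev)   # "(dm-0):" -> "dm-0"
      replay[dev]++
    }
    END {
      blocked = ro_writes + write_errs
      for (d in replay) {
        verdict = (blocked > 0) ? "replay-blocked-by-read-only-device" : "replay-io-error"
        printf "%s replay_errors=%d blocked_writes=%d verdict=%s\n", d, replay[d], blocked, verdict
      }
    }'
}

printf '%s\n' "$DMESG_SAMPLE" | triage_xfs_replay
```

A `replay-blocked-by-read-only-device` verdict means the file system's log needs replaying and the device underneath refuses writes, which is the situation the xmount `--cache` write overlay in the first method avoids.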

**So we can mount /dev/rhel/root using the `ro` and `loop` mount options:**

```
$ mount -o ro,loop /dev/rhel/root /mnt/rhel2
$ ls /mnt/rhel2/home/username/Desktop/
files.txt
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!
```

Another way is to mount using guestfish:

```
$ guestfish --ro -a /mnt/RHEL/ewf1

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell

><fs> run
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
><fs> list-filesystems
/dev/sda1: xfs
/dev/rhel/root: xfs
/dev/rhel/swap: swap
><fs> mount /dev/rhel/root /
><fs> mount-local /mnt/rhel-mount readonly:true
><fs> mount-local-run
```

In another terminal/tab:

```
$ cat /mnt/rhel-mount/home/username/Desktop/files.txt
all the secrets!
```

