Digital Forensics & Incident Response
  • Welcome
  • General Notes
    • Azure Blob storage with NGINX proxy
    • Install and Configure ZeroTier client
    • S3FS Fuse and MinIO
    • Enable nested VT-X/AMD-V
    • mitm proxy
    • Exploring Volume Shadow Copies Manually
    • Resize VMDK/VDI
    • Resize VMDK on ESXi
    • Convert raw to vmdk
    • Favicon hashing and hunting with Shodan
    • WinRM/RemotePS
    • MinIO/S3/R2 ghost files
    • Mount E01 containing VMDK/XFS from RHEL system
    • Disk images for various filesystems and configurations
      • ext4 with LVM and RAID5 (3 disks)
      • ZFS
      • UFS, FFS, BTRFS, XFS
      • ext4, LVM, and LUKS1/LUKS2
      • NTFS, FAT32, with BitLocker
      • NTFS, FAT32, exFAT with TrueCrypt, VeraCrypt
    • VirtualBox adapters greyed out
    • Exporting SQLite blob data from standalone SQLite database using command line tools
  • Microsoft Defender KQL
    • Introduction to KQL
  • Windows Forensics
    • PsExec
      • PsExec and NTUSER data
    • Security Patch/KB Install Date
  • Linux Forensics
    • Inspecting RPM/DEB packages
    • Common Locations
  • ESXi Forensics
    • Mount external USB device in ESXi hypervisor
    • Understanding ESXi
      • Partitions / Volumes
      • ESXi console / shell
      • Guest Virtual Machines
    • General Notes
    • Triage and Imaging
    • ESXi VMFS Exploration
    • Export OVF from ESXi using OVF Tool
    • Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores
  • Memory Forensics
    • Volatility
      • Volatility3 core commands
      • Build Custom Linux Profile for Volatility
      • Generate custom profile using btf2json
      • Banners, isfinfo, and custom profiles
      • Volatility2 core commands
      • 3rd Party Plugins
    • Acquisition
      • ESXi / VMware Workstation snapshots
      • DumpIt
      • WinPMem
      • Linux / AVML
  • Incident Response
    • Ivanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887
    • VirusTotal & hash lists
    • Unix-like Artifacts Collector (UAC)
      • Setup MinIO (object storage)
      • Create S3 pre-signed URL
      • UAC and pre-signed URLs
    • Acquiring Linux VPS via SSH
    • AVML dump to SMB / AWS
    • China Chopper webshell
    • Logging Powershell activities
    • Compromised UniFi Controller
    • AnyDesk Remote Access
    • Mounting UFS VMDK from NetScaler/Citrix ADC
  • iOS Forensics
    • Checkm8 / checkra1n acquisitions/extractions
  • CTF / Challenges
    • 13Cubed Linux memory forensics
    • Compromised Windows Server 2022 (simulation)
      • FTK Imager
      • Autopsy Forensics
      • Plaso
      • Events Ripper
      • EZ tools
    • DEFCON 2019 forensics
    • Tomcat shells
    • Magnet Weekly CTF
      • Magnet CTF Week 0
      • Magnet CTF Week 1
    • DFIR Madness CTF
      • Case 001 - Szechuan Sauce
  • Log Files
    • Windows
      • Generating Log Timelines
  • Malware Analysis
    • Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware
    • PDF Analysis
  • Walking the VAD tree
  • OpenCTI
    • What is CTI/OpenCTI?
    • Setting up OpenCTI
    • Container Management
    • Configure Connectors
  • Vulnerability Management
    • Setting Up Nessus (Essentials)
    • Troubleshooting
  • Privacy
Powered by GitBook
On this page
  • First method - using xmount and kpartx
  • Second method - using ewfmount and guestfish

Was this helpful?

  1. General Notes

Mount E01 containing VMDK/XFS from RHEL system

You're provided with an E01 of a VMDK from a RedHat Enterprise Linux system, which is formatted using XFS and is part of an LVM group.

We created a RedHat Linux (RHEL) v9.2 virtual machine with a single 10GB virtual disk, formatted with XFS, and part of an LVM. We created a file called 'files.txt' on the user's desktop.

We have the following file; RHEL-9.2-LVM-XFS.E01

The following will provide two examples of how to mount an E01 file and inspect its contents.

My preference is to use a combination of xmount, kpartx, and lvscan. This will provide you with the ability to mount the E01 (either single file or split segments), create/map partitions using kpartx, scan for LVM segments using lvscan, and then mount it using mount.

The second method is to use ewfmount, and guestfish.

You'll need the following tools;

  • xmount; mount/convert mulitple input file types (including ewf/E01 images, virtual disks, etc)

  • kpartx; reads partition tables on block devices and maps partitions

  • diskinfo; display information about a disk device

  • ewftools; mount E01 files read-only (no cache, optional)

  • sleuthkit; inspect filesystem information using mmls and fls (optional)

$ file RHEL-9.2-LVM-XFS.E01
RHEL-9.2-LVM-XFS.E01: EWF/Expert Witness/EnCase image file format

First method - using xmount and kpartx

Use xmount to mount the disk

$ sudo xmount --in ewf RHEL-9.2-LVM-XFS.E01 --out vmdk --cache rhel-cache /mnt/RHEL

--in ewf specifies input format (can be a range of E01 segments (use E?? instead of E01))

-- out vmdk specifies output format (can be multiple formats, raw, vhd, vmdk, etc)

--cache rhel-cache the output temp cache folder (as a write overlay) for temporary image writes

/mnt/RHEL the location we want to mount our image

$ ls /mnt/RHEL
RHEL-9.2-LVM-XFS.dd  RHEL-9.2-LVM-XFS.info  RHEL-9.2-LVM-XFS.vmdk

Identify partitions from raw (dd) image

$ disktype /mnt/RHEL/RHEL-9.2-LVM-XFS.dd

--- RHEL-9.2-LVM-XFS.dd
Regular file, size 10 GiB (10737418240 bytes)
GRUB boot loader, unknown compat version 1
DOS/MBR partition map
Partition 1: 1 GiB (1073741824 bytes, 2097152 sectors from 2048, bootable)
  Type 0x83 (Linux)
  XFS file system, version 5
    Volume name ""
    UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx (DCE, v4)
    Volume size 1 GiB (1073741824 bytes, 262144 blocks of 4 KiB)
Partition 2: 8.999 GiB (9662627840 bytes, 18872320 sectors from 2099200)
  Type 0x8E (Linux LVM)
  Linux LVM2 volume, version 001
    LABELONE label at sector 1
    PV UUID xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxx
    Volume size 8.999 GiB (9662627840 bytes)
    Meta-data version 1
$ sudo fdisk -l /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
Disk /mnt/RHEL/RHEL-9.2-LVM-XFS.dd: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device                         Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/RHEL-9.2-LVM-XFS.dd2      2099200 20971519 18872320   9G 8e Linux LVM

We can see from the output of both disktype and fdisk that the second partition (starting at offset 2099200) is a Linux LVM member.

Use kpartx to mount both partitions

$ sudo kpartx -a -v /mnt/RHEL/RHEL-9.2-LVM-XFS.dd
loop0p1 : 0 2097152 /dev/loop0 2048
loop0p2 : 0 18872320 /dev/loop0 2099200
$ ls /dev/mapper
control  loop0p1  loop0p2
$ ls -lah /dev/mapper/loop0p2
lrwxrwxrwx 1 root root 7 Aug 20 12:53 /dev/mapper/loop0p2 -> ../dm-1
$ sudo lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit

Mount root partition to destination mount point 

$ sudo mount /dev/rhel/root /mnt/rhel2

See if we can access the file 'files.txt' on the user's desktop

$ ls /mnt/rhel2/home/
username
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!

Second method - using ewfmount and guestfish

$ sudo mkdir /mnt/RHEL
$ sudo ewfmount RHEL-9.2-LVM-XFS.E01 /mnt/RHEL
$ sudo ls /mnt/RHEL
ewf1

$ sudo fdisk -l /mnt/RHEL/ewf1
Disk /mnt/RHEL/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa35043bb

Device           Boot   Start      End  Sectors Size Id Type
/mnt/RHEL/ewf1p1 *       2048  2099199  2097152   1G 83 Linux
/mnt/RHEL/ewf1p2      2099200 20971519 18872320   9G 8e Linux LVM

We can see the above partition (p2) is an LVM member.

$ sudo losetup -r -o $((512*2099200) /dev/loop0 /mnt/RHEL/ewf1

$ cd /mnt/RHEL
$ mount /dev/loop0 /mnt/rhel-mount
mount: /mnt/RHEL2: unknown filesystem type 'LVM2_member

Now, since ewfmount doesn't support write overlay, I always seem to run into errors with XFS filesystems (even mounting using the -ro option). Probably PEBKAC, tbh.

Run vgscan to see volume group objects

$ vgscan
  Found volume group "rhel" using metadata type lvm2

Run lvscan to see logical volumes;

$ lvscan
  inactive          '/dev/rhel/root' [<8.00 GiB] inherit
  inactive          '/dev/rhel/swap' [1.00 GiB] inherit

Activate;

$ vgchange --activate y rhel
$ lvscan
  ACTIVE            '/dev/rhel/root' [<8.00 GiB] inherit
  ACTIVE            '/dev/rhel/swap' [1.00 GiB] inherit

Try and mount /dev/rhel/root (which is just a symlink back to /dev/mapper/dm-*)

mount /dev/rhel/root /mnt/rhel2
mount: /mnt/rhel2: can't read superblock on /dev/rhel/root.

Run dmesg to see a stack of I/O read/write errors;

$ dmesg

[  801.785731] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5
[  801.785737] XFS (dm-0): failed to locate log tail
[  801.785738] XFS (dm-0): log mount/recovery failed: error -5
[  801.786364] XFS (dm-0): log mount failed
[  864.069403] XFS (dm-0): Mounting V5 Filesystem
[  864.074516] Trying to write to read-only block-device loop0
[  864.074551] Trying to write to read-only block-device loop0
[  864.074709] blk_update_request: I/O error, dev loop0, sector 8400354 op 0x1:(WRITE) flags 0x5800 phys_seg 20 prio class 0
[  864.074718] blk_update_request: I/O error, dev loop0, sector 8402914 op 0x1:(WRITE) flags 0x1800 phys_seg 12 prio class 0
[  864.074728] XFS (dm-0): log recovery write I/O error at daddr 0x35b2 len 4096 error -5

So we can mount /dev/rhel/root using the -ro and loop options;

$ mount -o ro,loop /dev/rhel/root /mnt/rhel2
$ ls /mnt/rhel2/home/username/Desktop/
files.txt
$ cat /mnt/rhel2/home/username/Desktop/files.txt
all the secrets!

Another way is to mount using guestfish

$ guestfish --ro -a /mnt/RHEL/ewf1

Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.

Type: ‘help’ for help on commands
      ‘man’ to read the manual
      ‘quit’ to quit the shell

><fs> run
 100% ⟦▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒⟧ 00:00
><fs> list-filesystems
/dev/sda1: xfs
/dev/rhel/root: xfs
/dev/rhel/swap: swap
><fs> mount /dev/rhel/root /
><fs> mount-local /mnt/rhel-mount readonly:true
><fs> mount-local-run

In another terminal/tab

$ cat /mnt/rhel-mount/home/username/Desktop/files.txt
all the secrets!
PreviousMinIO/S3/R2 ghost filesNextDisk images for various filesystems and configurations

Last updated 1 year ago

Was this helpful?