
How to mount a .E01 forensic image file in Linux

https://bwiggs.com/posts/2021-07-25-cyberdefenders-hacked/

Here Webserver.E01 is our forensic image.

Install the command line tools

  • ewf-tools provides tools to work with the EWF (Expert Witness / .E01) file format
  • sleuthkit provides tools to work with filesystem images (not needed for this procedure)
  • kpartx reads the partition table of the specified device and creates device-mapper entries for the partitions it finds

$ apt-get install ewf-tools sleuthkit kpartx

These steps need root privileges; here they are run as a normal user through sudo, hence the $ prompt:

$ mkdir mnt   (created under /home/avi/, assuming the current directory is /home/avi/)
$ sudo ewfmount /home/avi/Desktop/Hacked/Webserver.E01 mnt
  ewfmount 20140807

The mounted device is owned by root, so listing it also needs root (note the # prompt):

# ls -la /home/avi/mnt

 -r--r--r-- 1 root root 32G Jul 25 00:36 ewf1

The image is now exposed as a single raw device, ewf1, that holds the whole disk including its partition table.

Mapping the Linux LVM partition (on Parrot):

$ sudo kpartx -a -v mnt/ewf1
add map loop0p1 (253:0): 0 497664 linear 7:0 2048
add map loop0p2 (253:1): 0 2 linear 7:0 501758
add map loop0p5 (253:2): 0 65562624 linear 7:0 501760


List the LVM logical volumes and their device paths (loop0p5 is the LVM physical volume, as the warning below shows):

$ sudo lvscan

/dev/sda: open failed: No medium found
WARNING: PV /dev/mapper/loop0p5 in VG VulnOSv2-vg is using an old PV header, modify the VG to update.
ACTIVE            '/dev/VulnOSv2-vg/root' [30.51 GiB] inherit
ACTIVE            '/dev/VulnOSv2-vg/swap_1' [768.00 MiB] inherit

Mount the root volume into your filesystem. ro makes the mount read-only and noload stops the kernel from replaying the ext journal, so nothing is written to the evidence:

$ sudo mount -o ro,noload /dev/VulnOSv2-vg/root mnt1/linux   (mnt1/linux was created under /home/avi/)
$ ls -l mnt1/linux

total 104K
drwxr-xr-x  21 root       root       4.0K Apr  3  2016 .
drwxrwxr-x   4 bwigginton bwigginton 4.0K Jul 25 01:01 ..
drwxr-xr-x   2 root       root       4.0K Apr 16  2016 bin
drwxr-xr-x   2 root       root       4.0K Apr  3  2016 boot
drwxr-xr-x   4 root       root       4.0K Apr  3  2016 dev
drwxr-xr-x 102 root       root       4.0K Oct  5  2019 etc
drwxr-xr-x   4 root       root       4.0K Apr 16  2016 home
lrwxrwxrwx   1 root       root         33 Apr  3  2016 initrd.img -> boot/initrd.img-3.13.0-24-generic
drwxr-xr-x  21 root       root       4.0K Apr  3  2016 lib
drwx------   2 root       root        16K Apr  3  2016 lost+found
drwxr-xr-x   3 root       root       4.0K Apr  3  2016 media
drwxr-xr-x   2 root       root       4.0K Apr 10  2014 mnt
drwxr-xr-x   2 root       root       4.0K Apr 16  2014 opt
drwxr-xr-x   2 root       root       4.0K Apr 10  2014 proc
drwx------   3 root       root       4.0K Oct  5  2019 root
drwxr-xr-x   2 root       root       4.0K Apr  3  2016 run
drwxr-xr-x   2 root       root        12K Apr  3  2016 sbin
drwxr-xr-x   2 root       root       4.0K Apr 16  2014 srv
drwxr-xr-x   2 root       root       4.0K Mar 12  2014 sys
drwxrwxrwx   2 root       root       4.0K Oct  5  2019 tmp
drwxr-xr-x  11 root       root       4.0K Oct  5  2019 usr
drwxr-xr-x  13 root       root       4.0K Apr  3  2016 var
lrwxrwxrwx   1 root       root         30 Apr  3  2016 vmlinuz -> boot/vmlinuz-3.13.0-24-generic 
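The same procedure as one reusable script, added here as an example and not taken from the original post: it assumes ewf-tools, kpartx and lvm2 are installed, adds the sanity checks and the reverse-order teardown the post leaves out, and has a dry-run mode that prints the commands instead of running them.

```shell
# Added example: mount an EWF (.E01) image read-only via ewfmount + kpartx + LVM,
# then tear it down in reverse order. Assumes ewf-tools, kpartx and lvm2 are
# installed. Set DRY_RUN=1 to print the commands instead of executing them.

run() {   # execute a command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: e01_mount <image.E01> <ewf mountpoint> <fs mountpoint> <lv path>
# <lv path> is the logical volume reported by lvscan, e.g. /dev/VulnOSv2-vg/root
e01_mount() {
    local image=$1 ewfdir=$2 fsdir=$3 lv=$4
    if [ "${DRY_RUN:-0}" != 1 ]; then
        [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
        mkdir -p "$ewfdir" "$fsdir"
    fi
    run sudo ewfmount "$image" "$ewfdir"      # exposes $ewfdir/ewf1 (whole raw disk)
    run sudo kpartx -a -v "$ewfdir/ewf1"      # partitions appear as /dev/mapper/loopNpM
    run sudo vgchange -ay                     # activate volume groups (may already be ACTIVE)
    # ro: no writes; noload: do not replay the ext journal, so the evidence stays untouched
    run sudo mount -o ro,noload "$lv" "$fsdir"
}

# Usage: e01_umount <ewf mountpoint> <fs mountpoint> <volume group name>
e01_umount() {
    local ewfdir=$1 fsdir=$2 vg=$3
    run sudo umount "$fsdir"
    run sudo vgchange -an "$vg"               # deactivate before removing the mappings
    run sudo kpartx -d -v "$ewfdir/ewf1"
    run sudo umount "$ewfdir"
}
```

With the post's paths this is `e01_mount /home/avi/Desktop/Hacked/Webserver.E01 mnt mnt1/linux /dev/VulnOSv2-vg/root` followed later by `e01_umount mnt mnt1/linux VulnOSv2-vg`.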