Mounting and exporting a single linux raid partition from an E01 in Ubuntu











OK, so I have a forensic image (E01) of a ZyXel NAS unit (model NSA 310).
http://il.zyxel.com/es/es/ProductTab.shtml?pid=20110426084939&idx=6&c=es&l=es

Most standard forensic tools won't recognise the file system on this device; from research, it contains either an XFS or EXT4 file system.

The device is password protected with an unknown password, so I'm unable to get past the web-based admin console to view its files. (Resetting the device's password back to default with the button reset method is not an option, as we must preserve the device in its current configuration state.)

The device, I believe, is in a RAID 1 configuration (although there's only 1 disk in the NAS).

I was led to believe that the only O/S that could read this is Linux, so I have built a small PC with the latest Ubuntu installed, along with EWF mount installed etc.

Please note that I'm not a Linux expert by any means, so it's quite likely that the experts will most likely mock some of my attempts below! ;)

From various research I have attempted the following:

mkdir /mnt/ewfmount

ewfmount e01 file /mnt/ewfmount

cd /mnt/ewfmount

ls -l - this now shows a file called 'ewf1'

sfdisk -l -uS ewf1 - this shows the 2 partition layout of the image file.

Device  Boot   Start        End     Sectors  Size Id Type
ewf1p1            63    1028159     1028097  502M  8 AIX
ewf1p2       1028160 3907024064  3905995905  1.8T  9 AIX bootable

Do maths byte x sector start (512 x 1028160 etc) to mount beginning of main partition 2, which is the main one I'm interested in.

losetup -a (to check what loop device numbers are in use)

losetup -r -o math result /dev/loop* (whichever number is free) ewf1

root@Linux:/mnt/ewfmount# losetup -r -o 526417920 /dev/loop26 ewf1

This shows successful
/dev/loop26: [0053]:2 (/mnt/ewfmount/ewf1), offset 526417920

mkdir /mnt/rawmount

Final stage normally would be the following:
root@Linux:/mnt/ewfmount# mount -o noexec,nodev,ro /dev/loop26 /mnt/rawmount

At this point the file system of the mounted E01 should now be available to browse as a flat file system in Ubuntu.

However, I'm presented with the error:
unknown filesystem type 'linux_raid_member'.

At this point I've done some quick research and found some comments regarding rebuilding the RAID config in the Linux environment (not something I've done before).

However, the research indicates that I need to have 'mdadm' installed.

sudo apt-get install mdadm - install completed.

root@Linux:/mnt/ewfmount# mdadm --assemble --run /dev/loop26
mdadm: device /dev/loop26 exists but is not an md array.

root@Linux:/mnt/ewfmount# mdadm --examine /dev/loop26
/dev/loop26:
          Magic : a92b4efc
        Version : 1.2
    Feature Map : 0x0
     Array UUID : bd8b065d:de4c3d0e:de8fdf3d:edb52ad9
           Name : nsa310:0
  Creation Time : Thu Dec 31 23:59:14 2009
     Raid Level : linear
   Raid Devices : 1

 Avail Dev Size : 3905993857 (1862.52 GiB 1999.87 GB)
  Used Dev Size : 0
    Data Offset : 2048 sectors
   Super Offset : 8 sectors
   Unused Space : before=1968 sectors, after=5103 sectors
          State : clean
    Device UUID : 1d633f6c:d6583d3f:517c120f:b8be4edb

    Update Time : Thu Dec 31 23:59:14 2009
       Checksum : a43d43b2 - correct
         Events : 0

       Rounding : 0K

    Device Role : Active device 0
    Array State : A ('A' == active, '.' == missing, 'R' == replacing)

root@Linux:/mnt/ewfmount# mount -o noexec,nodev,ro /dev/loop26 /mnt/rawmount/
mount: /mnt/rawmount: unknown filesystem type 'linux_raid_member'.

I've sort of hit a wall at this point, as my Linux skills and research have taken me to a dead end.

If anyone can be arsed to read the above, does anyone have any suggestions of where I am going wrong? Should I convert the E01 to a raw DD image instead?










      raid nas






asked Nov 22 at 13:53 by Terry D
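The `mdadm --examine` output in the question reports `Super Offset : 8 sectors` and `Data Offset : 2048 sectors`. The following added example (not part of the original post) decodes those fields from a v1.x md superblock and derives the byte offset in the whole-disk image at which the member's data area begins, which is the value a read-only `losetup -r -o` would take instead of the bare partition offset. The function names and the in-memory sample superblock are constructed for illustration, and whether a directly mountable file system sits at that offset is an assumption to verify on the image.

```python
import struct

SECTOR = 512
MD_MAGIC = 0xA92B4EFC            # "Magic : a92b4efc" in mdadm --examine
SB_V12_OFFSET = 8 * SECTOR       # "Super Offset : 8 sectors" (metadata version 1.2)
LEVELS = {-1: "linear", 0: "raid0", 1: "raid1", 5: "raid5", 6: "raid6", 10: "raid10"}


def read_superblock(image_path, partition_start_sector):
    """Read the v1.2 superblock of one partition; the image is opened read-only."""
    with open(image_path, "rb") as img:
        img.seek(partition_start_sector * SECTOR + SB_V12_OFFSET)
        return img.read(256)


def parse_md_v1_superblock(sb):
    """Decode the v1.x superblock fields that locate the member's data area."""
    if len(sb) < 152:
        raise ValueError("short read: need at least 152 bytes of superblock")
    magic, major, feature_map = struct.unpack_from("<III", sb, 0)
    if magic != MD_MAGIC or major != 1:
        raise ValueError("no md v1.x superblock at this offset")
    level, = struct.unpack_from("<i", sb, 72)          # signed: -1 means linear
    raid_disks, = struct.unpack_from("<I", sb, 92)
    data_offset, data_size, super_offset = struct.unpack_from("<QQQ", sb, 128)
    return {
        "name": sb[32:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        "feature_map": feature_map,
        "level": LEVELS.get(level, f"unknown({level})"),
        "raid_devices": raid_disks,
        "data_offset": data_offset,      # sectors, relative to the member start
        "data_size": data_size,          # sectors
        "super_offset": super_offset,    # sectors
    }


def member_data_byte_offset(partition_start_sector, sb):
    """Byte offset in the whole-disk image where this member's data begins."""
    contiguous = sb["level"] == "raid1" or (
        sb["level"] == "linear" and sb["raid_devices"] == 1)
    if not contiguous:
        raise ValueError("data spans several members; one member is not enough")
    return (partition_start_sector + sb["data_offset"]) * SECTOR


def build_sample_superblock():
    """Constructed sample carrying the values shown in the question's output."""
    sb = bytearray(256)
    struct.pack_into("<III", sb, 0, MD_MAGIC, 1, 0)      # magic, major, feature map
    sb[32:40] = b"nsa310:0"                              # Name
    struct.pack_into("<i", sb, 72, -1)                   # Raid Level : linear
    struct.pack_into("<I", sb, 92, 1)                    # Raid Devices : 1
    struct.pack_into("<QQQ", sb, 128, 2048, 3905993857, 8)
    return bytes(sb)


if __name__ == "__main__":
    # On a real case: sb_bytes = read_superblock("/mnt/ewfmount/ewf1", 1028160)
    info = parse_md_v1_superblock(build_sample_superblock())
    offset = member_data_byte_offset(1028160, info)      # partition 2 start sector
    print(info)
    print(f"read-only loop offset for the data area: {offset} bytes")
```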


























