Mounting and exporting a single linux raid partition from an E01 in Ubuntu
OK, so I have a forensic image (E01) of a ZyXel NAS unit (model NSA 310).
http://il.zyxel.com/es/es/ProductTab.shtml?pid=20110426084939&idx=6&c=es&l=es
Most standard forensic tools won't recognise the file system on this device; from research it contains either an XFS or EXT4 file system.
The device is password protected with an unknown password, so I'm unable to get past the web-based admin console to view its files. (Resetting the device's password back to default with the button reset method is not an option, as we must preserve the device in its current configuration state.)
I believe the device is in a RAID 1 configuration (although there's only 1 disk in the NAS).
I was led to believe that the only O/S that could read this is Linux, so I have built a small PC with the latest Ubuntu installed, along with EWF mount installed, etc.
Please note that I'm not a Linux expert by any means, so it's quite likely that the experts will mock some of my attempts below! ;)
From various research I have attempted the following:
mkdir /mnt/ewfmount
ewfmount e01 file /mnt/ewfmount
cd /mnt/ewfmount
ls -l - this now shows a file called 'ewf1'
sfdisk -l -uS ewf1 - this shows the 2 partition layout of the image file.
Device Boot Start End Sectors Size Id Type
ewf1p1 63 1028159 1028097 502M 8 AIX
ewf1p2 1028160 3907024064 3905995905 1.8T 9 AIX bootable
Do the maths, bytes x sector start (512 x 1028160 etc.), to mount the beginning of partition 2, which is the main one I'm interested in.
losetup -a (to check what loop device numbers are in use)
losetup -r -o math result /dev/loop* (whichever number is free) ewf1
root@Linux:/mnt/ewfmount# losetup -r -o 526417920 /dev/loop26 ewf1
This shows successful
/dev/loop26: [0053]:2 (/mnt/ewfmount/ewf1), offset 526417920
mkdir /mnt/rawmount
Final stage normally would be the following:
root@Linux:/mnt/ewfmount# mount -o noexec,nodev,ro /dev/loop26 /mnt/rawmount
At this point the file system of the mounted E01 should now be available to browse as a flat file system in Ubuntu…
However, I'm presented with the error:
unknown filesystem type 'linux_raid_member'.
At this point I've done some quick research and found some comments regarding rebuilding the RAID config in the Linux environment (not something I've done before).
However, the research indicates that I need to have ‘mdadm’ installed.
sudo apt-get install mdadm – install completed.
root@Linux:/mnt/ewfmount# mdadm --assemble --run /dev/loop26
mdadm: device /dev/loop26 exists but is not an md array.
root@Linux:/mnt/ewfmount# mdadm --examine /dev/loop26
/dev/loop26:
Magic : a92b4efc
Version : 1.2
Feature Map : 0x0
Array UUID : bd8b065d:de4c3d0e:de8fdf3d:edb52ad9
Name : nsa310:0
Creation Time : Thu Dec 31 23:59:14 2009
Raid Level : linear
Raid Devices : 1
Avail Dev Size : 3905993857 (1862.52 GiB 1999.87 GB)
Used Dev Size : 0
Data Offset : 2048 sectors
Super Offset : 8 sectors
Unused Space : before=1968 sectors, after=5103 sectors
State : clean
Device UUID : 1d633f6c:d6583d3f:517c120f:b8be4edb
Update Time : Thu Dec 31 23:59:14 2009
Checksum : a43d43b2 - correct
Events : 0
Rounding : 0K
Device Role : Active device 0
Array State : A ('A' == active, '.' == missing, 'R' == replacing)
root@Linux:/mnt/ewfmount# mount -o noexec,nodev,ro /dev/loop26 /mnt/rawmount/
mount: /mnt/rawmount: unknown filesystem type 'linux_raid_member'.
I've sort of hit a wall at this point, as my Linux skills and research have taken me to a dead end.
If anyone can be arsed to read the above, does anyone have any suggestions of where I am going wrong? Should I convert the E01 to raw DD image instead?
raid nas
asked Nov 22 at 13:53
Terry D
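The offset arithmetic from the question, extended with the "Data Offset" field that `mdadm --examine` reports, as an added example that is not part of the original post. With version 1.x md metadata the member's data area begins Data Offset sectors after the start of the member device, so for the single-member linear array shown above the array contents start at (partition start + data offset) x sector size. The function names are hypothetical, the sample text is copied from the output in the question, and 512-byte sectors are assumed as in the question.

```shell
#!/usr/bin/env bash
# Added example: locate the data area of an md v1.x member inside a raw image
# from saved `sfdisk -l -uS` and `mdadm --examine` output (helper names are hypothetical).
set -eu

SECTOR_SIZE=512   # assumption: 512-byte sectors, as used in the question

# Output lines copied from the question above.
SFDISK_OUT='Device Boot Start End Sectors Size Id Type
ewf1p1 63 1028159 1028097 502M 8 AIX
ewf1p2 1028160 3907024064 3905995905 1.8T 9 AIX bootable'
MDADM_OUT='Version : 1.2
Raid Level : linear
Raid Devices : 1
Data Offset : 2048 sectors
Super Offset : 8 sectors'

# Start sector of a named partition; skips the "*" boot flag if one is present.
part_start_sectors() {   # $1 = sfdisk text, $2 = partition name
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == p { s = ($2 == "*") ? $3 : $2; print s; found = 1 }
    END { if (!found) exit 1 }'
}

# "Data Offset" in sectors, measured from the start of the member device.
md_data_offset_sectors() {   # $1 = mdadm --examine text
  printf '%s\n' "$1" | awk -F: '
    /^[ \t]*Data Offset/ { split($2, f, " "); print f[1]; found = 1 }
    END { if (!found) exit 1 }'
}

# Byte offset of the array data inside the raw image (runs in a subshell).
fs_byte_offset() (   # $1 = sfdisk text, $2 = partition, $3 = mdadm text
  start=$(part_start_sectors "$1" "$2") || exit 1
  data=$(md_data_offset_sectors "$3") || exit 1
  echo $(( (start + data) * SECTOR_SIZE ))
)

offset=$(fs_byte_offset "$SFDISK_OUT" ewf1p2 "$MDADM_OUT")
echo "array data starts at byte $offset of the raw image"
# Read-only loop device at that offset; nothing is written to the evidence file.
echo "losetup -r -f --show -o $offset ewf1"
```

The script only prints the `losetup` command; whether the data at that offset is XFS or EXT4 still has to be checked on the resulting loop device before mounting it read-only.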