Well, it's been a while since I've posted, and I apologize for that. I do have some ideas for posts "in the hopper," but I haven't had a chance to sit down and really work on them. I'm hoping that with some "life changes" coming up this year I'll have the opportunity to write more. But we'll see.

Anyway, I was looking for an easy way to mount VMDK files on my Linux box so I could do forensic analysis on the images, similar to how I've done things in the past with E01 files. I didn't really want to image the VM and then analyze it, since most of the time I'm using VMs for testing.

So this will be short and sweet, but first a couple of caveats:

1) I have not tested this against split VMDK files yet, but I'm thinking it should work.
2) I haven't even considered testing this against VM snapshot images, but I'm guessing that will not work.
3) You need to have AFFLIB installed and working.

That being said, this post was inspired by Sketchymoose's post... She talks about downloading the Virtual Disk Development Kit, but one item in the post caught my eye:

"I first discovered I had to add the '-i aff' parameter to get mmls to determine the disk structure of the vmdk file."

Ex: mmls -t dos /mnt/aff/

mmls reports where the partition starts in sectors; mount wants that position in bytes, so the offset is the start sector multiplied by the sector size (1048576 below is sector 2048 times 512 bytes).

mount -o ro,loop,show_sys_files,streams_interface=windows,offset= /.raw /mount/point

Ex: mount -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/aff/ /mnt/windows

And voila! /mnt/windows now contains the file structure of the VMDK image!

I'm sure someone else figured this out, but a Google search didn't come up with anything when I added AFF to the search query (for me at least). So I thought I would share...

Also, keep in mind you can still point the TSK tools at a VMDK directly with -i aff if you don't need to mount it...

Comments

Basically same error.

I think the key is that in the command I am running it's trying to mount it as NTFS, but the partition is not NTFS, it's LVM (logical volume). To me that means a spanned volume across multiple partitions, meaning we have to first combine them and then mount them as NTFS.

– Here is the output of that mount:

mount -t ntfs -o ro,loop,show_sys_files,streams_interface=windows,offset=1048576 /mnt/sql1/ /mnt/decy-vsrv-sql/
Failed to read last sector (125825023): Invalid argument
HINTS: Either the volume is a RAID/LDM but it wasn't setup yet,
   Or a wrong device is tried to be mounted,
   Or the partition table is corrupt (partition is smaller than NTFS),
   Or the NTFS boot sector is corrupt (NTFS size is not valid).
Failed to mount '/dev/loop0': Invalid argument
The device '/dev/loop0' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

– Here is the contents of the VM: ls -la /mnt/temp/DECY01-VSRV-SQL1/
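The affuse / mmls / mount procedure from the post, as an added example that is not code from the original post or from its commenter: a POSIX shell script that turns mmls output into the byte offset mount needs, and checks that the NTFS partition actually lies inside the raw image before mounting, which is the condition behind the "Failed to read last sector" and "partition is smaller than NTFS" hints ntfs-3g printed in the comment above. The affuse invocation, the image paths and the mmls listing embedded in the script are assumptions and constructed sample data, not output from a real disk.

```sh
#!/bin/sh
# Added example, not from the original post: turn mmls output into the byte
# offset that "mount -o offset=" needs, and check that the NTFS partition lies
# inside the raw image before trying to mount it.
# Assumes AFFLIB's affuse and TSK's mmls are installed; every path below is an
# assumption, and SAMPLE_MMLS is constructed, not captured from a real disk.

# Print "<offset_bytes> <length_bytes>" for the first NTFS partition listed by
# mmls (read from stdin). mmls gives sector numbers and states the sector size
# in its header line "Units are in N-byte sectors"; 512 is assumed if that line
# is missing. %.0f is used instead of %d so large byte counts survive in any awk.
ntfs_extent_from_mmls() {
    awk '
        BEGIN { ss = 512 }
        /Units are in [0-9]+-byte sectors/ { sub(/-byte.*/, "", $4); ss = $4 }
        /NTFS/ && !found { found = 1; printf "%.0f %.0f\n", $3 * ss, $5 * ss }
        END { if (!found) exit 1 }
    '
}

# Just the offset, ready for mount -o offset=...
ntfs_offset_from_mmls() {
    ntfs_extent_from_mmls | cut -d' ' -f1
}

# Succeed only if the partition ends at or before the end of an image of $1
# bytes. When it does not, ntfs-3g fails with "Failed to read last sector" and
# the "partition is smaller than NTFS" hint, because the loop device is shorter
# than the filesystem says it is.
ntfs_partition_fits() {
    image_size=$1
    extent=$(ntfs_extent_from_mmls) || return 2
    set -- $extent
    [ $(( $1 + $2 )) -le "$image_size" ]
}

# Constructed sample: what "mmls -t dos" prints for a 60 GiB disk with one NTFS
# partition starting at sector 2048 (the layout behind offset=1048576 in the post).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000125829119   0000125827072   NTFS (0x07)'

# Demo against the constructed sample: prints 1048576, then "fits".
printf '%s\n' "$SAMPLE_MMLS" | ntfs_offset_from_mmls
printf '%s\n' "$SAMPLE_MMLS" | ntfs_partition_fits 64424509440 && echo fits

# Against a real VMDK (run as root; the paths are assumptions):
#   mkdir -p /mnt/aff /mnt/windows
#   affuse /images/win.vmdk /mnt/aff            # exposes /mnt/aff/win.vmdk.raw
#   mmls -t dos /mnt/aff/win.vmdk.raw > /tmp/mmls.txt
#   ntfs_partition_fits "$(stat -c %s /mnt/aff/win.vmdk.raw)" < /tmp/mmls.txt \
#       || echo "partition runs past the end of the raw image; do not expect the mount to work"
#   mount -o ro,loop,show_sys_files,streams_interface=windows,offset=$(ntfs_offset_from_mmls < /tmp/mmls.txt) \
#       /mnt/aff/win.vmdk.raw /mnt/windows
```

The fit check is the piece worth running before every mount: if the partition's start plus length exceeds the size of the .raw file that affuse exposes, the offset is not the problem and no mount option will fix it, so look at the image itself (the post's caveats about split and snapshot VMDKs are the first things to rule out).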