
EWFmount Error

Open princedavinci opened this issue 2 years ago • 17 comments

Hi All,

I am struggling to mount E01 images on the sift workstation using ewfmount. I get the below error: [screenshot: Capture] I am so confused and not sure what's causing this issue. I am using vmware player to run the environment. Any assistance will be highly appreciated.

Thanks.

princedavinci avatar Jun 21 '23 19:06 princedavinci

Your command line looks correct. Try renaming your E01 to remove the space. Also, confirm that /mnt/ewf_mount exists. It should, but check it anyway.

You can also verify the E01 with ewfinfo and ewfverify.

ewfinfo filename.E01
ewfverify filename.E01

mark-hallman avatar Jun 21 '23 19:06 mark-hallman

I have tried with other E01s that don't have spaces and get the same error. I will perform the top two instructions and show output. Thanks for the speedy response.

princedavinci avatar Jun 21 '23 19:06 princedavinci

Hi @mark-hallman please see screenshot below: [screenshot: Capture2]

The said images mount perfectly on my WSL2 environment. Thanks

princedavinci avatar Jun 21 '23 19:06 princedavinci

@princedavinci When running the ewf commands in WSL and in the VM, are you using the same image (E01) to test both environments? If so, can you try the following on the image from within the SIFT Workstation:

xxd 002-MEM-DTP.E01 | head
mmls 002-MEM-DTP.E01
ls -lah 002-MEM-DTP.E01

One difference could be how you're accessing the E01 from within the SIFT Workstation. If you have a Shared Folder mapped into the VM, then permissions to access the file might not be propagating through the Shared Folder. The same could be said if the file is accessed through a network share.

You could also try checking the MD5 of the file (not the E01 content hash, but simply the file) from within the SIFT Workstation and within the WSL environment to see if you have the same hash with both, and if you're able to access the E01 properly through both environments. This will help narrow down whether this is an ewftools issue or not.

Cheers

digitalsleuth avatar Jun 21 '23 21:06 digitalsleuth
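
The checks suggested in the comment above (file access, header bytes, file-level MD5) combined into one script that can be run on the same E01 in both the SIFT VM and WSL. This is an added example, not code from the thread or from the SIFT project; the function names are hypothetical, and the script assumes `md5sum`, `dd` and `od` are available.

```shell
#!/bin/sh
# Added example: pre-flight checks on an E01 segment file before suspecting ewfmount.
# EWF_MAGIC is the 8-byte signature at the start of an EWF-E01 segment file:
# "EVF" followed by 0x09 0x0d 0x0a 0xff 0x00.
EWF_MAGIC="455646090d0aff00"

# Print the first 8 bytes of a file as lowercase hex (what `xxd | head` would show).
first8_hex() {
    dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# check_e01 PATH
# Prints one status line and returns 0 only when the file is readable,
# non-empty and starts with the EWF signature.
check_e01() {
    f=$1
    [ -e "$f" ] || { echo "MISSING"; return 1; }
    # A shared folder or network share can expose the name but deny reads.
    [ -r "$f" ] || { echo "UNREADABLE"; return 1; }
    # A failed drag-and-drop copy can leave a zero-byte file behind.
    [ -s "$f" ] || { echo "EMPTY"; return 1; }
    magic=$(first8_hex "$f")
    [ "$magic" = "$EWF_MAGIC" ] || { echo "BAD_HEADER $magic"; return 1; }
    # File-level MD5 and size: compare these two values across environments.
    echo "OK $(md5sum "$f" | cut -d' ' -f1) $(wc -c < "$f" | tr -d ' ')"
}

# Stand-alone use: sh check_e01.sh 002-MEM-DTP.E01
if [ $# -gt 0 ]; then
    check_e01 "$1"
fi
```

If the `OK` line differs between the two environments, the copy inside the VM is not the same file, and the problem lies in how the image was transferred rather than in ewftools.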

@digitalsleuth You make a lot of sense, as I dragged files across onto the VM while on WSL I used the shared folder. Let me try the above and will revert back.

Thanks

princedavinci avatar Jun 22 '23 06:06 princedavinci

Hi @princedavinci, did you ever get this resolved?

digitalsleuth avatar Jul 28 '23 18:07 digitalsleuth

Hi, I eventually left it after realising the environment I was working on had too many security issues which in turn affected my access to the E01 files.

princedavinci avatar Jul 28 '23 19:07 princedavinci

Try using a more recent version of ewfmount

joachimmetz avatar Feb 10 '24 09:02 joachimmetz

Hi Joachim

will boot up the machine and try updating.

Thanks.

On Sat, Feb 10, 2024 at 11:52 AM Joachim Metz @.***> wrote:

> Try using a more recent version of ewfmount

princedavinci avatar Feb 12 '24 04:02 princedavinci

> will boot up the machine and try updating.

Does SIFT provide a more recent version?

joachimmetz avatar Feb 12 '24 04:02 joachimmetz

I'll be looking into this tomorrow to see where we source and what's available.

ekristen avatar Feb 12 '24 04:02 ekristen

Sounds good, thanks!

On Mon, Feb 12, 2024 at 6:44 AM Erik Kristensen @.***> wrote:

> I'll be looking into this tomorrow to see where we source and what's available.

princedavinci avatar Feb 12 '24 05:02 princedavinci

ewfmount comes from the GIFT.

22.04 - ewfmount 20140816 which is the latest from the PPA repository
20.04 - ewfmount 20140812 which is the latest from the PPA repository

ekristen avatar Feb 12 '24 15:02 ekristen

as you can see in the screenshot the reporter runs 20140807

joachimmetz avatar Feb 12 '24 16:02 joachimmetz

> 20.04 - ewfmount 20140812 which is the latest from the PPA repository

we don't support 20.04 any more, please upgrade to 22.04 and expect us to upgrade to 24.04 once available relatively quickly

joachimmetz avatar Feb 12 '24 16:02 joachimmetz

@joachimmetz understood you don't, but the packages are still available (please do not remove them, if you are I need a heads up so I can clone them)

22.04 is the new base image and we'll support 24.04 as soon as we can but you are 1 of hundreds we have to have support for to effectively make a new base image. Plus it takes time to swap out the major OS in classes.

@princedavinci you should be able to run apt-get upgrade or apt-get update && apt-get install libewf-tools to get the latest available ewfmount version.

ekristen avatar Feb 12 '24 17:02 ekristen

> 22.04 is the new base image and we'll support 24.04 as soon as we can but you are 1 of hundreds we have to have support for to effectively make a new base image.

Unclear what you mean with "supporting" me in this context? I don't need SIFT to support me, nor have I ever received support from SIFT or SANS for that matter.

This is why for Plaso we strongly recommend using Docker

joachimmetz avatar Feb 12 '24 17:02 joachimmetz