I got a Mac image in the form of E01 files, which I fail to mount in Linux. I currently use the SIFT 3 distribution, but I use Kali also.
The image is from an SSD with an HFS+ file system.
I have tried using tools such as ewfmount, mount_ewf.py and xmount, which generate a single file that I should be able to mount with 'mount', and yet I am getting an error that says the partition table is not valid.
While running on the E01 file itself - mmls -i ewf -t mac <myimage> - it outputs:
Invalid magic value (Mac partition table entry (Sector 1) ffff)
While running 'file' on the image file, it outputs:
"Macintosh HFS Extended version 4 data (mounted) last mounted by 'HFSJ', created Mon Jun 17 093315 2148, last modified Tue Nov 19 023243 2148, block size 4096, number of blocks 121839616, free blocks 53334222"
Let's take for example the ewfmount tool. My syntax is as follows:
ewfmount /media/myfirste01file.e01 /media/singleFileDir -> gets me a single file named "ewf1"
I then use 'mount' as follows: mount /media/singleFileDir/ewf1 /media/MountFolderOfFile/
That's the error I get:
"wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so"
After all of the above, I did manage to produce (in Windows) a full log file with log2timeline.py from that image.
FTK Imager (in Windows) managed to mount the image and show me the folder tree and files, but because it is Windows I can't export the files or read them.
I've tried the FTK Imager command line for Linux, but it is not helpful since it doesn't have the option of mounting an image like its counterpart in Windows.
My ultimate goal is to run the image in VMware, but the bad partition table keeps me from doing that.
How can I find what's wrong in the partition table, and can I fix it without harming the image?
And how is FTK Imager able to mount it?
What is the partition layout you see when checking the E01 image?
Does your image contain a disk image or a partition image only?
It's a full disk image, with one partition (as it seems through FTK Imager; other tools do not show the partition table).
It is probably using Apple Core Storage, and may even be encrypted. A lot of software, even data recovery software, doesn't support Core Storage volumes yet. Did you actually look at the RAW data to see if it's encrypted?
You may have to connect the image to an actual Mac and see if it prompts you to input a password when mounted.
I have looked at the raw data and it doesn't seem encrypted to me (maybe it is, I am not sure).
Is there a way I can check if the image is encrypted besides mounting it on a Mac?
And if it is encrypted, how is it that I managed to extract logs with log2timeline?
Do we know specifics on the original hard drive? Model? Capacity? SSD or hybrid SSHD? Specific model and year of the Mac?
APPLE SSD SMO512F, 500GB capacity, no info beyond that.
I've managed to run Mac OS on a VM and mount the drive; while I ran a scan it couldn't scan a lot of files (around 50K files). Is that an AV problem, or could it be that the files are corrupted or encrypted?
Either way, I'm still trying to figure out why the image mounting in Linux doesn't work.
I think there might be an issue with the syntax you are using for the mount. Maybe try something like this? ewfmount -o loop -t hfsplus e01_location mountpoint
I believe GNU/Linux requires certain additional drivers to read the Mac OS file systems, similar to ntfs-3g for NT file systems. In this instance, the hfsprogs package can be installed on Debian/Ubuntu-based distributions using aptitude or apt-get, to allow the mount command to use the hfsplus fs type in its syntax.
However, I don't know for certain whether SIFT has included this driver in its releases.
Maybe something worth trying?
Hope it helps :)
First of all, thanks for the help guys.
Even though it didn't help my situation, I learned some new things from your comments.
It failed to mount again; I ran 'dmesg | tail' and got:
hfsplus invalid secondary volume header
hfsplus unable to find HFS+ superblock
Somehow FTK Imager on Windows manages to get past this.
I resorted to mounting the image on a Mac OS I created in VMware, so I will give it up for now.
Thanks again for all of the help.
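The 'unable to find HFS+ superblock' message means the kernel looked for the volume header at byte 1024 of the loop device and did not find it; when the ewfmount output is a whole-disk image, the HFS+ volume starts at the partition's offset, not at byte 0, and `mount -t hfsplus -o ro,loop,offset=<bytes>` is what the mount needs. The scanner below locates sector-aligned HFS+/HFSX volume headers and decodes the same fields `file` printed above (signature, version, last-mounted 'HFSJ', block size, block counts). This is an added example, not code from any poster in the thread; the header layout follows Apple TN1150, the sample disk is constructed inline, and the volume sitting at LBA 40 is an assumption used only for the sample.

```python
import struct
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ dates count seconds from 1904-01-01 UTC
SECTOR = 512
VH_OFFSET = 1024  # the volume header sits 1024 bytes into the volume (TN1150)
VH_FMT = ">2sHI4sIIIIIIIIII"  # first 52 bytes of HFSPlusVolumeHeader, big-endian
VH_FIELDS = ("signature", "version", "attributes", "last_mounted", "journal_info_block",
             "create", "modify", "backup", "checked",
             "file_count", "folder_count", "block_size", "total_blocks", "free_blocks")

def hfs_date(secs):
    # Convert an HFS+ date field to an ISO 8601 UTC string
    return (HFS_EPOCH + timedelta(seconds=secs)).isoformat()

def parse_volume_header(image, vol_off):
    # Decode the volume header of the HFS+ volume that begins at byte vol_off of image
    vh = dict(zip(VH_FIELDS, struct.unpack_from(VH_FMT, image, vol_off + VH_OFFSET)))
    vh["signature"] = vh["signature"].decode("ascii")            # 'H+' (HFS Plus) or 'HX' (HFSX)
    vh["last_mounted"] = vh["last_mounted"].decode("ascii", "replace")  # e.g. 'HFSJ' = journaled macOS
    for k in ("create", "modify", "backup", "checked"):
        vh[k] = hfs_date(vh[k])
    attrs = vh["attributes"]
    vh["cleanly_unmounted"] = bool(attrs & (1 << 8))   # kHFSVolumeUnmountedBit; clear = file(1) says "(mounted)"
    vh["journaled"] = bool(attrs & (1 << 13))          # kHFSVolumeJournaledBit
    vh["size_bytes"] = vh["block_size"] * vh["total_blocks"]
    return vh

def find_hfsplus_volumes(image, sector=SECTOR):
    # Return the byte offset of every sector-aligned volume whose header carries a valid signature
    found = []
    for vol_off in range(0, len(image) - VH_OFFSET - 4, sector):
        sig, version = struct.unpack_from(">2sH", image, vol_off + VH_OFFSET)
        if sig in (b"H+", b"HX") and version in (4, 5):
            found.append(vol_off)  # use as: mount -t hfsplus -o ro,loop,offset=<vol_off> ewf1 /mnt/hfs
    return found

def build_sample_image():
    # Constructed 64 KiB "disk": zeroed partition area, one HFS+ volume at LBA 40 (assumption),
    # plus a decoy 'H+' that is not at a sector-aligned header position and must be ignored
    img = bytearray(64 * 1024)
    img[3000:3002] = b"H+"
    created = int((datetime(2019, 6, 17, 9, 33, 15, tzinfo=timezone.utc) - HFS_EPOCH).total_seconds())
    hdr = struct.pack(VH_FMT, b"H+", 4, 1 << 13, b"HFSJ", 0, created, created, 0, created,
                      1, 1, 4096, 121839616, 53334222)  # block values quoted from the file(1) output above
    start = 40 * SECTOR + VH_OFFSET
    img[start:start + len(hdr)] = hdr
    return bytes(img)
```

On a real ewfmount output, open the file and pass a `mmap` of it (or read it in chunks) instead of the constructed bytes; a result of 0 means the file is already a bare volume, anything else is the `offset=` value for the mount.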