I'm struggling to get an EWF Linux RAID image working.
Mount fails with:
mount: wrong fs type, bad option, bad superblock on /dev/md0,
Here are the steps followed:
1) Used 'xmount' to disk image as a file
xmount --in ewf --cache ./acquired_disk.cache 1.1.e01 /mnt/raid
2) Used 'losetup' to expose the disk image files as block devices.
losetup 1.1.dd /dev/loop0
3) Used 'mdadm' to reconfigure the block devices as the requisite RAID device
mdadm --assemble --scan
mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0 --force
4) Try to mount Raid disk
root@kali:/mnt/raid# mount /dev/md0 /mnt/
mount: wrong fs type, bad option, bad superblock on /dev/md0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so.
MDADM
root@kali:/mnt/raid# mdadm --misc --examine /dev/loop0
/dev/loop0
MBR Magic aa55
Partition[0] 33554433 sectors at 2048 (type fd)
Partition[1] 1048577 sectors at 33558528 (type fd)
Partition[2] 419430401 sectors at 34609152 (type fd)
Partition[3] 3452987568 sectors at 454041600 (type 0f)
FDISK
fdisk -l
Failed to read extended partition table (offset=454041600) Input/output error
Disk /dev/loop0 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units sectors of 1 * 512 = 512 bytes
Sector size (logical/physical) 512 bytes / 512 bytes
I/O size (minimum/optimal) 512 bytes / 512 bytes
Disklabel type dos
Disk identifier 0x0001c486
Device Boot Start End Sectors Size Id Type
/dev/loop0p1 2048 33556480 33554433 16G fd Linux raid autodetect
/dev/loop0p2 33558528 34607104 1048577 512M fd Linux raid autodetect
/dev/loop0p3 34609152 454039552 419430401 200G fd Linux raid autodetect
/dev/loop0p4 454041600 3907029167 3452987568 1.6T f W95 Ext'd (LBA)
Also tried RAID Reconstructor, OSForensics, DMDE, EnCase, etc.
I'm able to run strings, photorec, foremost, etc. and get some data, but I need some specific MySQL databases that are on there.
Any pointers would be greatly appreciated.
Are you trying to reconstruct a linear array from a single drive?
Should read Raid1, sorry about that.
I *assume* that is the RAID-level.
mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0 --force
You didn't specify a partition here, you are using an image of a whole drive instead.
Yes I believe it's just a single disk of RAID1 array.
When I try to mount the partitions or create the array I get the following errors:
root@kali:/mnt/raid# mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0p2 --force
mdadm: cannot open /dev/loop0p2: Device or resource busy
root@kali:/mnt/raid# mount /dev/loop0p2 /mnt/raid2
mount: unknown filesystem type 'linux_raid_member'
losetup -r -o $((2048*512)) /dev/loop0 1.1.dd
losetup -r -o $((33558528*512)) /dev/loop1 1.1.dd
losetup -r -o $((34609152*512)) /dev/loop2 1.1.dd
losetup -r -o $((454041600*512)) /dev/loop3 1.1.dd
Then quote the output of the following commands
mdadm --examine /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
file -s /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
/dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
/dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
/dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
/dev/loop3 ERROR cannot read `/dev/loop3' (Input/output error)
MDADM hangs, might have to do with the fact that I tried mounting with write cache in xmount. Let me retry that.
*Update, seems to be because of last partition
mdadm: No md superblock detected on /dev/loop0.
mdadm: No md superblock detected on /dev/loop1.
mdadm: No md superblock detected on /dev/loop2.
Don't use xmount. Use the commands I provided on a raw image.
—
Well, the output "No md superblock detected on" means you are doing something wrong. Because you got valid superblocks previously.
Thanks so far, I only have an E01.
I will export as RAW but it's gonna take a while
You can use ewfmount to mount an E01 image and get a raw image in the mountpoint.
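
As an added example (not from any poster in this thread): the two results reported above, `file -s` identifying version 1.2 RAID members and `mdadm --examine` finding no superblock, can be cross-checked by reading the raw image directly, with no loop devices and no write access. The sketch below reads the md version 1.x superblock 4 KiB into each partition; the field offsets follow the Linux kernel's `mdp_superblock_1` layout, and the sample image, UUID and array name are constructed for illustration.

```python
import io
import struct
import uuid

SECTOR = 512
SB_OFFSET = 4096        # a version 1.2 superblock sits 4 KiB into the member
MD_MAGIC = 0xA92B4EFC   # MD_SB_MAGIC, stored little-endian

def read_md_superblock(image, part_start_sector):
    """Return key fields of one partition's md v1.2 superblock, or None."""
    image.seek(part_start_sector * SECTOR + SB_OFFSET)
    raw = image.read(256)
    if len(raw) < 152:
        return None                      # short read: offset is past the image
    magic, major = struct.unpack_from("<II", raw, 0)
    if magic != MD_MAGIC or major != 1:
        return None                      # no valid v1 superblock at this offset
    level, _layout, _size, _chunk, raid_disks = struct.unpack_from("<iIQII", raw, 72)
    data_offset, _data_size, super_offset = struct.unpack_from("<QQQ", raw, 128)
    if super_offset * SECTOR != SB_OFFSET:
        return None                      # superblock is not in the 1.2 position
    return {
        "uuid": uuid.UUID(bytes=raw[16:32]).hex,
        "name": raw[32:64].split(b"\0", 1)[0].decode("ascii", "replace"),
        "level": level,
        "raid_disks": raid_disks,
        # Byte position in the whole-disk image where the array data begins
        "data_start_byte": (part_start_sector + data_offset) * SECTOR,
    }

def build_sample_image(part_start_sector=2048):
    """Constructed test data: a blank image holding one RAID1 member superblock."""
    sb = bytearray(256)
    struct.pack_into("<II", sb, 0, MD_MAGIC, 1)
    sb[16:32] = bytes(range(16))                        # constructed UUID
    sb[32:41] = b"example:0"                            # constructed array name
    struct.pack_into("<iIQII", sb, 72, 1, 0, 0, 0, 2)   # level=1, raid_disks=2
    struct.pack_into("<QQQ", sb, 128, 2048, 0, 8)       # data_offset, size, super_offset
    img = bytearray(part_start_sector * SECTOR + SB_OFFSET + len(sb))
    img[-len(sb):] = sb
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    image = build_sample_image()
    for start in (2048, 4096):           # the second start is deliberately wrong
        print(start, read_md_superblock(image, start))
```

Against a real raw image, open the file with `open(path, "rb")` and pass the partition start sectors from the partition table (here 2048, 33558528 and 34609152).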