Linux Raid Reconstruction

(@om602)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

I'm struggling to get an EWF Linux RAID image working.
Mount fails with:
mount: wrong fs type, bad option, bad superblock on /dev/md0,

Here are the steps followed:

1) Used 'xmount' to mount the disk image as a file

xmount --in ewf --cache ./acquired_disk.cache 1.1.e01 /mnt/raid

2) Used 'losetup' to expose the disk image files as block devices.

losetup 1.1.dd /dev/loop0

3) Used 'mdadm' to reconfigure the block devices as the requisite RAID device

mdadm --assemble --scan

mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0 --force

4) Try to mount the RAID disk

root@kali:/mnt/raid# mount /dev/md0 /mnt/
mount: wrong fs type, bad option, bad superblock on /dev/md0,
missing codepage or helper program, or other error

In some cases useful info is found in syslog - try
dmesg | tail or so.

MDADM
root@kali:/mnt/raid# mdadm --misc --examine /dev/loop0
/dev/loop0:
MBR Magic : aa55
Partition[0] : 33554433 sectors at 2048 (type fd)
Partition[1] : 1048577 sectors at 33558528 (type fd)
Partition[2] : 419430401 sectors at 34609152 (type fd)
Partition[3] : 3452987568 sectors at 454041600 (type 0f)

FDISK

fdisk -l
Failed to read extended partition table (offset=454041600): Input/output error
Disk /dev/loop0: 1.8 TiB, 2000398934016 bytes, 3907029168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0001c486

Device       Boot     Start        End    Sectors  Size Id Type
/dev/loop0p1           2048   33556480   33554433   16G fd Linux raid autodetect
/dev/loop0p2       33558528   34607104    1048577  512M fd Linux raid autodetect
/dev/loop0p3       34609152  454039552  419430401  200G fd Linux raid autodetect
/dev/loop0p4      454041600 3907029167 3452987568  1.6T  f W95 Ext'd (LBA)

Also tried RAID Reconstructor, OSForensics, DMDE, EnCase etc.
I'm able to run strings, photorec, foremost etc. and get some data, but I need some specific MySQL databases that are on there.

Any pointers would be greatly appreciated.


   
(@thefuf)
Reputable Member
Joined: 16 years ago
Posts: 262
 

Are you trying to reconstruct a linear array from a single drive?


   
(@om602)

Should read Raid1, sorry about that.
I *assume* that is the RAID-level.


   
(@thefuf)
 

> mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0 --force

You didn't specify a partition here, you are using an image of a whole drive instead.


   
(@om602)

Yes, I believe it's just a single disk of a RAID1 array.
When I try to mount the partitions or create the array I get the following errors:

root@kali:/mnt/raid# mdadm --create /dev/md0 --level=raid1 --raid-devices=1 /dev/loop0p2 --force
mdadm: cannot open /dev/loop0p2: Device or resource busy
root@kali:/mnt/raid# mount /dev/loop0p2 /mnt/raid2
mount: unknown filesystem type 'linux_raid_member'


   
(@thefuf)
 


losetup -r -o $((2048*512)) /dev/loop0 1.1.dd
losetup -r -o $((33558528*512)) /dev/loop1 1.1.dd
losetup -r -o $((34609152*512)) /dev/loop2 1.1.dd
losetup -r -o $((454041600*512)) /dev/loop3 1.1.dd

Then quote the output of the following commands

mdadm --examine /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
file -s /dev/loop0 /dev/loop1 /dev/loop2 /dev/loop3
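
The offset arithmetic behind the losetup commands above, as an added example that is not part of the original thread: it reads the MBR of a raw image, finds the type fd partitions, and looks for a version 1.2 md superblock 4 KiB into each one. It goes slightly beyond the thread by also reporting where a RAID1 member's data begins; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512
MD_MAGIC = 0xA92B4EFC   # md superblock magic (stored little-endian)
SB_V12 = 4096           # metadata 1.2 sits 4 KiB into the member partition

def raid_partitions(img):
    """Yield (number, start_sector) for MBR primary partitions of type 0xfd."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    for i in range(4):
        ptype = mbr[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if ptype == 0xFD and count:
            yield i + 1, start

def md_superblock(img, start):
    """Parse the v1.2 md superblock of the member beginning at sector `start`."""
    img.seek(start * SECTOR + SB_V12)
    sb = img.read(256)
    if len(sb) < 256 or struct.unpack_from("<II", sb) != (MD_MAGIC, 1):
        return None   # no v1.x superblock where metadata 1.2 would be
    level, _layout, _size, _chunk, disks = struct.unpack_from("<iIQII", sb, 72)
    data_off, = struct.unpack_from("<Q", sb, 128)   # sectors from member start
    return {"uuid": sb[16:32].hex(), "level": level, "disks": disks, "data_offset": data_off}

def survey(img):
    """Yield one record per RAID partition; member_offset is the value for losetup -o."""
    for num, start in raid_partitions(img):
        sb = md_superblock(img, start)
        rec = {"partition": num, "member_offset": start * SECTOR, "md": sb}
        if sb and sb["level"] == 1:   # a RAID1 member is a plain copy after data_offset
            rec["data_offset_bytes"] = (start + sb["data_offset"]) * SECTOR
        yield rec

def constructed_image():
    """Constructed sample: type-fd partition at sector 2048 holding a RAID1 superblock."""
    buf = bytearray(2048 * SECTOR + SB_V12 + 256)
    struct.pack_into("<B3xII", buf, 446 + 4, 0xFD, 2048, 33554433)
    buf[510:512] = b"\x55\xaa"
    sb = 2048 * SECTOR + SB_V12
    struct.pack_into("<II", buf, sb, MD_MAGIC, 1)
    struct.pack_into("<iIQII", buf, sb + 72, 1, 0, 0, 0, 2)   # level 1, two disks
    struct.pack_into("<Q", buf, sb + 128, 2048)               # data_offset in sectors
    return io.BytesIO(bytes(buf))

print(list(survey(constructed_image())))
```

On a raw image opened with open(path, "rb"), member_offset is the byte value to pass to losetup -r -o for that partition.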


   
(@om602)

/dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
/dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
/dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
/dev/loop3 ERROR cannot read `/dev/loop3' (Input/output error)

MDADM hangs, might have to do with the fact that I tried mounting with write cache in xmount. Let me retry that.

*Update, seems to be because of last partition
mdadm: No md superblock detected on /dev/loop0.
mdadm: No md superblock detected on /dev/loop1.
mdadm: No md superblock detected on /dev/loop2.


   
(@thefuf)

> /dev/loop0 Linux Software RAID version 1.2 (1) UUID=b38bc47dc9973cb92076d40ea8e346c1 name=rescue0 level=1 disks=2
> /dev/loop1 Linux Software RAID version 1.2 (1) UUID=38399a30ee8a673ffd1ab5ffe8e71f59 name=rescue1 level=1 disks=2
> /dev/loop2 Linux Software RAID version 1.2 (1) UUID=e12051e1 8fcd7a4932e64ba9c6e0494 name=rescue2 level=1 disks=2
> /dev/loop3 ERROR cannot read `/dev/loop3' (Input/output error)
>
> MDADM hangs, might have to do with the fact that I tried mounting with write cache in xmount. Let me retry that.
>
> *Update, seems to be because of last partition
> mdadm: No md superblock detected on /dev/loop0.
> mdadm: No md superblock detected on /dev/loop1.
> mdadm: No md superblock detected on /dev/loop2.

Don't use xmount. Use the commands I provided on a raw image.

Well, the output "No md superblock detected on" means you are doing something wrong, because you got valid superblocks previously.


   
(@om602)

Thanks so far, I only have an E01.
I will export as RAW but it's gonna take a while


   
(@thefuf)

> Thanks so far, I only have an E01.
> I will export as RAW but it's gonna take a while

You can use ewfmount to mount an E01 image and get a raw image in the mountpoint.


   