Hi all,
I have a disk image of an Ubuntu box in spanned EWF format that I need to mount for analysis and I'm trying to do it without having to DD out the entire LVM volume as a single raw image (it's 480GB in size) or write it out to a hard disk.
I've used ewfmount to present the spanned EWF volume as a single RAW disk image.
After running mmls, I've found the LVM offset and used losetup to make the LVM partition /dev/loop0.
Now when I run pvscan it sees the volume group and shows me the details.
I then ran "vgchange -ay" which tells me there are 2 LVM volumes in the volume group that are active.
When I check /dev/mapper it contains /dev/mapper/volumegroup-root and /dev/mapper/volumegroup-swap_1
Now, when I try and mount /dev/mapper/volumegroup-root it says "wrong fs type".
I know it's ext4 as I can see the folders in FTK Imager.
If I had the lvm offsets wrong then pvscan/vgchange etc would not have worked.
Looking at dmesg it says "LBD recovery failed", "EXT4-fs error loading journal" and a bunch of "lost page write due to I/O error" entries.
Is the problem here the fact it's originally mounted from a read-only EWF volume using ewfmount? It's the only thing I can think of.
If anyone has done this or has any ideas, that would be great.
Google hasn't helped much as there's no example of someone doing it from an EWF spanned image. That's why I'm assuming that's the problem.
Adam
I got around this by another means.
Still interested to know if it's possible from an EWF though.
looking once on this page ….
With this tutorial I mounted a hard disk from a NAS with ext4 and dynamic disk. I use grml-forensic.
K.W.
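Added example, not part of the thread: the steps from the first post as a shell script, with the loop device attached read-only and the ext4 volume mounted with `ro,noload` so the kernel does not attempt journal recovery against the read-only file that ewfmount exposes. The function names, the sample mmls output and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed mmls output for an MBR disk
# whose LVM physical volume sits in a logical partition of type 0x8e.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000499711   0000497664   Linux (0x83)
003:  Meta      0000501758   0937701375   0937199618   DOS Extended (0x05)
004:  001:000   0000501760   0937701375   0937199616   Linux Logical Volume Manager (0x8e)
EOF
}

# Read mmls output on stdin, print the byte offset of the first 0x8e partition.
# Fails (exit 1) if no LVM partition is listed.
lvm_offset_bytes() {
    awk 'BEGIN { ss = 512 }
         /^Units are in/ { split($4, u, "-"); ss = u[1] + 0 }
         index($0, "(0x8e)") { printf "%.0f\n", $3 * ss; found = 1; exit }
         END { if (!found) exit 1 }'
}

# $1 = raw image exposed by ewfmount (the ewf1 file under its mount point),
# $2 = logical volume device, $3 = existing mount point. Needs root.
mount_lvm_ro() {
    off=$(mmls "$1" | lvm_offset_bytes) || return 1
    # --read-only keeps the loop device from ever writing to the evidence.
    loopdev=$(losetup --find --show --read-only --offset "$off" "$1") || return 1
    vgchange -ay || return 1
    # noload skips ext4 journal replay, which cannot succeed on read-only media.
    mount -o ro,noload "$2" "$3" && echo "$loopdev"
}

# Runs only when called with three arguments, e.g. (hypothetical paths):
#   sh mount_ewf_lvm.sh /mnt/ewf/ewf1 /dev/mapper/volumegroup-root /mnt/root
if [ "$#" -eq 3 ]; then mount_lvm_ro "$@"; fi
```

With `noload`, transactions still sitting in the journal are not applied, so the mounted view can lag slightly behind what a journal-aware tool would show.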