CAINE 6.0 To browse directories of an image mounted with FMount

[ordipb]

Hello,

In CAINE 6.0, the utility FMount is perfect to mount a raw image (dd image) of a disk.
The partitions of the disk are automatically mounted under /media/name_of_the_image (and, under this, there are the partitions in name_of_the_image_vol1, etc).
And more, the partitions are put as folder icons on the desk.

But, it's impossible to develop the contain of a partition, to see its directories and files inside.
Even with a terminal ; the ls on the partitions mounted report nothing.

How to view the contain of a partition of the mounted image ?

Thank you in advance for your help.

[nannib]

uh? You launche caja and browse files and directories...you can also "open terminal here" ...maybe I did not understand you.

[ordipb]

Yes, Nannib, with caja we can browse the directories and files of a file system, but not the directories and files of the partitions of an image mounted by FMount.
That's the problem.
Good night for you.

[nannib]

Hi,
I just mounted a raw (dd) image file named PenLab.dd and this is the result (see the attachment)


I used fmount then I open the mounted partition, then I browsed the directories and I opened the terminal.
bye

[ordipb]

Hi again, Nannib.
I did exactly that you did (Fmount), and that you obtain is that I would have. But I have not : the partitions of the image are mounted, but the containt of these partitions is not prompted.
It's very strange.

But, is there perhaps a reason :
The image was created with FTK Imager (under Windows). But stange, because it is a RAW image, not Smart or EO1.
With FTK Imager, I browse the containt of the partitions.

Il shall test creating an image with Guymager. But not today (I am too busy).

Thank you again.

[nannib]

uhmm I think it can be an issue of fmount in live distro, if you try to install caine, from installed version it works.
let me know
bye

[ordipb]

Yesn Nannib, I shall test.
But not quickly (too busy).
I shall do another image, all with CAINE Live CD.
Have a good day.

[ordipb]

Hello Nannib.

I tested the Fmount with the Live CD of CAINE 5.0. In this version, all is OK.

The image is mounted (in /media/name_of_the_ image), and we can browse all directories and files of the image. It's perfect.

So, there is a bug in the 6.0 version of Live CD.

Thank you for your help.

[slo.sleuth]

But, it's impossible to develop the contain of a partition, to see its directories and files inside.
Even with a terminal ; the ls on the partitions mounted report nothing.

How to view the contain of a partition of the mounted image ?

I'm having trouble understanding the question.  Are you saying that you can mount a raw disk image, meaning a disk with a Master Boot Record, Partition Table, and partitions, but you cannot mount just a partition image (no MBR or partition table) with fmount?

[ordipb]

Hello Slo.Sleuth.

It was the image of a disk, with master boot record, partition table and all the partitions. and not an image of only a partition.
But, with the image of an USB Key, the problem was the same.

And this problem does not exists in CAINE 5.0 Live CD.

Have a good evening.

[slo.sleuth]

OK, I think I understand. I'm checking the Live disk to see if I can determine the problem.

[slo.sleuth]

From Caine 6.0 Live boot disk:

Create test image:

Code:

$ dd if=/dev/zero of=test.dd bs=1024 count=10000
10000+0 records in
10000+0 records out
10240000 bytes (10 MB) copied, 0,0107229 s, 955 MB/s
$ $ fdisk test.dd
GNU Fdisk 1.2.5
Using /home/caine/test.dd
Command (m for help): n
Partition type                                                            
   e   extended
   p   primary partition (1-4)
p
First cylinder  (default 0cyl):                                          
Last cylinder or +size or +sizeMB or +sizeKB  (default 14cyl):            
Command (m for help): w                                                  

Writing all changes to /home/caine/test.dd.
$ fdisk -lu test.dd
Disk /home/caine/test.dd: 0 MB, 983040 bytes
4 heads, 32 sectors/track, 15 cylinders, total 1920 sectors
Units = sectors of 1 * 512 = 512 bytes

              Device Boot      Start         End      Blocks   Id  System
/home/caine/test.dd1              32        1919         944   83  Linux
$ $ sudo kpartx -av test.dd
add map loop1p1 (252:0): 0 1888 linear /dev/loop1 32
$ sudo mkfs.ext2 /dev/mapper/loop1p1
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
120 inodes, 944 blocks
47 blocks (4.98%) reserved for the super user
First data block=1
Maximum filesystem blocks=1048576
1 block group
8192 blocks per group, 8192 fragments per group
120 inodes per group

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done
$ sudo mount /dev/mapper/loop1p1 /mnt
$ sudo cp -ar Desktop/ /mnt
$ ls -Ra /mnt
/mnt:
.  ..  Desktop

/mnt/Desktop:
.                   Caja (root).desktop  Keyboard Changer.desktop
..                  firefox.desktop      mozo-made.desktop
CAINE Info.desktop  Guymager.desktop     Systemback (installer).desktop
$ sudo umount /mnt
$ sudo kpartx -rv test.dd
loop1p1 : 0 1888 /dev/loop1 32


Now we have a test image, formated with an ext2 partition, that has a 'Desktop' directory with seven files. We can confirm with sleuthkit:

Code:


$ mmls test.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000031   0000000032   Unallocated
02:  00:00   0000000032   0000001919   0000001888   Linux (0x83)
03:  -----   0000001920   0000001999   0000000080   Unallocated
$ fls -o32 test.dd -r
d/d 11: Desktop
+ r/r 17: CAINE Info.desktop
+ r/r 25: Caja (root).desktop
+ r/r 31: Guymager.desktop
+ r/r 32: Keyboard Changer.desktop
+ r/r 33: Systemback (installer).desktop
+ r/r 34: firefox.desktop
+ r/r 35: mozo-made.desktop
d/d 121: $OrphanFiles
$


We can mount the image the with the mount command and see the file system:

Code:


$ sudo mount -o ro,loop,offset=$((32*512)) test.dd /mnt
$ mount | grep test.dd
/home/caine/test.dd on /mnt type ext2 (ro)
$ find /mnt
/mnt
/mnt/Desktop
/mnt/Desktop/Systemback (installer).desktop
/mnt/Desktop/mozo-made.desktop
/mnt/Desktop/Guymager.desktop
/mnt/Desktop/Keyboard Changer.desktop
/mnt/Desktop/CAINE Info.desktop
/mnt/Desktop/firefox.desktop
/mnt/Desktop/Caja (root).desktop
$ sudo umount /mnt
$


Fmount appears to mount successfully, but fails:

Code:


$ sudo fmount.sh test.dd
Linux file system detected in volume 2 at sector offset 32
 mounted at /media/test/test_vol2/ with "mount" command
$ mount | grep test.dd
/home/caine/test.dd on /media/test/test_vol2 type ext2 (ro)
$ find /media/test/test_vol2/
/media/test/test_vol2/
$


ordipd, is this the problem you are reporting?

[slo.sleuth]

I have found the problem.  It is not an issue with fmount.  The problem comes from a mount point in the /media folder more than two folders deep from the root.  If you mount to /media/test, you will succeed in mounting and be able to traverse the image.  If, however, you mount to /media/test/test, such as occurs with fmount, the mount operation appears to succeed, but in fact does not.  A loop device is created, as is a desktop shortcut, but there is no connection to the data.  You can see evidence of this from a 'umount' operation on the mount point: you will receive error "not mounted" and the loop device and desktop shortcut that were created during the mount operation cannot be destroyed.

I do not know at this point if the problem is unique to Caine 6.0 or is a flaw in Ubuntu 14.04 on which Caine is built.  I suspect it is Caine since Ubuntu now follows a /media/user/mountpoint schema (three directories deep from the root), but I do know know what Caine modification causes the issue.

As a temporary fix, you can change line 160 in /usr/local/bin/fmount.sh from:

Code:


MNTPNT="/media/$DIR_NAME/${DIR_NAME}_vol$VOLUME/"


to:

Code:


MNTPNT="/mnt/${DIR_NAME}_vol$VOLUME/"


After that modification, fmount works as expected:

Code:


$ sudo fmount.sh test.dd
Linux file system detected in volume 2 at sector offset 32
        mounted at /media/test_vol2/ with "mount" command
$ find /media/test_vol2
/media/test_vol2
/media/test_vol2/Desktop
/media/test_vol2/Desktop/Systemback (installer).desktop
/media/test_vol2/Desktop/mozo-made.desktop
/media/test_vol2/Desktop/Guymager.desktop
/media/test_vol2/Desktop/Keyboard Changer.desktop
/media/test_vol2/Desktop/CAINE Info.desktop
/media/test_vol2/Desktop/firefox.desktop
/media/test_vol2/Desktop/Caja (root).desktop


I hope this helps.

[ordipb]

OK slo.sleuth. You are true.

In CAINE 6.0, we have this :
For an Image named MyImage, Fmount creates this : "/media/MyImage/MyImage_vol2" (Why this _vol2 ? , mysterious).
And, MyImage_vol2 is an empty directory.
And it's impossible to unmount the image, because (as you say) it is not really mounted. And it is also impossible to unmount the devise where is the image file (.dd), because this device is busy

In CAINE 5.0, for the same, Fmount creates "/media/MyImage" only, and whe have in this mounting point /media/MyImage all the partitions, and inside all the directories, and inside again all the files of the directories.
And it is possible to unmount the image, using the "Safe-devices mount READ-ONLY" (green shortcut), selecting the /dev/loop1, and after to unmount the device itself (not busy now)

So, I leave 6.0 and I choose 5.0

Thank you for your research.

[nannib]

Ok, I remember the problem, If you use fmount in Caine 5.0 it is not the real fmount, because it was modified for solving the problem you got!
It can mount only single partition, if you have a disk image of a disk with many partitions you'll mount only one...
The real fmount is in Caine 6.0, if you apply the changes those slo.sleuth suggested, you'll solve the issue....you can remake the ISO using systemback with your fmount patched, if you need
In any case, I remember there is not that problem if you use fmount from the installed Caine, it appears only in the live version, I don't think you need so much fmount in a live operation...I guess
bye

[ordipb]

OK Nannib. I understand now that using 5.0 is not the solution.

I did the modification suggested by slo.sleuth. With this, Fmount works perfectly.

You say that I could remake the ISO using systemback with the fmount patched.
But I don't know how to do. I looked at systemback, but I did'nt find how to do a new ISO image of the system with it.
Can you help me to do this ?

Thank you in advance.

[slo.sleuth]

For an Image named MyImage, Fmount creates this : "/media/MyImage/MyImage_vol2"  (Why this _vol2 ? , mysterious).
And, MyImage_vol2 is an empty directory.

The reason you see "vol2" is because fmount uses the sleuthkit mmls command to read the partition table.  I'll demonstrate below:

Code:

$ mmls test.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000031   0000000032   Unallocated
02:  00:00   0000000032   0000001919   0000001888   Linux (0x83)
03:  -----   0000001920   0000001999   0000000080   Unallocated
$

Sleuthkit uses a broad understanding of "volumes" to mean contiguous runs of sectors formatted for the same purpose.  Above, vol0 is the partition table, vol1 is the first unallocated group of sectors, and vol2 is the formatted ext2 partition, etc.  If you were to run sleuthkit autotools like tsk_loaddb, you would find the volumes take on the same numbering scheme.  fmount attempts to be consistent with sleuthkit.

[nannib]

Ok here is the latest release of fmount, I just tested it from my live Caine 6.0 in virtualbox and it works (the last did not work in the same virtualmachine).

CLICK HERE to download

You can test running CAINE 6.0 live and changing the /usr/local/bin/fmount.sh and /usr/share/caine/pacchetti/scripts/linuxsleuthing/miscellaneous/fmount.sh with THIS and let us know.
Then if you want to rebuild Caine 6.0, you have first Install it (see the point 3 here: http://www.caine-live.net/page8/page8.html) then clicking on SYSTEMBACK you can choose the LIVE distro option (there are many guide on google how to make a live with systemback).

Ok...that's all for now...let us know your results
Thanks for the feedbacks.

[ordipb]

Hello Nannib.

The results are good, with 6.0 Live CD.

The new fmount.sh, copied in the to directories /usr/local/bin and /usr/share/caine/pacchetti/scripts/linuxsleuthing/miscellaneous/fmount.sh, runs perfectly. The image is mounted, and I see all directories and files of the image. The image appears as a shortcut on the desk. With a right click on it, I can unmount it. All is OK.

Thank you.

Later, I shall install CAINE 6.0 on a virtual machine with Virtual Box (but, not soon).

Have a good sunday.

[ordipb]

Hello Nannib.

I come back to you because I installed CAINE with Systemback.

The installation was successfull, and the installed Caine6 runs perfectly.
But I encountered a problem : impossible to define the swap.

In the window Partition setting, I would define the swap in sda2. After definition of its size, I would choose the mounting point Swap, which is in the list of the mounting points. But, choosing it, the choise is not kept.

I defined my /home in sda2, and I reserved enough space (free) for the swap.

How to define the swap ?

Thank you in advance for your help.

[nannib]

Hi,
did you read here?
http://www.caine-live.net/page8/page8.html
Point 3.
bye

[ordipb]

Sorry, Nannib, I did not read previously.
I thaught wrongly that a swap partition was necessary.
I know now that it is not.
Sorry again.

[ordipb]

Nannib, I confirm (as you know yet) that the original fmount.sh (with MNTPNT="/media/$DIR_NAME/${DIR_NAME}_vol$VOLUME/") runs perfectly in the installed CAINE 6.
The new one (with MNTPNT="/media/${DIR_NAME}_vol$VOLUME/") runs also in the installed CAINE 6, as with the Live CD.
Is strange that the original fmount.sh don't run with Live CD when it runs in installed CAINE.

Now, I shall try to do an iso image of the system for another Live CD (with the new fmount.sh).

[nannib]

Ok, good luck

[ordipb]

Hello Nannib.

I created an iso image of the installed CAINE with Systemback, without problem.
I was guided for this by http://ubuntu-tutorial.com/how-to-create-live-system-iso-using-systemback/

I wrote the iso image on a DVD, and this one is directly bootable.

I shall do a topic about this.

About installation of caine as a virtual machine with Virtual Box, I had some problems to install guest additions in Caine.
Do you think it would be interesting that I did a topic about this : what to do if the automatic installation of guest additions does not run.

Have a good evening.

[Sponsored content]