How do I mount with cygfuse bdemount build? #70
Comments
|
Can you provide the offset and data of the unencrypted volume, looks like you sent me the encrypted volume header Also see: https://github.com/libyal/libbde/wiki/Troubleshooting#verbose-and-debug-output |
|
I compiled with the Verbose and debug output, but when I run the commands with -v, there is no output anywhere. |
|
My apologies - I typed the -v command in the wrong place. Attached is the output. output_-k.txt UPDATE: So I realized Volatility only provided half the FVEK. When I provided the entire key the same behavior results - a quick pause and back to the command prompt with nothing mounted. |
|
thanks but you'll need to rebuild the library with the verbose/debug output options otherwise the output is not sufficient detailed also see https://github.com/libyal/libbde/wiki/Building#verbose-and-debug-output also make sure to remove any sensitive data, I'm mostly interested in what is causing the signature check to fail |
It's all test data so there's nothing sensitive. Are the attached logs not sufficient? I'm using the "> filename.txt 2>&1" command. |
they are empty unfortunately, given verbose/debug option has not been compiled |
I re-uploaded, so each should be 80k. |
|
thanks looks better, will try to get taking a closer look soon, but have to deal with another thing first. |
No worries at all. I really appreciate your help! |
|
output_-k.txt output_-p.txt output_-r.txt |
|
Looks like output_-p.txt and output_-r.txt are able to decrypt the volume. Which version of Dokan are you using? |
v2.0.5 |
|
The issue you are encountering might be due to changes in Dokan 2.0 and later, I'll have a look later this week to see if I can add support. If you need it urgently you might be able to make the changes yourself based on libyal/libewf@8abd6a9 |
|
I installed various versions of Dokan and I still can't get the image to mount. Just so I'm clear and not doing anything wrong: When I first ran bdemount.exe, I received error messages stating the following dlls were needed: After these dlls were copied into C:\bdemount, the .exe ran (evidenced by the log files) but the image won't mount regardless of the Dokan version installed (v0.x, v1.x, v2.x). Am I missing/omitting/screwing up a crucial step? |
|
cygfuse is not the same as Dokan, these are 2 different backends how did you compile libbde and bdemount? with Visual Studio (+Dokan) or cygwin (+fuse)? I assume the latter given your file names, but double checking |
Yes, Cygwin (with every module installed). So I need to compile with VS to get it to mount properly? |
bdemount has been known to work with Linux fuse, macosfuse (see: https://github.com/libyal/libbde/wiki/Building#using-gnu-compiler-collection-gcc), and Dokan (pre 2.0) (see: https://github.com/libyal/libbde/wiki/Building#dokan-library) cygwin fuse I would need to look in first and Dokan >= 2.0 you might need to make some tweaks |
|
Some changes for Dokan >= 2.0 in 99cc66b |
|
Many thanks! I will start from scratch and circle back. |
|
just tested with Dokan 1.2 on my system and that is working as intended I'll will give cygfuse and Dokan 2 a test drive when time permits |
Thanks so much! |
|
So cygfuse is different from Linux fuse2 and fuse3. Made some tweaks and got it working on a test set up. To reproduce
Will take a closer look how to unmount, given |
not a nice integration, but looks like killing the bdemount process is a method which appears the same method used by fusermount on cygwin https://github.com/mgeisert/cygfuse/blob/master/source/v3/fusermount#L190 |
|
Note to self format of /var/run/fuse.mounts Something like:
Note that
|
joachimmetz
changed the title
joachimmetz
changed the title
|
After running >bdemount -p (password) P:\image.img X: there is some improvement on my end. The command window "hangs" like it's supposed to, I see "bdemount.exe" in Task Manager but the image still doesn't mount. The last two lines of the error output are: mount_fuse_getattr: / |
|
do you see a file |
Unfortunately no. |
|
did you end up going the cygfuse+winfsp way or Dokan? |
|
nevermind, looks like you went the fuse route (mount_fuse_getattr), given that this is a new backend I don't have many tips for you at the moment |
|
I appreciate your help with all of this. I might just fresh install everything on something other than the Franken-machine I'm using right now to see if that clears up anything. |
Hello,
I used Cygwin (installed all modules) to compile. When I run bdemount.exe in an admin cmd window to mount a BDE volume from a raw image, there is a slight pause but nothing is mounted to the specified drive letter. This occurs when using both the password and recovery options. When I try to use the FVEK option, I get errors:
P:\bdemount>bdeinfo P:\image.raw
bdeinfo 20240223
Volume is locked and a password is needed to unlock it.
Password:
Unable to unlock volume.
BitLocker Drive Encryption information:
Volume identifier : abbda335-f434-420c-b97e-5dc2fac4bf74
Encryption method : AES-XTS 128-bit
Creation time : Mar 21, 2024 17:32:18.237762100 UTC
Description : DESKTOP-B8H4DIM C: 3/21/2024
Number of key protectors : 3
Is locked
Key protector 0:
Identifier : 49941cc7-a594-4ce9-be12-9e8d3007d356
Type : Password
Key protector 1:
Identifier : d76929dc-6ab0-4f9c-bcd2-1be14f2bfca3
Type : Startup key
Key protector 2:
Identifier : c92a358a-291f-42e0-ae44-617fc8f0a426
Type : Recovery password
P:\bdemount>bdemount.exe -p P:\image.raw X:
bdemount 20240223 --> it pauses and I get the command prompt, nothing mounted
P:\bdemount>bdemount.exe -r P:\image.raw X:
bdemount 20240223 --> it pauses and I get the command prompt, nothing mounted
P:\bdemount>bdemount.exe -k P:\image.raw X:
bdemount 20240223
Unable to open source volume
libbde_ntfs_volume_header_read_data: invalid volume system signature.
libbde_io_handle_read_unencrypted_volume_header: unable to read NTFS volume header.
libbde_internal_volume_unlock: unable to read unencrypted volume header.
libbde_internal_volume_open_read: unable to unlock volume.
libbde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.
Here are the first 1024 bytes of the volume:
1024 bytes.txt
The text was updated successfully, but these errors were encountered: