-
Notifications
You must be signed in to change notification settings - Fork 7
Mounting
To mount an Extended File System (ext) volume you can use fsextmount.
There is support for the following back-ends:
- Dokan library
- fuse
- OSXFuse
To build fsextmount see Building.
To mount an ext volume you can either:
- mount it directly from a device file;
- mount it directly our of a RAW storage media image at a certain offset.
To mount directly from a device file:
fsextmount /dev/sda2 /mnt/fuse
To mount directly our of a RAW storage media image at a certain offset:
fsextmount -o 524288 image.raw /mnt/fuse
Note that fsextmount takes an offset in bytes if you're copying the output from mmls multiply by the sector size:
fsextmount -o $(( 1024 * 512 )) image.raw /mnt/fuse
This will expose file entries contained in the ext volume.
/mnt/fuse/usr/bin/bash
If you get the error:
No sub system to mount FSEXT.
That means fuse was not detected when building the fsexttools, check if you have fuse-dev installed and if ./configure is able to detect it. The last part of the ./configure output shows you this in an overview.
There are several ways to obtain the volume offset.
- Linux fdisk
- mmls of the SleuthKit
On Linux you can run fdisk with the list option (-l):
sudo fdisk -l /dev/sda
Or directly on a partitioned RAW storage media image file:
fdisk -l image.raw
By default fuse prevents root access to the mount point when an ext volume is mounted. To enable this functionality first check the fuse documentation.
Make sure the fuse configuration file:
/etc/fuse.conf
Contains:
user_allow_other
Pass "allow_root" to the fuse sub system using the fsextmount -X option:
fsextmount -X allow_root image.raw /mnt/fuse
To mount an ext volume on Windows:
fsextmount -o 524288 image.raw x:
At the moment the fsextmount keeps a hold on the console.
This will expose a file system contained in the ext volume.
X:\FSEXT1
You can unmount /mnt/fuse using umount:
umount /mnt/fuse
Or fusermount:
fusermount -u /mnt/fuse
At the moment terminate the process running in the console.
First of all make sure to check the output of configure. If you're seeing something like the following output configure was unable to detect an usable fuse.
Building:
...
FUSE support: no
On Mac OS X:
- make sure that you only have OSXFuse installed and not another variant, like MacFuse, besides it.
- try adding the C pre processor flags that set the fuse API version, e.g.
CPPFLAGS=-DFUSE_USE_VERSION=26 ./configure
- if all else fails; file a support issue and attach config.log
On Ubuntu:
fusermount – failed to open /etc/fuse.conf – Permission denied
Make sure you're part of the group fuse:
sudo addgroup <username> fuse
If fusermount keeps complaining it cannot open fuse.conf:
sudo chmod o+r /etc/fuse.conf