Mounting Xen .xva archive
Xen XVA files are tar archives consisting of an XML file which describes the disk and a "Ref_XX" folder, which contains 1MB chunks of the disk. The process is; extract the archive, convert the archive to an img (smoosh the ref), list the partitions, mount the partitions.
wget https://necurity.co.uk/scripts/xenmigrate.py
python xenmigrate.py -c ./Ref_7 image.img
file image.img
fdisk -l image.img Mounting Virtualbox .vdi files
This is done through a kernel module, NBD (net block device?), and qemu. After this either mount the parts from fdisk, or mount the LVM.
$ modprobe nbd max_part=16
$ qemu-nbd -c /dev/nbd0
$ fdisk -l /dev/nbd0 Mounting Drives with LVM partition tables
LVM is not an image, before any of you start, but to mount them, set up a loop interface, map the partitions in the LVM, scan for groups, mount said groups, unmount *ALL* LVM groups, teardown the loop.
# Mount the stuff
$ losetup /dev/loop0 image.img
$ kpartx -a /dev/loop0
$ vgscan
$ vgchange -ay changethishostname-vg
$ mount /dev/changethishostname-vg/root mnt/
# Unmount the stuff
$ dmsetup remove_all
$ losetup -d /dev/loop0Mounting Ubuntu encrypted home folders : EcryptFS
EcryptFS is Ubuntu's way of protecting user home directories. However, the strength of this (I understand) is solely based on the user's local login password. This is due to the pass-phrase being stored in an encrypted format, which the key to decrypt this is the user login password. As the users home directory is the *ONLY* thing that is encrypted if the user has not selected full disk encryption during install, an attacker can read /etc/shadow, break the users password, read the passphrase, and then mount the system.
$ cd mnt/home/.ecryptfs/victim/.ecryptfs/
$ for i in a c e; do printf "%s" $i | ecryptfs-unwrap-passphrase .ecryptfs/victim/.ecryptfs/wrapped-passphrase -; done
# snip
Error: Unwrapping passphrase failed [-5]
Info: Check the system log for more information from libecryptfs
64597a9539b644185e42bbbc9e9fe26b
$ ecryptfs-add-passphrase --fnek
Passphrase: 64597a9539b644185e42bbbc9e9fe26b
Inserted auth tok with sig [e42bbd5a189d90ea] into the user session keyring
Inserted auth tok with sig [faa749e796daea5e] into the user session keyring
$ mount -t ecryptfs .ecryptfs/victim/.Private/ test/
Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [e42bbd5a189d90ea]: faa749e796daea5e
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=faa749e796daea5e
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=e42bbd5a189d90ea
Mounted eCryptfs
$ ls -la test/
total 72
drwx------ 2 user inetsim 4096 Apr 9 19:46 .
drwxr-xr-x 5 root root 4096 Apr 9 20:16 ..
-rw-r--r-- 1 user inetsim 220 Apr 9 19:46 .bash_logout
-rw-r--r-- 1 user inetsim 3637 Apr 9 19:46 .bashrc
lrwxrwxrwx 1 user inetsim 32 Apr 9 19:46 .ecryptfs -> /home/.ecryptfs/victim/.ecryptfs
-rw-r--r-- 1 user inetsim 8980 Apr 9 19:46 examples.desktop
lrwxrwxrwx 1 user inetsim 31 Apr 9 19:46 .Private -> /home/.ecryptfs/victim/.Private
-rw-r--r-- 1 user inetsim 675 Apr 9 19:46 .profile