Page MenuHomePhabricator

No OneTemporary

Size
15 KB
Referenced Files
None
Subscribers
None
diff --git a/trunk/README b/trunk/README
index e504bfa..c227af6 100644
--- a/trunk/README
+++ b/trunk/README
@@ -1,224 +1,223 @@
XMOUNT README FILE v0.7.x
Table of contents
0.0 Author and license stuff
1.0 What is xmount? - A short description
2.0 Input image support
2.1 libxmount_input_raw
2.2 libxmount_input_ewf
2.3 libxmount_input_aewf
2.4 libxmount_input_aff
2.5 libxmount_input_aaff
3.0 Morphing support
3.1 libxmount_morphing_combine
3.2 libxmount_morphing_raid
3.3 libxmount_morphing_unallocated
4.0 Output image
4.1 Emulated RAW file
4.2 Emulated DMG file
4.3 Emulated VDI file
4.4 Emulated VMDK file
4.5 Emulated VHD file
5.0 Virtual write access
6.0 Installation instructions
6.1 Prerequisits
6.1 Install from a package
6.2 Install from source
- 7.0 xmount command line parameters
- 7.1 xmount usage examples
+ 7.0 xmount usage examples
0.0 Author and license stuff
xmount Copyright (c) 2008-2015 by Gillen Daniel <gillen.dan@pinguin.lu>
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see <http://www.gnu.org/licenses/>.
---
Due to AFFLIB, I have to mention that:
This product includes software developed by Simson L. Garfinkel and Basis
Technology Corp.
1.0 What is xmount? - A short description
xmount allows you to convert on-the-fly between multiple input and output
harddisk image formats. xmount creates a virtual file system using FUSE
(Filesystem in Userspace) that contains a virtual representation of the input
image.
The virtual representation can be in raw DD, Apple's Disk Image format (DMG),
VirtualBox's virtual disk file format (VDI), Microsoft's Virtual Hard Disk
Image format (VHD) or in VmWare's VMDK file format.
Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF
(Advanced Forensic Format) files.
In addition, xmount also supports virtual write access to the output files
that is redirected to a cache file. This makes it for example possible to boot
acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
2.0 Input image support
Starting with version 0.7.0, input image support has been moved into external
libraries. The following chapters list the officially supported ones. They
might not all be available on your system though.
2.1 libxmount_input_raw
Supports raw DD images ("--in raw" or "--in dd").
2.2 libxmount_input_ewf
Supports EWF (Expert Witness Compression Format) images ("--in ewf") using
Joachim Metz's libewf (https://code.google.com/p/libewf/).
2.3 libxmount_input_aewf
Supports EWF (Expert Witness Compression Format) images ("--in aewf")
generated with Guymager (http://guymager.sourceforge.net/). This library
uses an EWF implementation written by Guy Voncken. It consumes much less
memory than libewf when mounting big (>1TB) images.
2.4 libxmount_input_aff
Supports AFF (Advanced Forensic Format) images ("--in aff") using Simson
Garfinkel's afflib (https://github.com/simsong/AFFLIBv3).
2.5 libxmount_input_aaff
Supports AFF (Advanced Forensic Format) images ("--in aaff") using an AFF
implementation written by Guy Voncken. In essence, it is a lot faster than
afflib.
3.0 Morphing support
Also starting with xmount version 0.7.0, a new concept of input image morphing
has been added. Morphing is a process which is applied to the data of all
specified input images and produces a single virtual image which can then be
converted into an output image. The following chapters list the currently
officially supported morphing libraries. As with the input image libs, not all
might be available on your system.
3.1 libxmount_morphing_combine
Using "--morph combine", data from all input images is concatenated into
a single image. Images are appended in the same order they are specified on
the command line. This morphing type is also the default if no "--morph"
option is specified.
3.2 libxmount_morphing_raid
This morphing library supports emulation of hardware / software raid.
Currently, only RAID0 ("--morph raid0") is supported. The used chunk /
stripe size in bytes can be specified with "--morphopts raid_chunksize=XXX".
All input images are treated as member disks of the original raid.
3.3 libxmount_morphing_unallocated
Using "--morph unallocated" it is possible to extract unallocated sectors
from a filesystem. For this to work, your input image must start with the
volume you want to extract unallocated sectors from. If you have an image of
a whole disk, you might need to use xmounts "--offset" parameter to move the
start of the data to the start of the volume. Currently, unallocated
sectors from HFS and FAT can be extracted.
4.0 Output image
4.1 Emulated RAW file
This is the standard data representation used by xmount. It is a file
containing the raw data contained in the input image file. Except for OSx
(see 4.2) this is the default output format when no --out option is
specified.
4.2 Emulated DMG file
This is also a file containing the raw data contained in the input image
file but with a .dmg file extension. On OSx, this is the default output
format when no --out option is specified.
4.3 Emulated VDI file
When using the "--out vdi" command line parameter, a VirtualBox disk file
is emulated. This means that xmount builds a virtual VDI header and prepends
it to the raw data contained in the input image. The VDI file can be used in
VirtualBox as a virtual disk file.
4.4 Emulated VMDK file
When using the "--out vmdk(s)" command line paramter, a VMWare virtual disk
file will be emulated. This mainly consists in building a VMDK descriptor
file that will access an emulated RAW file. You can use this VMDK file to
add your input image as virtual disk to a VMWare virtual machine. "vmdk" is
a VMWare disk attached to the IDE bus and "vmdks" is attached to the SCSI
bus.
When emulating VMDK files to be used in VMWare, you have to enable
"user_allow_other" in /etc/fuse.conf or run xmount and VmWare as root.
WARNING: VMDK support should be considered experimental and currently the
VMDK descriptor file isn't cached.
4.5 Emulated VHD file
When using the "--out vhd" command line parameter, a Virtual Hard Disk Image
file is emulated by appending to the raw data a valid VHD footer. Valid here
means as described in Microsoft's Virtual Hard Disk Image Format specs v1.
5.0 Virtual write access
By using the "--cache <cache_file>" command line parameter, xmount allows
you to change data in the emulated image files. All changes are written to a
separate cache file. No data will ever be written to the original input
image files! Write access is limited to change existing data. It isn't
possible to change the emulated image's file size (no append or truncate)!
The same cache file can be used with different output image formats without
loosing changed data.
6.0 Installation instructions
To install xmount, you can use a prebuild package for your distribution or
you can build xmount from source. The two methods are described in the
following sections.
6.1 Prerequisits
SYSTEM:
- Linux: Some sort of Linux with a recent kernel (2.6.x or above).
- OSx: OSx 10.6 or above
FUSE:
Your OS must support FUSE and have the appropriate libraries installed.
(See http://fuse.sourceforge.net/ for more informations). On OSx, you can
use OSXFuse (https://osxfuse.github.io/) as replacement. To be able to
install from source, you also need the FUSE header files.
LIBEWF:
To enable EWF input image support. Get it from
http://sourceforge.net/projects/libewf/
LIBAFF:
To enable AFF input image support. Get it from http://www.afflib.org/
6.2 Install from a package
Chances are I provide prebuild binary packages for Debian / Ubuntu and OSx.
In this case, you only have to fire up your distribution's package manager
and install xmount. See https://www.pinguin.lu/xmount for more information
and download links.
6.3 Install from source
After having checked the prerequisits, you should be able to compile and
install xmount by simply issuing the following commands:
$ mkdir build
$ cd build
$ cmake -DCMAKE_BUILD_TYPE=Release ..
$ make
$ sudo make install
-7.1 xmount usage examples
+7.0 xmount usage examples
To xmount an EWF harddisk image from your acquired disk as a raw DD image
under /mnt, use the following command:
xmount --in ewf ./acquired_disk.E?? /mnt
To xmount the same ewf image as vdi file, you would use a command like this:
xmount --in ewf ./acquired_disk.E?? --out vdi /mnt
And to enable virtual write support on a raw DD input image xmounted as VDI
file:
xmount --in raw ./acquired_disk.dd --out vdi --cache ./disk.cache /mnt
EOF
diff --git a/trunk/xmount.1 b/trunk/xmount.1
index 4b75e80..d027712 100644
--- a/trunk/xmount.1
+++ b/trunk/xmount.1
@@ -1,85 +1,85 @@
.\"
-.TH "xmount" "1" "Sep 26, 2014" "Daniel Gillen" "xmount"
+.TH "xmount" "1" "Aug 20, 2015" "Daniel Gillen" "xmount"
.SH "NAME"
xmount \- Tool to crossmount between multiple input and output harddisk image files
.SH "SYNOPSIS"
.B xmount
[fopts] <xopts> <mntp>
.br
.SH "DESCRIPTION"
.B xmount
allows you to convert on-the-fly between multiple input and output
harddisk image formats. xmount creates a virtual file system using FUSE
(Filesystem in Userspace) that contains a virtual representation of the input
image.
The virtual representation can be in raw DD, Apple's Disk Image format (DMG),
VirtualBox's virtual disk file format (VDI), Microsoft's Virtual Hard Disk
Image format (VHD) or in VmWare's VMDK file format.
Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF
(Advanced Forensic Format) files.
In addition, xmount also supports virtual write access to the output files
that is redirected to a cache file. This makes it possible to boot acquired
harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
.br
.SH "OPTIONS"
.B
fopts: (Options specific to FUSE)
\-d: Enable FUSE's and xmount's debug mode.
\-h: Display this help message.
\-s: Run single threaded.
\-o no_allow_other: Disable automatic addition of FUSE's allow_other option.
\-o <fmopts> :
Specify fuse mount options. Will also disable automatic addition of FUSE's
allow_other option!
.br
.B
xopts: (Options specific to xmount)
\-\-cache <cfile> : Enable virtual write support.
<cfile> specifies the cache file to use.
\-\-in <itype> <ifile> : Input image format and source file(s). May be specified multiple times.
For a list of supported <itype> types, run xmount \-\-info and look under "loaded input libraries".
<ifile> specifies the source file. If your image is split into multiple files, you have to specify them all!
\-\-inopts <iopts> : Specify input library specific options.
<iopts> specifies a comma separated list of key=value options.
\-\-info : Print out infos about used compiler and loaded libraries.
\-\-morph <mtype> : Morphing function to apply to input image(s). If not specified, defaults to "combine".
For a list of supported <mtype> types, run xmount \-\-info and look under "loaded morphing libraries".
\-\-morphopts <mopts> : Specify morphing library specific options.
<mopts> specifies a comma separated list of key=value options.
\-\-offset <off> : Move the output image data start <off> bytes into the input image(s).
\-\-out <otype> : Output image format. If not specified, defaults to "raw".
<otype> can be "raw", "dmg", "vdi", "vhd", "vmdk", "vmdks".
\-\-owcache <file> : Same as \-\-cache <file> but overwrites existing cache file.
\-\-sizelimit <size> : The data end of input image(s) is set to no more than <size> bytes after the data start.
\-\-version : Same as \-\-info.
.br
.B
mntp:
Mount point where virtual files should be located.
.br
.SH "BUGS"
Hopefully none. If you find any, please e\-mail to <bugs@pinguin.lu>.
.SH "EXAMPLE"
To xmount an EWF image from your acquired disk as a raw DD image under /mnt,
use the following command:
xmount \-\-in ewf ./acquired_disk.E?? /mnt
To xmount the same ewf image as vdi file, you would use a command like this:
xmount \-\-in ewf ./acquired_disk.E?? \-\-out vdi /mnt
And to enable virtual write support on a raw DD input image xmounted as VDI
file:
xmount \-\-in raw ./acquired_disk.dd \-\-out vdi --cache ./disk.cache /mnt
diff --git a/trunk/xmount.spec b/trunk/xmount.spec
index 70bd564..611f67c 100644
--- a/trunk/xmount.spec
+++ b/trunk/xmount.spec
@@ -1,61 +1,61 @@
%define debug_package %{nil}
Name: xmount
Summary: Tool to crossmount between multiple input and output harddisk images
-Version: 0.7.3
+Version: 0.7.4
Release: 1%{?dist}
License: GPL
Group: Applications/System
URL: https://www.pinguin.lu/xmount
Source0: %{name}-%{version}.tar.gz
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
Requires: fuse zlib libewf afflib
BuildRequires: cmake fuse-devel zlib-devel libewf-devel afflib-devel
%description
xmount allows you to convert on-the-fly between multiple input and output
harddisk image formats. xmount creates a virtual file system using FUSE
(Filesystem in Userspace) that contains a virtual representation of the input
harddisk image. The virtual representation can be in raw DD, Apple's Disk Image
format (DMG), VirtualBox's virtual disk file format (VDI), Microsoft's Virtual
Hard Disk Image format (VHD) or in VmWare's VMDK file format. Input images can
be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic
Format) files. In addition, xmount also supports virtual write access to the
output files that is redirected to a cache file. This makes it for example
possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VMware
or alike.
%prep
%setup -q
%build
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_SKIP_RPATH=ON -DCMAKE_INSTALL_PREFIX=%{_prefix} ..
make %{?_smp_mflags}
%install
cd build
%{__make} DESTDIR=%{buildroot} install
%clean
rm -fr %{buildroot}
%post
%preun
%postun
%files
%defattr(-,root,root)
%{_bindir}/*
%{_mandir}/*
%{_exec_prefix}/lib/%{name}/*.so
%doc AUTHORS COPYING INSTALL NEWS README ROADMAP
%changelog
-* Wed Aug 13 2014 Daniel Gillen <gillen.dan@pinguin.lu> 0.7.3-1
-* Release 0.7.3-1
- See ChangeLog for details
+* Wed Aug 20 2015 Daniel Gillen <gillen.dan@pinguin.lu> 0.7.4-1
+* Release 0.7.4-1
+ See NEWS for details
— build package

File Metadata

Mime Type
text/x-diff
Expires
Mon, Dec 23, 10:59 AM (5 h, 55 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
1176625
Default Alt Text
(15 KB)

Event Timeline