Mounting
To mount a Volume Service Snapshot (VSS) volume you can use vshadowmount.
There is support for the following back-ends:
- Dokan library
- fuse
- OSXFuse
To build vshadowmount see Building.
To mount a VSS volume you can either:
- mount it directly from a device file;
- mount it directly out of a RAW storage media image at a certain offset.
To mount directly from a device file:
vshadowmount /dev/sda2 /mnt/vssvolume/
To mount directly out of a RAW storage media image at a certain offset:
vshadowmount -o 524288 image.raw /mnt/vssvolume/
Note that vshadowmount takes the offset in bytes. If you're copying the start value from the mmls output, multiply it by the sector size:
vshadowmount -o $(( 1024 * 512 )) image.raw /mnt/vssvolume/
This will expose a device file that provides the RAW volume data contained in the VSS volume.
/mnt/vssvolume/vss1
If you get the error:
No sub system to mount VSS volume.
That means fuse was not detected when building the vshadowtools. Check that fuse-dev is installed and that ./configure is able to detect it. The last part of the ./configure output shows this in an overview.
You can now mount the device file as a loopback device:
mount -o loop,ro /mnt/vssvolume/vss1 /mnt/ntfs_file_system
There are several ways to obtain the volume offset.
- Linux fdisk
- mmls of the SleuthKit
On Linux you can run fdisk with the list option (-l):
sudo fdisk -l /dev/sda
Or directly on a partitioned RAW storage media image file:
fdisk -l image.raw
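The sector-to-byte conversion noted above for mmls applies to fdisk as well, since fdisk also lists partition starts in sectors. The following is an added example, not part of the original page or the libvshadow project: it parses fdisk -l output and prints the byte offset to pass to vshadowmount -o. The function names and the sample output are constructed, and the util-linux fdisk output layout is assumed.

```shell
#!/bin/sh
# Added example (not libvshadow code): turn partition start sectors from
# `fdisk -l` output into the byte offsets expected by `vshadowmount -o`.

# Reads `fdisk -l` output on stdin; prints "<partition> <byte offset>" per row.
fdisk_byte_offsets() {
  awk '
    # "Units: sectors of 1 * 512 = 512 bytes" carries the sector size.
    /^Units:/ { for (i = 1; i <= NF; i++) if ($i == "=") size = $(i + 1) }
    # Partition rows follow the "Device ... Start ..." header line.
    /^Device/ { in_table = 1; next }
    in_table && NF >= 4 {
      # A bootable partition has "*" in column 2, shifting Start to column 3.
      start = ($2 == "*") ? $3 : $2
      # Skip rows without a numeric start or when no sector size was seen.
      if (start ~ /^[0-9]+$/ && size > 0) printf "%s %.0f\n", $1, start * size
    }
  '
}

# Byte offset of one named partition, read from `fdisk -l` output on stdin.
offset_for() {
  fdisk_byte_offsets | awk -v dev="$1" '$1 == dev { print $2 }'
}

# Constructed sample of `fdisk -l image.raw` output (not from a real image).
sample_fdisk_output() {
  cat <<'EOF'
Disk image.raw: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot   Start      End  Sectors  Size Id Type
image.raw1 *       1024  1025023  1024000  500M  7 HPFS/NTFS/exFAT
image.raw2      1025024 41943039 40918016 19.5G  7 HPFS/NTFS/exFAT
EOF
}

# List every partition with its byte offset for the constructed sample.
sample_fdisk_output | fdisk_byte_offsets
```

On a real image, pipe `fdisk -l image.raw` into `offset_for image.raw1` and pass the result to vshadowmount -o.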
By default fuse prevents root access to the mount point when a VSS volume is mounted. To enable this functionality first check the fuse documentation.
Make sure the fuse configuration file:
/etc/fuse.conf
Contains:
user_allow_other
Pass "allow_root" to the fuse sub system using the vshadowmount -X option:
vshadowmount -X allow_root image.raw /mnt/vssvolume/
To mount a VSS volume on Windows:
vshadowmount -o 524288 image.raw x:
At the moment vshadowmount keeps a hold on the console.
This will expose a device file that provides the RAW volume data contained in the VSS volume.
X:\VSS1
You can unmount /mnt/vssvolume/ using umount:
umount /mnt/vssvolume/
Or fusermount:
fusermount -u /mnt/vssvolume/
On Windows, at the moment, terminate the vshadowmount process running in the console.
First of all, make sure to check the output of configure. If you're seeing something like the following output, configure was unable to detect a usable fuse.
Building:
...
FUSE support: no
On Mac OS X:
- make sure that you only have OSXFuse installed and not another variant, like MacFuse, alongside it.
- try adding the C preprocessor flags that set the fuse API version, e.g.
CPPFLAGS=-DFUSE_USE_VERSION=26 ./configure
- if all else fails, file a support issue and attach config.log
On Ubuntu:
fusermount – failed to open /etc/fuse.conf – Permission denied
Make sure you're part of the group fuse:
sudo addgroup <username> fuse
If fusermount keeps complaining it cannot open fuse.conf:
sudo chmod o+r /etc/fuse.conf