We have some Windows and Linux instances on Amazon EC2. One of the Windows instances was recently hacked and we had to stop it. IT asked me to recover the data from its disk by attaching the disk volume to a Linux machine.
I had a RHEL 6 instance up and running and decided to use it to get the data off the Windows NTFS disk. These are the steps performed:
* In the AWS management console, navigate to Elastic Block Store -> Volumes, select the NTFS disk volume and attach it to the Linux instance using the contextual menu.
* List block devices and identify the new device corresponding to the Windows disk:

    $ lsblk
    NAME  MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    xvde1  02:65   0 100G  0 disk /
    xvdk  202:160  0 100G  0 disk
    xvdk1 202:161  0 100G  0 part

My Windows disk corresponds to the device xvdk1.
* Check the file system type on the new device:

    $ sudo file -s /dev/xvdk1
    /dev/xvdk1: x86 boot sector, code offset 0x52, OEM-ID "NTFS    ", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 2048, dos < 4.0 BootSector (0x80)

The file system is NTFS. We need ntfs-3g to be able to mount it.
* Install ntfs-3g:

    $ wget http://tuxera.com/opensource/ntfs-3g_ntfsprogs-2014.2.15.tgz
    $ tar xfvz ntfs-3g_ntfsprogs-2014.2.15.tgz
    $ cd ntfs-3g_ntfsprogs-2014.2.15
    $ ./configure
    $ make
    $ sudo make install
Now we can mount the NTFS partition (the partition device xvdk1 identified above, not the whole disk xvdk):

    $ sudo mkdir /win_disk
    $ sudo mount -t ntfs-3g /dev/xvdk1 /win_disk/

That's it, now I can access the disk.
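The steps above put together as one script. This is an added example, not the commands from the original post: it finds the partitions of a given attached disk from `lsblk -rn` output, confirms NTFS from the `file -s` description, and mounts the partition read-only with ntfs-3g (plus noexec, nodev and nosuid) so that recovering data from a compromised disk does not alter it. The disk name xvdk, the mount point /win_disk and the sample lsblk listing are assumptions taken from the post; nothing in the script touches a device unless it is invoked with arguments.

```shell
#!/bin/sh
# Added example: mount an attached Windows (NTFS) EBS partition read-only.
# Not part of the original post; device names and mount point are assumptions.

# Constructed sample of `lsblk -rn` output, mirroring the post's listing
# (NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT, one device per line).
SAMPLE_LSBLK='xvde1 202:65 0 100G 0 disk /
xvdk 202:160 0 100G 0 disk
xvdk1 202:161 0 100G 0 part'

# partitions_of DISK: read `lsblk -rn` lines on stdin and print the names of
# the partitions (TYPE == part) whose name starts with DISK, e.g. xvdk -> xvdk1.
partitions_of() {
    awk -v d="$1" '$6 == "part" && substr($1, 1, length(d)) == d { print $1 }'
}

# is_ntfs DESCRIPTION: succeed if a `file -s` description names an NTFS boot
# sector (the OEM-ID field the post shows), fail for anything else.
is_ntfs() {
    case "$1" in
        *'OEM-ID "NTFS'*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_cmd DEVICE MOUNTPOINT: print the mount command used for the recovery.
# ro keeps the evidence disk unmodified; noexec/nodev/nosuid stop anything on
# the hacked disk from being executed or treated as a device on the host.
mount_cmd() {
    printf 'mount -t ntfs-3g -o ro,noexec,nodev,nosuid %s %s\n' "$1" "$2"
}

# main DISK [MOUNTPOINT]: locate the NTFS partition on DISK and mount it.
main() {
    disk="$1"
    mnt="${2:-/win_disk}"
    found=0
    for part in $(lsblk -rn | partitions_of "$disk"); do
        desc=$(file -s "/dev/$part")
        if is_ntfs "$desc"; then
            echo "NTFS partition: $desc"
            mkdir -p "$mnt"
            # shellcheck disable=SC2046  # word-split the command on purpose
            $(mount_cmd "/dev/$part" "$mnt")
            echo "mounted /dev/$part read-only on $mnt"
            found=1
            break
        fi
    done
    [ "$found" -eq 1 ] || { echo "no NTFS partition found on $disk" >&2; exit 1; }
}

# Only act on real devices when invoked with arguments (needs root);
# sourcing or running the file without arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `sudo sh mount_ntfs_ro.sh xvdk /win_disk`. Because the mount is read-only, copying files out with cp or rsync works as before, but nothing on the compromised disk (timestamps, journal, deleted-file slack) is changed, which matters if the disk is later examined in more detail.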