
Mounting Disk Images

From ForensicsWiki
Revision as of 22:39, 9 November 2009 by Keydet89 (Talk | contribs)



To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt


To mount a disk image on Linux

 # mount -t vfat -o loop,ro,noexec img.dd /mnt

The ro option mounts the image read-only, and noexec prevents binaries on the mounted image from being executed.

This will mount NSRL ISOs:

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec 

Some raw images contain multiple partitions (e.g. a full hard disk image). In this case, it's necessary to specify the starting offset, in bytes, of each partition.

 # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
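
The two offsets above are starting sectors multiplied by a 512-byte sector size (32256 = 63 × 512, 20974464000 = 40965750 × 512). The following added example, which is not part of the original page, reads those values from the image's MBR partition table and prints the matching read-only mount commands. The function names and the sample MBR are constructed for illustration, and it assumes a classic MBR (not GPT) with 512-byte sectors.

```shell
#!/bin/sh
# Added example: byte offsets of the primary partitions in a raw image's MBR.
# Assumes a classic MBR (not GPT) and 512-byte sectors; all names are illustrative.
SECTOR_SIZE=512

# le32 FILE POS: print the little-endian 32-bit integer stored at byte POS.
le32() {
    set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# mbr_offsets FILE: for each used primary slot print
#   <slot> <type, hex> <start offset in bytes> <length in bytes>
mbr_offsets() {
    f=$1
    sig=$(od -An -v -tx1 -j 510 -N 2 "$f" | tr -d ' \n')   # boot signature
    [ "$sig" = "55aa" ] || { echo "no MBR signature: $f" >&2; return 1; }
    slot=1
    while [ "$slot" -le 4 ]; do
        e=$(( 446 + (slot - 1) * 16 ))       # 16-byte entries start at byte 446
        ptype=$(od -An -v -tx1 -j $(( e + 4 )) -N 1 "$f" | tr -d ' \n')
        start=$(le32 "$f" $(( e + 8 )))      # first sector (LBA)
        count=$(le32 "$f" $(( e + 12 )))     # length in sectors
        [ "$ptype" = "00" ] || [ "$count" -eq 0 ] ||
            echo "$slot $ptype $(( start * SECTOR_SIZE )) $(( count * SECTOR_SIZE ))"
        slot=$(( slot + 1 ))
    done
}

# mount_cmds FILE DIR: print (do not run) one read-only loop mount per partition.
mount_cmds() {
    mbr_offsets "$1" | while read -r slot ptype off len; do
        case $ptype in 05|0f|85) continue ;; esac   # extended containers hold no filesystem
        echo "mount -o loop,offset=$off,ro,noexec $1 $2/tmp_$slot"
    done
}

# make_sample FILE: constructed 512-byte MBR, FAT32 slots at LBA 63 and 40965750.
make_sample() {
    {   dd if=/dev/zero bs=446 count=1       # boot code area
        printf '\000\000\000\000\013\000\000\000\077\000\000\000\067\026\161\002'
        printf '\000\000\000\000\013\000\000\000\166\026\161\002\000\010\000\000'
        dd if=/dev/zero bs=32 count=1        # empty slots 3 and 4
        printf '\125\252'                    # boot signature 55 AA
    } 2>/dev/null > "$1"
}

demo=$(mktemp) && make_sample "$demo" && mount_cmds "$demo" /mnt; rm -f "$demo"
```

The script only prints the mount commands; logical partitions inside an extended partition are not followed.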


Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx creates a device mapping for each partition. If the raw image looks like this:

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command

 # kpartx -v -a rawimage.dd

creates these mappings


The partitions can be mounted with these commands:

 # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the -o ro switch!

To unmount:

 # umount /mnt

Mounting Images Using Alternate Superblocks


MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.

Free Tools

Commercial Tools