Difference between revisions of "Mounting Disk Images"

From ForensicsWiki
(Free Tools)
(One intermediate revision by the same user not shown)
Line 79: Line 79:
== Free Tools ==
== Free Tools ==
* [ FTK Imager v.3.0]
* [ ImDisk] - also on [ WikiPedia]
* [ ImDisk] - also on [ WikiPedia]
* Paraben's [ P2 Explorer]
* Paraben's [ P2 Explorer]
* [ VDKWin], requires [ VDK]
* [ VDKWin], requires [ VDK]
* [ vhdtool] - an unsupported MS tool that you can use to convert a raw/dd image to a VHD file and mount as a read-only volume via Disk Manager
== Commercial Tools ==
== Commercial Tools ==
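Review bot: the new vhdtool entry says the tool converts a raw/dd image to a VHD file but does not say whether that conversion writes to the image file itself. On a page about mounting evidence read-only, the entry should tell the reader to run the conversion on a working copy and to verify the hash of the original afterwards. The "FTK Imager v.3.0" line pins a version without saying whether the mounting feature needs 3.0 or later; a few words on that would help.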

Revision as of 20:35, 23 August 2011


To mount a disk image on FreeBSD:

First attach the image to unit #1:

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount:

 # mount -t msdos /dev/md1s1 /mnt
 # ls /mnt

To unmount:

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use:

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt


To mount a disk image on Linux:

 # mount -t vfat -o loop,ro,noexec img.dd /mnt

The ro is for read-only.

This will mount NSRL ISOs:

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec 

Some raw images contain multiple partitions (e.g. a full hard disk image). In this case, it is necessary to specify the starting offset of each partition:

 # mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 # mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
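
Each offset above is the partition's starting sector multiplied by the sector size (32256 = 63 × 512). The script below is an added example, not part of the original wiki page: it reads the four primary MBR entries of a raw image and prints the matching read-only mount commands. The function names, the 512-byte sector size and the sample image are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the wiki page). Assumes an MBR-partitioned raw
# image with 512-byte sectors; extended/logical partitions are not walked.
SECTOR_SIZE=512

# Print $3 bytes at byte offset $2 of file $1 as decimal numbers.
read_bytes() {
    od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null
}

# For each non-empty primary entry print: index type start_sector byte_offset
mbr_offsets() {
    img=$1
    set -- $(read_bytes "$img" 510 2)
    if [ "$1" != 85 ] || [ "$2" != 170 ]; then   # 0x55 0xAA boot signature
        echo "no MBR signature in $img" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt 4 ]; do
        # Entry layout: type at +4, CHS end at +5..7, LBA start at +8..11.
        set -- $(read_bytes "$img" $((446 + 16 * i + 4)) 8)
        i=$((i + 1))
        if [ "$1" -ne 0 ]; then
            start=$(( $5 + ($6 << 8) + ($7 << 16) + ($8 << 24) ))
            printf '%d 0x%02x %d %d\n' "$i" "$1" "$start" $((start * SECTOR_SIZE))
        fi
    done
}

# Constructed sample: one 512-byte sector holding two FAT32 (0x0b) entries
# that start at sectors 63 and 40965750, plus the boot signature.
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\013\000\000\000\077\000\000\000' |
        dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\013\000\000\000\166\026\161\002' |
        dd of="$1" bs=1 seek=466 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

sample=$(mktemp)
make_sample "$sample"
# Only print the mount commands; nothing is mounted here.
mbr_offsets "$sample" | while read -r idx ptype start off; do
    echo "mount -t vfat -o loop,offset=$off,ro,noexec img.dd /mnt/tmp_$idx"
done
rm -f "$sample"
```

The file system type passed to -t still has to match what the partition actually contains; the sample entries are FAT, as in the commands above.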


Mounting raw images with multiple partitions is easy with kpartx. To install kpartx under Debian, run aptitude install kpartx as root. kpartx creates a device mapping for each partition. If the raw image looks like this:

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command

 # kpartx -v -a rawimage.dd

creates these mappings


The partitions can be mounted with these commands:

 # mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 # mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the -o ro switch!

To unmount:

 # umount /mnt

Mounting Images Using Alternate Superblocks


MS Windows does not include a native means for mounting acquired images. However, there are tools available for mounting acquired images on Windows systems.

Free Tools

Commercial Tools