Mount image file under Linux
Sometimes you just *need* to mount an image file under Linux (ie. forensics and/or data recovery).
This isn’t always easy if you DD the disk, then you need to work out the partition maths.
Easiest way is to ‘fisk -l’ the image file:
root@HackerBox:~/forensics# fdisk -l /mnt/temp/ewf1 Disk /mnt/temp/ewf1: 10 GiB, 10737418240 bytes, 20971520 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0x39bf39be Device Boot Start End Sectors Size Id Type /mnt/temp/ewf1p1 * 63 20948759 20948697 10G 7 HPFS/NTFS/exFAT
From the above you should see ‘Sectors’ are 512 bytes (pretty normal for NTFS) and the partition starts at 63 (sectors) in.
So finally all we need to do is mount the image with the command:
mount /mnt/temp/ewf1 /mnt/temp1 -o ro,loop,show_sys_files,streams_interace=windows,offset=$((63*512))
You can possibly leave out the ’show_sys_files,streams_interace=windows’ parameters if you aren’t doing forensics.