In Linux/Unix or perhaps in every computer system, a term mounting is defined as attaching additional filesystem to the currently accessible filesystem of a computer. As we know, a filesystem is hierarchy of directories (also referred to as a directory tree) that is used to organize files on a computer or storage media.
We might familiar or maybe remember how to mount a partition well. But that’s when the partition is inside a storage media or physical medium. What if the partition we want to access is in form of disk image? Here, we will discuss it.
In this article I use:
- Slackware64 14.0
- dumped image from 4GB SD-card, using dd
A disk image is a single file or storage device containing the complete contents and structure representing a data storage medium or device, such as hard drive, tape drive, floppy disk, optical disc, or USB flash drive. A disk image is usually created by creating a complete sector-by-sector copy of the source medium and thereby perfect replicating the structure and contents of a storage device.
In Linux, we can create disk image using dd utility. Assuming we want to create disk image of a SD-card which is recognized as /dev/sdb as MyDiskImage.img:
dd if=/dev/sdb of=MyDiskImage.img
Partition and Partition Table
As said, disk image is perfect copy of a storage media. Therefore we got very same bit of partition and partition table. Nothing is modified, unless you alter it. Therefore, we can still read the partition table like what we do on physical storage medium.
We can use fdisk to see the partition table of a disk image:
We know that Linux and Unix list all recognized device as device nodes. They are treated like ordinary file and stored on /dev, like /dev/sda for first SCSI storage device we have. However, not many of us know some pseudo-devices on this directory. One of them is loop device /dev/loop*.
This is special node that we will use for mounting an image.
How to Mount
There are some steps we have to do so we can mount a partition inside of disk image.
Know the Offset
We have to know where is the offset of partition. Clearly we need to know where the partition start and where the partition end. Although, we only need the offset of beginning of the partition. To do that, we can use fdisk to peek on partition table. For example:
Here’s how my partition looks like.
Disk MyDiskImage.img: 691 MB, 691798016 bytes 255 heads, 63 sectors/track, 84 cylinders, total 1351168 sectors Units = sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x0002c262 Device Boot Start End Blocks Id System 2013-09-25-wheezy-raspbian.img1 8192 122879 57344 c W95 FAT32 (LBA) 2013-09-25-wheezy-raspbian.img2 122880 5785599 2831360 83 Linux
What we want to know is the offset, which is in byte-level. However fdisk tell us about sectors. Fortunately we can convert the offset in sector to bytes by multiplying it with the size of sector. In our case, one sector is 512 bytes.
Let say we want to mount partition 2, which is ext4. We calculate the offset for this partition.
122880 * 512 = 62914560
Save this value.
The actual mounting. Mounting process is similar when we mount normal partition. However, this time we use loopback device and use one argument we never use before, “offset”. Basically, offset tell mount utility to skip the data on particular to offset.
Here how we do:
mount -o loop,offset=62914560 MyDiskImage.img /mnt/mount_point
Here we mount partition 2, which is located on 62914560 bytes after the beginning of the file. The partition should be mounted to our mount point (/mnt/mount_point). Unless you have an unknown filesystem, this command shouldn’t be fail.disk, forensic, linux