Forensic mounting of disk images on Linux. Covers raw dd, LVM2 physical volumes, E01 containers, multi-partition GPT/MBR images by sector offset, and guestmount as the fallback when the manual chain fails. All mounts read-only with the Linux VFS safety flags. Verified against Kali ewfmount 20140816, sleuthkit, libguestfs-tools.

Side: blue


Always-first

file image.dd                                    # identify magic bytes - dictates the entire mount path
mkdir -p case_fs case_ewf                        # working dirs: filesystem, raw-from-E01

file output drives the decision: DOS/MBR or NTFS holding a single filesystem → simple loop mount, LVM2 PV → LVM chain, EWF/Expert Witness Format → ewf-tools first and then file again on the inner image, a partition table with several entries (mmls) → offset addressing.

Mount flags (forensic baseline)

Flag      Purpose
ro        read-only at the VFS layer: no atime updates, no dirty-inode writeback, no new files. Mandatory for evidence. On its own it does not stop ext3/ext4/xfs journal replay (see below).
noexec    refuse execve() and PROT_EXEC mappings of files on the mount, so a binary on the image cannot run on the host
nodev     ignore device nodes on the image; a node stored there with the major/minor of, say, /dev/sda would otherwise open the host's disk
nosuid    ignore set-uid/set-gid bits; a suid-root binary on the image must not become one on the host
loop      tell mount to allocate a loop device automatically for a regular file; combined with ro, mount attaches that loop device read-only (losetup -l, RO column)

These are VFS flags and apply to every filesystem type. On FAT/exFAT, which cannot store device nodes or set-uid bits, nodev and nosuid have nothing to block, but noexec still matters: vfat marks every file executable by default. ntfs-3g can represent device nodes and permission bits, so NTFS is not exempt either. Pass all four on every mount; they cost nothing.

ro is weaker than it looks on journaled filesystems. ext3/ext4 and xfs replay a dirty journal at mount time even with ro, and that replay writes to the device. Use both defences: attach the loop device read-only (losetup -r; mount -o loop,ro does this for its own loop device) so the write cannot land, and add noload (ext3/ext4) or norecovery (xfs) so the mount succeeds without attempting recovery instead of failing on the read-only device.
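After mounting, confirm the flags actually took rather than trusting the command that was typed: a typo in -o, a helper script with its own options, or an overmount on the same path can leave the evidence writable. The functions below are an added example for this page, not a tool from the page or from any project; they read the /proc/self/mounts format (device, mountpoint, fstype, options, dump, pass) and report which of ro, nosuid, nodev, noexec are missing on a mountpoint. SAMPLE_MOUNTS, the /home/ana paths and the the_knack LV name are constructed sample data.

```sh
#!/bin/sh
# Added example, not part of the original page: confirm that a mount really
# carries the forensic flags instead of trusting the command that made it.
# Reads the /proc/self/mounts format: device mountpoint fstype options dump pass.
# SAMPLE_MOUNTS is constructed for this example (paths and the the_knack VG
# name are placeholders); the real check runs against /proc/self/mounts.
SAMPLE_MOUNTS='/dev/loop0 /home/ana/case_fs ext4 ro,nosuid,nodev,noexec,relatime,noload 0 0
/dev/loop1 /home/ana/case_fs2 ext4 rw,relatime 0 0
/dev/mapper/the_knack-root /home/ana/case_fs3 xfs ro,nodev,relatime,norecovery 0 0'

# The VFS flags every evidence mount must carry, regardless of filesystem type.
REQUIRED_FLAGS='ro nosuid nodev noexec'

# Option string of the mount at mountpoint $1. $2 is a mounts table to read
# instead of /proc/self/mounts (used for the sample). When a path is mounted
# more than once the last entry wins, which is the view the kernel presents.
# Returns 1 when nothing is mounted there.
mount_options() {
    _mp=$1
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else cat /proc/self/mounts; fi |
        awk -v mp="$_mp" '$2 == mp { opts = $4 } END { if (opts == "") exit 1; print opts }'
}

# Print the required flags missing from the mount at $1, space separated on
# one line. Returns 0 when all are present, 1 when some are missing,
# 2 when $1 is not a mountpoint at all.
missing_flags() {
    _opts=$(mount_options "$1" "${2:-}") || { echo "not mounted: $1" >&2; return 2; }
    _missing=''
    for _f in $REQUIRED_FLAGS; do
        case ",$_opts," in
            *",$_f,"*) ;;                            # flag present
            *) _missing="$_missing $_f" ;;
        esac
    done
    if [ -z "$_missing" ]; then return 0; fi
    printf '%s\n' "${_missing# }"
    return 1
}

# As typed after a mount:  missing_flags "$(pwd)/case_fs" || echo "fix the mount before touching evidence"
```

Run it with an empty second argument right after every mount so it reads the live table. Pair it with losetup -l: the RO column there shows whether the loop device itself is read-only, which this check cannot see from the mount options alone.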


Simple loop mount (single-partition raw / NTFS)

file image.dd                                              # confirm "DOS/MBR ... FAT32" or NTFS, sector size
mmls image.dd                                              # no partition table on a bare volume image; a table whose entry starts past sector 0 means: use the offset method below
 
sudo mount -o loop,ro,noexec,nodev,nosuid image.dd case_fs # one-shot: mount + auto-loop, loop device attached read-only
ls -la case_fs
 
sudo umount case_fs                                        # done; loop released automatically

mount -o loop releases the loop device on umount: no losetup -d is needed when mount allocated it. This path only works when the filesystem starts at byte 0 of the image, i.e. a volume image rather than a whole-disk image with a partition table in front.


LVM2 physical volume

file reports LVM2 PV and a bare mount fails with unknown filesystem type 'LVM2_member'. Walk the PV → VG → LV stack on a loop device attached read-only, so neither LVM metadata writes nor a journal replay can reach the image.

sudo losetup -f                                            # find a free loop device, e.g. /dev/loop0
sudo losetup -r /dev/loop0 image.dd                        # attach read-only (-r); fails with "Device or resource busy" if loop0 is taken
 
sudo vgscan                                                # discover volume groups; reports VG name e.g. 'the_knack'
sudo vgchange -ay <vg_name>                                # activate; creates /dev/<vg>/<lv> nodes
sudo lvscan                                                # list logical volumes inside the VG
 
sudo mount -o ro,noexec,nodev,nosuid,noload /dev/<vg>/<lv> case_fs   # ext LV; an xfs LV takes norecovery instead of noload
ls -la case_fs
 
# cleanup, in reverse order
sudo umount case_fs
sudo vgchange -an <vg_name>
sudo losetup -d /dev/loop0
sudo losetup -l                                            # confirm no entry remains for the image

Always use the loop device losetup -f reported; snaps and prior images occupy the low loop numbers. sudo losetup -rf --show image.dd does find, attach read-only and print the chosen device in one step. If the image's VG carries the same name as one on the analysis host (ubuntu-vg, kali-vg and friends), LVM refuses to act on the ambiguous name; vgrename and vgimportclone would resolve it by writing new metadata to the PV, which evidence must not receive, so hand such an image to guestmount (below), which activates LVM inside its own appliance instead.


E01 (Expert Witness) containers

E01 is the EnCase Expert Witness format; FTK Imager and ewfacquire write it too. Verify the embedded hash before mounting: if it does not match, nothing found on the image can be tied to the original evidence.

sudo apt install -y ewf-tools                              # one-time
 
ewfinfo  evidence.E01                                      # case number, examiner, evidence number, hashes
ewfverify evidence.E01                                     # rehashes the disk bytes inside the container
 
sudo ewfmount evidence.E01 case_ewf                        # surface raw image as case_ewf/ewf1 (FUSE, read-only)
file case_ewf/ewf1                                         # now identify the inner image

case_ewf/ewf1 is a regular file from this point on — treat it like a .dd.

# inner image is a single partition (NTFS / FAT)
sudo mount -o loop,ro,noexec,nodev,nosuid case_ewf/ewf1 case_fs
ls case_fs
 
# cleanup unmounts both layers, inner first
sudo umount case_fs
sudo umount case_ewf

Multi-partition images by sector offset

When mmls shows multiple partitions, sector 0 of the image holds a partition table rather than a filesystem, so a whole-image loop mount fails. Pick a partition by its start sector and attach a loop device at that byte offset.

sudo ewfmount big.E01 case_ewf                             # if E01; otherwise skip and use big.dd directly
 
sudo mmls case_ewf/ewf1                                    # forensic-aware: shows unallocated gaps
sudo sfdisk -l case_ewf/ewf1                               # shows partition labels (BIOS boot, Linux fs, etc.)

Use mmls for offsets, sfdisk -l for partition types. Read sector size from the sfdisk header (almost always 512).

# partition starts at sector 10489856; sector size 512 bytes
sudo losetup -r -o $((512 * 10489856)) /dev/loop0 case_ewf/ewf1
 
sudo mount -o ro,noexec,nodev,nosuid /dev/loop0 case_fs    # add noload (ext3/4) or norecovery (xfs) for journaled filesystems
ls case_fs
 
# cleanup
sudo umount case_fs
sudo losetup -d /dev/loop0
sudo umount case_ewf

losetup -o takes bytes, not sectors. $((sector * sector_size)) keeps the arithmetic explicit and copy-paste safe; take the sector size from the mmls "Units are in" line, which reads 4096 on a 4Kn disk image. Adding --sizelimit $((length * sector_size)) bounds the loop device to the partition so the filesystem driver can never read past its end. mount can do both steps at once with mount -o loop,ro,noexec,nodev,nosuid,offset=$((512 * 10489856)) case_ewf/ewf1 case_fs; offset= is in bytes as well.
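To take the hand arithmetic out of the offset step, here is an added example, not code from the page or from sleuthkit: POSIX shell functions that parse mmls output, read the sector size from its "Units are in N-byte sectors" header, skip the Meta and unallocated rows, and print the losetup command (read-only, byte offset and sizelimit) for a chosen slot without running it. MMLS_SAMPLE is a constructed table in the layout mmls prints for a GPT disk, with its last partition starting at the 10489856 sector used above; big.dd is a placeholder path.

```sh
#!/bin/sh
# Added example, not part of the original page or of sleuthkit: derive the
# byte offsets losetup -o needs from mmls output, reading the sector size
# from the mmls header so a 4Kn image is not silently multiplied by 512.
# MMLS_SAMPLE is constructed for this example in the layout mmls prints
# for a GPT disk; its last partition starts at the 10489856 sector used in
# the text above.
MMLS_SAMPLE='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0001050623   0001048576   EFI system partition
005:  001       0001050624   0010489855   0009439232   Linux filesystem
006:  002       0010489856   0041940991   0031451136   Linux filesystem'

# Sector size declared in the mmls header ("Units are in 512-byte sectors").
mmls_sector_size() {
    printf '%s\n' "$1" | awk '/^Units are in [0-9]+-byte sectors/ {
        sub(/-byte.*/, "", $4); print $4; exit }'
}

# Allocated partitions only. mmls also lists Meta rows (GPT header, partition
# table) and "-------" unallocated gaps; the Slot column is numeric only for
# real partitions. Leading zeros are stripped so the shell does not read
# "0010489856" as an octal literal later. Output: slot start length description
mmls_partitions() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+$/ {
        desc = $6; for (i = 7; i <= NF; i++) desc = desc " " $i
        print $2, $3 + 0, $5 + 0, desc }'
}

# Start sector and length in sectors of slot $2, printed as "start length";
# fails when $2 is not an allocated partition.
mmls_slot_extent() {
    _row=$(mmls_partitions "$1" | awk -v slot="$2" '$1 == slot { print $2, $3; exit }')
    [ -n "$_row" ] || { echo "slot $2 is not an allocated partition" >&2; return 1; }
    printf '%s\n' "$_row"
}

# Byte offset of slot $2: the value losetup -o and mount -o offset= take.
mmls_byte_offset() {
    _ss=$(mmls_sector_size "$1")
    _row=$(mmls_slot_extent "$1" "$2") || return 1
    _start=${_row% *}
    echo $(( _start * _ss ))
}

# Print (do not run) the losetup line for slot $2 of image $3: read-only,
# byte offset, and --sizelimit so the loop device ends where the partition does.
mmls_losetup_plan() {
    _ss=$(mmls_sector_size "$1")
    _row=$(mmls_slot_extent "$1" "$2") || return 1
    _start=${_row% *}; _len=${_row#* }
    printf 'sudo losetup -r -o %s --sizelimit %s -f --show %s\n' \
        "$(( _start * _ss ))" "$(( _len * _ss ))" "$3"
}

# As typed in a case:  mmls_losetup_plan "$(sudo mmls case_ewf/ewf1)" 002 case_ewf/ewf1
```

The printed command is meant to be read and then pasted, not executed blindly: compare its offset with the mmls row before attaching, and note that -f --show makes losetup print the device it chose, so the rest of the chain never hardcodes /dev/loop0.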


guestmount (auto-detect fallback)

guestmount from libguestfs-tools auto-detects the partition table, inspects the installed OS (Linux or Windows), and mounts each of its filesystems, LVM included, at the path the OS itself would use. The result looks like a live root: /home, /var, /etc all under one path. Reach for it when the manual chain fails or when you want the disk exactly as the OS would see it. The work happens inside a libguestfs appliance (a small VM), not in the host kernel, so no host loop device or VG is involved.

sudo apt install -y libguestfs-tools                       # one-time
 
ewfmount evidence.E01 case_ewf                             # FUSE mount as the analysis user; no sudo needed on this path
guestmount --ro -i -a case_ewf/ewf1 case_fs                # --ro is not the default
 
ls case_fs/home case_fs/var case_fs/etc                    # whole filesystem visible
 
# cleanup, inner layer first
guestunmount case_fs                                       # libguestfs' own unmount helper
fusermount -u case_ewf                                     # releases the ewfmount FUSE layer

Flag   Effect
--ro   read-only (mandatory for evidence; guestmount defaults to writable)
-i     inspect: detect the OS, mount each of its filesystems at its native path
-a     add a disk; repeat -a for every image when a VG or RAID spans several

Nothing is left on the host after guestunmount: partition scanning and LVM activation happened inside the appliance, so there are no host loop devices or VG activations to tear down.


Decision flow

graph TD
    img["disk image / E01"] --> file{"file <image>"}
    file -->|"DOS/MBR + single partition"| simple["mount -o loop,ro"]
    file -->|"LVM2 PV"| lvm["losetup -f<br/>vgscan / vgchange -ay<br/>mount LV"]
    file -->|"E01 / EWF"| ewf["ewfverify<br/>ewfmount<br/>re-run file on ewf1"]
    file -->|"multi-partition GPT/MBR"| multi["mmls + sfdisk<br/>losetup -o $((sector*512))"]
    file -->|"manual chain fails"| gm["guestmount --ro -i -a"]

Pitfalls

  • Default mount is read-write. Missing ro silently invalidates evidence (atime updates, dirty inodes, new files). ro alone still lets ext3/ext4/xfs replay a dirty journal: attach the loop device read-only and add noload / norecovery.
  • losetup /dev/loop0 fails with "Device or resource busy" when loop0 already holds a snap or prior image, and a script that ignores the error then mounts someone else's backing file. Use losetup -f (or losetup -rf --show image) and take the device it reports.
  • noexec,nodev,nosuid apply on every filesystem type and belong on every mount. Without them a stray command path inside the mount can run an attacker-supplied binary on the host, and a planted device node or suid bit becomes usable there too.
  • Skipping ewfverify means the analysis cannot make integrity claims about the evidence in the report.
  • losetup -o and mount -o offset= take bytes, not sectors. Multiply by the sector size from the mmls header or sfdisk -l.
  • Leaving a VG active across images causes the next vgscan to see stale state, and two VGs with the same name leave LVM unable to address either. vgchange -an after every LVM analysis.
  • Cleanup order matters: filesystem → VG → loop → ewf. Out of order leaves orphaned loop devices and stuck FUSE mounts that confuse the next case.
