Mount disk image (raw)
Last updated
Was this helpful?
Last updated
Was this helpful?
Image mounting involves mounting the evidence disk image on the local system so the data on the disk can be analyzed and inspected.
Mount the evidence disk image and retrieve the flag!
First let’s check if /dev/sdc is mounted
I’ll browse to /mnt/evidence
From there I’ll copy the evidence.img file to the root directory
cp evidence.img /root
file evidence.img
From here we’ll create a directory called «analysis»
mkdir analysis
mount evidence.img /analysis
df -h
cd /analysis/root
cat flag.txt
First let’s check if /dev/sdc is mounted
I’ll browse to /mnt/evidence
From there I’ll copy the evidence.img file to the root directory
cp evidence.img /root
From here we’ll create a directory called «evidence2»
mkdir evidence2
mount evidence.img /analysis
This time we get an error back and coun't mount the img file.
With help of fdisk we can read out the start sector
fdisk -l evidence.img
We try to remount the image with the following command:
mount evidence.img evidence2/ -o ro,offset=$((2048*512))
In this lab, an evidence hard disk image is present on an external disk mounted on ‘/dev/sdc’. The are installed on the lab machine. Also, a flag file is kept in the /root directory of the disk image filesystem.
