Mount disk image (raw)

1. Introduction

Image mounting involves mounting the evidence disk image on the local system so the data on the disk can be analyzed and inspected.

In this lab, an evidence hard disk image is present on an external disk mounted on ‘/dev/sdc’. The dd tools are installed on the lab machine. Also, a flag file is kept in the /root directory of the disk image filesystem.

Mount the evidence disk image and retrieve the flag!

2. mount raw disk part 1

First let’s check if /dev/sdc is mounted

I’ll browse to /mnt/evidence

From there I’ll copy the evidence.img file to the root directory

cp evidence.img /root

file evidence.img

From here we’ll create a directory called «analysis»

mkdir analysis

mount evidence.img /analysis

df -h

3. Grab flag 1

cd /analysis/root

cat flag.txt

4. mount raw disk part 2

First let’s check if /dev/sdc is mounted

I’ll browse to /mnt/evidence

From there I’ll copy the evidence.img file to the root directory

cp evidence.img /root

From here we’ll create a directory called «evidence2»

mkdir evidence2

mount evidence.img /analysis

This time we get an error back and coun't mount the img file.

With help of fdisk we can read out the start sector

fdisk -l evidence.img

We try to remount the image with the following command:

mount evidence.img evidence2/ -o ro,offset=$((2048*512))

5. Grab flag 2

6. Summary