> For the complete documentation index, see [llms.txt](https://cas-cyber.gitbook.io/cas-cybersecurity/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/mount-disk-image-raw.md).

# Mount disk image (raw)

![](/files/DicurCyqgCTK0ta6SWXx)

### 1. Introduction

> Image mounting involves mounting the evidence disk image on the local system so the data on the disk can be analyzed and inspected.

In this lab, an evidence hard disk image is present on an external disk mounted on ‘/dev/sdc’. The [**dd tools**](https://en.wikipedia.org/wiki/Dd_\(Unix\)) are installed on the lab machine. Also, a flag file is kept in the /root directory of the disk image filesystem.

Mount the evidence disk image and retrieve the flag!

### 2. mount raw disk part 1

First let’s check if /dev/sdc is mounted

![](/files/eD2ATrKIJm1vBv8xUQaY)

I’ll browse to /mnt/evidence

![](/files/Pp3XUKaSoWvGTY0hwyb9)

From there I’ll copy the evidence.img file to the root directory

`cp evidence.img /root`

`file evidence.img`

<div align="left"><img src="/files/RPDcJDOwFYQdzlHffouL" alt=""></div>

From here we’ll create a directory called «analysis»

`mkdir analysis`

`mount evidence.img /analysis`

`df -h`

![](/files/M23t67vJc01RYXM7picv)

### 3. Grab flag 1

`cd /analysis/root`

`cat flag.txt`

![](/files/YDSFDc3Dxwhx9VvD69WU)

### 4. mount raw disk part 2

First let’s check if /dev/sdc is mounted

<div align="left"><img src="/files/HHLXJB4bmTKqxyzOvjHm" alt=""></div>

I’ll browse to /mnt/evidence

From there I’ll copy the evidence.img file to the root directory

`cp evidence.img /root`

<div align="left"><img src="/files/YATFAvkGL3lFCuey5Rsd" alt=""></div>

From here we’ll create a directory called «evidence2»

`mkdir evidence2`

`mount evidence.img /analysis`

<div align="left"><img src="/files/BcIMvp6sj4scHmqASXrk" alt=""></div>

This time we get an error back and coun't mount the img file.

With help of  fdisk we can read out the start sector&#x20;

`fdisk -l evidence.img`

<div align="left"><img src="/files/FNjgMOxDfRsH1gKxofVC" alt=""></div>

We try to remount the image with the following command:

`mount evidence.img evidence2/ -o ro,offset=$((2048*512))`

<div align="left"><img src="/files/AZkhqhH3kS5uDk7z0EZ6" alt=""></div>

### 5. Grab flag 2

<div align="left"><img src="/files/BqEIPlY2h0qNGfBqmDtk" alt=""></div>

### 6. Summary

{% embed url="<https://vimeo.com/677725908>" %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/disk-forensics/mount-disk-image-raw.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.