# Mount disk image (raw)
### 1. Introduction
> Image mounting involves mounting the evidence disk image on the local system so the data on the disk can be analyzed and inspected.
In this lab, an evidence hard disk image is present on an external disk mounted on ‘/dev/sdc’. The [**dd tools**](https://en.wikipedia.org/wiki/Dd_\(Unix\)) are installed on the lab machine. Also, a flag file is kept in the /root directory of the disk image filesystem.
Mount the evidence disk image and retrieve the flag!
### 2. mount raw disk part 1
First let’s check if /dev/sdc is mounted
I’ll browse to /mnt/evidence
From there I’ll copy the evidence.img file to the root directory
`cp evidence.img /root`
`file evidence.img`
From here we’ll create a directory called «analysis»
`mkdir analysis`
`mount evidence.img /analysis`
`df -h`
### 3. Grab flag 1
`cd /analysis/root`
`cat flag.txt`
### 4. mount raw disk part 2
First let’s check if /dev/sdc is mounted
I’ll browse to /mnt/evidence
From there I’ll copy the evidence.img file to the root directory
`cp evidence.img /root`
From here we’ll create a directory called «evidence2»
`mkdir evidence2`
`mount evidence.img /analysis`
This time we get an error back and coun't mount the img file.
With help of fdisk we can read out the start sector
`fdisk -l evidence.img`
We try to remount the image with the following command:
`mount evidence.img evidence2/ -o ro,offset=$((2048*512))`
### 5. Grab flag 2
### 6. Summary
{% embed url="" %}
