Linux Mount Encrypted Dmg
Recently there has been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac system that implemented 4k block sizes. A few years ago, Mac systems started to use 4k blocks instead of 512 byte block sizes. This has caused some issues where you need to mount the image to do analysis without a major forensic suite. BlackBag wrote a good blog article on this last month however I hope to expand on it just a bit to include E01 files and FileVault encryption scenarios.
How to mount Mac APFS images in Windows APFS is the new file system for Mac OS, and so far, many forensic suites are playing catch up as far as support goes. As such, workarounds may need to be employed in order to conduct analysis on Mac OS APFS images.
DMG Extractor is probably the first and only tool designed exclusively to deal with DMG files on Windows OS. Since DMG Extractor is developed specially for DMG files, it can open encrypted.DMG files without having to first convert them to other formats. Raw, Bzip2, Zlib, and Zero block type DMG files are supported by DMG Extractor. Mount the Encrypted Disk Image To mount the encrypted disk image in the future, locate its file on your hard drive—it will have the.dmg file extension—and double-click it. You’ll be asked for the encryption password you provided while setting it up. Jul 30, 2011 Welcome to LinuxQuestions.org, a friendly and active Linux Community. You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features.
I will also detail how to mount the forensic disk images using newer APFS file system so analysts can start to do their thing while all the forensic tools catch up! APFS disk images already appear to use 4k block sizes as the default, at least on all my test systems. If you see otherwise, please let me know!
This article will try to provide some options to mount these images, however it cannot solve all the issues or combinations of disks/block sizes/host operating systems – it seems that you will have to upgrade to 10.13 at some point to solve many of these problems.
The following steps will bring you from a full HFS+ FileVault 4k disk image in EWF format to a mounted image using macOS 10.13. (If you have a raw (non-EWF) image, you can bypass steps 1 and 3.)
$ sudo mkdir /Volumes/4k_image/
$ sudo mkdir /Volumes/4k_mounted/
$ sudo xmount --in ewf --out dmg 4k.E01 /Volumes/4k_image/
$ hdiutil attach –nomount –blocksize 4096 /Volumes/4k_image/4k.dmg
[Input Password in Prompt Window]
$ diskutil cs list
$ sudo mount_hfs –o rdonly,noexec,noowners /dev/disk# /Volumes/4k_mounted/
1. Create a mount point to put the xmount converted DMG image (converted from EWF format). [sudo is required when dealing with /Volumes/ since 10.12]
2. Create another mount point to put the mounted image on. This will act as the root volume for the mounted image.
3. Using xmount (sudo required) to convert from EWF (--in) to DMG (--out) format. DMG is selected here since it is very Mac friendly. Provide the E01 image (use E?? if using segments) and the converted image mount point created in Step 1. This could take a few seconds if the disk image is large. Theoretically you can use another mounting utility, I've tried ewfmount on 10.13 and ran into errors that I'm still investigating. Having trouble installing Xmount? Does it say OS X Fuse is not installed? Look in the comments section for a fix.
4. Using hdiutil, attach (but don’t yet mount) the DMG file created in Step 3. Using the hidden argument –blocksize we can specify 4096 (‘4k’ can also be used here). It is worth noting here that while hidden in 10.13 this option does not appear to exist in 10.12 versions of this utility. It is also is not detailed in the hdiutil man page. Gotta love hidden functionality! This will output a bunch of /dev/disk* options, however none of these are the ones you need thanks to CoreStorage.
5. If the image is FileVault encrypted a password window will appear, please put the password for the disk in here so it can be unlocked.
- If you want to do this all via the command line (you rock!) you can pass –stdinpass to the hdiutil command in Step 4 where it will prompt you for the password.
- You will then need to use ‘diskutil cs unlockVolume <LogicalVolumeGUID> ‘ after determining the Logical Volume GUID to use by using ‘diskutil cs list’. (Similar to Step 6) Note the Lock Status highlighted in the screenshots below.
6. Next use ‘diskutil cs list’ to determine which disk to using in Step 7. Determine which volume you will be performing analysis on, in the screenshot above it is /dev/disk6.
7. Using mount_hfs (with sudo again) we can mount /dev/disk6 (the ‘#’ is just a variable used above, yours may be a different number) using a variety of options (you can choose your own, however I normally use read only, ignore ownership, and limit binary execution options. Also provide it the second mount point you created in Step 2.
If it all works out, congrats you now have a mounted image!
A similar approach can be used for new APFS disk images. Anyone who has tried to capture their disk images in 10.13 might have had a problem doing so due to System Integrity Protection (SIP). SIP is now protecting /dev and will likely make forensic acquisition and analysis more difficult if you happen to interact with /dev often. Easy fix – disable SIP. While not technically good for security purposes, it can be a general pain in the posterior to have on. To disable it, reboot into Recovery mode, open the Terminal and type ‘csrutil disable’ and restart the system. Yes, you can re-enable it later with ‘csrutil enable’.
- $ sudo mkdir /Volumes/apfs_image/
- $ sudo mkdir /Volumes/apfs_mounted/
- $ sudo xmount --in ewf --out dmg apfs.E01 /Volumes/apfs_image/
- $ hdiutil attach –nomount /Volumes/apfs_image/apfs.dmg
- $ diskutil ap list
- $ diskutil ap unlockVolume <Disk GUID> –nomount
- $ sudo mount_apfs –o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_mounted/
Because it is so similar to the process above, my description of each step here will be limited. In Step 4 we do not need to use –blocksize as it just happens to work without it. In Step 5, instead of ‘diskutil cs list’ we use ‘diskutil ap list’ – APFS does not use CoreStorage (cs) and instead uses APFS containerization (ap). The ‘ap’ will also be used in Step 6. Step 7 uses mount_apfs instead of mount_hfs for obvious reasons and would be used on /dev/disk6s1 as shown in the example screenshot below.
A big thanks to Ed and a “little birdy” for sanity checks and help!
Open DMG File on Linux
DMG files use Hierarchical File System (HFS) as a disk file system format. In order for your Linux machine to open DMG files it needs to support HFS and HFS+. To enable HFS and HFS+ support on your Linux machine you will need to install HFS tools and kernel modules.
Ubuntu
Below are instructions on how to install HFS and HFS+ and mount HFS+ drive on Ubuntu.
1) Install hfsprogs which enables operation with HFS and HFS+ on Linux via ports of mkfs and fsck.
sudo apt-get install hfsprogs
2) Mount or remount the HFS+ drive
sudo mount -t hfsplus -o force,rw /dev/sdXY /media/mntpoint
or
sudo mount -t hfsplus -o remount,force,rw /mount/point
3) If the drive is partially corrupted or was unmounted with an error run:
sudo fsck.hfsplus -f /dev/sdXY
CentOS
Below are instructions on how to mount HFS or HFS+ in CentOS:
1) Install hfs kernel modules and hfs+ tools:
yum install kmod-hfs
yum install hfsplus-tools
2) Mount or remount the HFS+ drive
sudo mount -t hfsplus -o force,rw /dev/sdXY /media/mntpoint
or
sudo mount -t hfsplus -o remount,force,rw /mount/point
3) If the drive is partially corrupted or was unmounted with an error run:
sudo fsck.hfsplus -f /dev/sdXY
With HFS and HFS+ enabled you are ready to mount your DMG file.
Following DMG partitioning schemes were tested to work with instructions below:
Linux Mount Dmg
- Apple Partition Map
- CD/DVD (partitioned)
- CD/DVD (partitioned) with ISO data
- Hard disk
- Master Boot Record Partition Map
- No partition map
Below is a command to mount an image.dmg file using hfsplus file system:
Mount Dmg File Windows 10
sudo mount -t hfsplus image.dmg /mnt
Linux Mount Encrypted Drive
Here -t hfsplus tells mount command to mount with HFS+ file system. The /mnt specifies a path to where the image will be mounted.
To unmount following command is needed:
sudo mount -t hfsplus image.dmg /mnt
Sure, you could buy office, which is less. I am not joking. But not free. The cheapest plans are 70 dollars a year or a 150 dollars one time purchase, which is even more than powerpoint. Not 10, not 20, not 40, but 140 dollars. Download keynotes for mac free.