tinyapps.org / docs / Mounting partitions from full disk images

1. Mounting without a specified offset

1.1 losetup --partscan (introduced in Util-linux 2.21)

# losetup --partscan --find --show disk.img
/dev/loop0

# lsblk --fs
NAME      FSTYPE  LABEL
...
loop0
├─loop0p1 hfsplus MacData
└─loop0p2 exfat   SharedData

# mkdir /mnt/MacData

# mount /dev/loop0p1 /mnt/MacData

# ls /mnt/MacData
file1 file2 file3 etc...

# umount /mnt/MacData

# losetup --detach-all

1.2 kpartx (part of multipath-tools)

$ sudo apt-get install kpartx

$ kpartx

usage : kpartx [-a|-d|-l] [-v] wholedisk
	-a add partition devmappings
	-d del partition devmappings
	-l list partitions devmappings that would be added by -a
	-p set device name-partition number delimiter
	-g force GUID partition table (GPT)
	-v verbose

Sometimes things will be clear:

$ sudo kpartx -l winxp.img
loop0p1 : 0 3326337 /dev/loop0 63

and other times, a little less so:

$ sudo kpartx -l os9.img
loop0p1 : 0 63 /dev/loop0 1
loop0p2 : 0 54 /dev/loop0 64
loop0p3 : 0 74 /dev/loop0 118
loop0p4 : 0 54 /dev/loop0 192
loop0p5 : 0 74 /dev/loop0 246
loop0p6 : 0 200 /dev/loop0 320
loop0p7 : 0 512 /dev/loop0 520
loop0p8 : 0 512 /dev/loop0 1032
loop0p9 : 0 3330884 /dev/loop0 1544
loop0p10 : 0 10 /dev/loop0 3332428

For additional partition information, use testdisk, parted, mmls, gdisk, sfdisk, or fdisk (more on these below).

$ sudo kpartx -a -v os9.img
add map loop0p1 (252:0): 0 63 linear /dev/loop0 1
add map loop0p2 (252:1): 0 54 linear /dev/loop0 64
add map loop0p3 (252:2): 0 74 linear /dev/loop0 118
add map loop0p4 (252:3): 0 54 linear /dev/loop0 192
add map loop0p5 (252:4): 0 74 linear /dev/loop0 246
add map loop0p6 (252:5): 0 200 linear /dev/loop0 320
add map loop0p7 (252:6): 0 512 linear /dev/loop0 520
add map loop0p8 (252:7): 0 512 linear /dev/loop0 1032
add map loop0p9 (252:8): 0 3330884 linear /dev/loop0 1544
add map loop0p10 (252:9): 0 10 linear /dev/loop0 3332428

$ sudo mount /dev/mapper/loop0p9 /mnt -o ro

$ ls /mnt
Applications (Mac OS 9)  Documents                Trash
Desktop DB               Late Breaking News       VM Storage
Desktop DF               System Folder
Desktop Folder           TheVolumeSettingsFolder

$ sudo umount /mnt

$ sudo kpartx -d os9.img
loop deleted : /dev/loop0

1.3 guestfish (part of libguestfs)

"libguestfs can access almost any disk image imaginable. It can do it securely — without needing root and with multiple layers of defence against rogue disk images. It can access disk images on remote machines or on CDs/USB sticks. It can access proprietary systems like VMware and Hyper-V."

$ sudo apt install libguestfs-tools

$ guestfish -ro -a disk.img

><fs> run
...
><fs> list-filesystems
/dev/sda1: exfat
><fs> mount /dev/sda1 /
><fs> ls /
foo
bar
baz
etc
><fs> copy-out / .
><fs> q

For exFAT support at the moment (Oct 2016), create zz-exfat like so:

# echo exfat-fuse > /usr/lib/x86_64-linux-gnu/guestfs/supermin.d/zz-exfat
# echo exfat-utils >> /usr/lib/x86_64-linux-gnu/guestfs/supermin.d/zz-exfat

or patch and compile from source. Many thanks to Richard W.M. Jones for both fixes.

libguestfs also includes guestmount, which can mount disk images directly into the local filesystem.

1.4 Linux Enhanced Loopback Driver

Available from Sourceforge or NASA's FTP server. Older and more complex to setup than kpartx. The following documentation is an amalgam of Jason Luttgens's USE.txt, readme.txt, and INSTALL.txt:

The enhanced loopback driver modifies the native loopback driver of the Linux kernel and adds functionality that can make the driver emulate a disk drive in some ways. Most important to us is providing automatic interpretation and mapping of partitions contained within an image file of a hard drive.

For most people, here's what you need to do:

1) Download binary/vmlinuz-2.4.xx-xfs-enhanced_loop.x.tar.gz
2) Download binary/loop-utils-0.0.1-1.i386.rpm
3) Download createdev
./createdev start
rpm --force -ivh /path/to/loop-utils-0.0.1-1.i386.rpm
cd /
tar xvfz /path/to/vmlinuz-2.4.xx-xfs-enhanced_loop.x.tar.gz
Then go and edit your lilo.conf or grub.conf (or whatever boot utility you use) and add in another option to boot the new kernel. The name of this kernel is /boot/vmlinuz-2.4.xx-xfs-enhanced_loop. Make sure if you are booting off of a SCSI drive that you re-create and use an initrd file (unless you know the SCSI driver is built into the kernel).

The createdev script makes the new loop device names (/dev/loopa, /dev/loopb).

Install the new boot configuration and reboot! (select the new kernel)

To use the enhanced loopback driver, here's a basic example:

You have an image file, hdb.dd. It is a dd image of an entire IDE hard drive. Here's a sample session of using the enhanced loopback:
losetup -r /dev/loopa hdb.dd (-r means read-only)

sfdisk -l /dev/loopa
Disk /dev/loopa: cannot get geometry

Disk /dev/loopa: 0 cylinders, 0 heads, 0 sectors/track
Warning: The first partition looks like it was made
  for C/H/S=*/255/63 (instead of 0/0/0).
For this listing I'll assume that geometry.
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls   #blocks   Id  System
/dev/loopa1   *      0+   3824-   3825- 30720280+  83  Linux
/dev/loopa2       3824+   7476-   3652- 29331288    b  Win95 FAT32
/dev/loopa3          0       -       0         0    0  Empty
/dev/loopa4          0       -       0         0    0  Empty

mount -o ro /dev/loopa2 /mnt/evid -t vfat
At this point, /mnt/evid is mounted and can be accessed just like you normally mount and access a partition on a hard drive.

When you are finished, unmount it and remove the losetup association:
umount /mnt/evid/
losetup -d /dev/loopa
That's it!

1.5 Use a partition image

1.5.1 Create partition image from disk

If you still have the original device, you could create a partition image instead of a full disk image, since partition images do not require specifying an offset when mounting. That is:

$ sudo dd if=/dev/sdb1 of=/images/partition.img

instead of:

$ sudo dd if=/dev/sdb of=/images/full_disk.img

Mount the partition with:

$ sudo mount -ro loop /images/partition.img /mnt

or for NTFS:

$ sudo ntfs-3g -o ro -o loop /images/partition.img /mnt

To unmount:

$ sudo umount /mnt

1.5.2 Extract a partition image from a disk image

If creating a partition image is not an option, you can extract the partition from a full disk image using dd:

$ sfdisk -l -uS winxp.img

   Device Boot    Start       End   #sectors  Id  System
winxp.img1   *        63   3326399    3326337   7  HPFS/NTFS
winxp.img2             0         -          0   0  Empty
winxp.img3             0         -          0   0  Empty
winxp.img4             0         -          0   0  Empty

$ sudo dd if=winxp.img of=extracted.img skip=63 count=3326337

$ sudo ntfs-3g -o ro -o loop extracted.img /mnt

$ ls /mnt
boot.ini                ntldr          RECYCLER
Documents and Settings  pagefile.sys   System Volume Information
NTDETECT.COM            Program Files  WINDOWS

$ sudo umount /mnt

Note that if you use fdisk instead of sfdisk:

$ fdisk -lu winxp.img

    Device Boot      Start         End      Blocks   Id  System
winxp.img1   *          63     3326399     1663168+   7  HPFS/NTFS

you'll need to subtract the ending sector (3326399) from the starting sector (63) and add 1 to get the partition size in sectors (3326337).

You could also use Brian Carrier's mmls (part of The Sleuth Kit) or Christophe Grenier's testdisk to easily find the size in sectors, but you'll need to specify the partition type as well:

$ mmls winxp.img
Cannot determine partition type (Mac or DOS at 0)

$ mmls -t dos winxp.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0003326399   0003326337   NTFS (0x07)
03:  -----   0003326400   0003332447   0000006048   Unallocated

$ testdisk winxp.img

Proceed > Intel > Advanced

Disk winxp.img - 1706 MB / 1627 MiB - CHS 827 64 63

     Partition                  Start        End    Size in sectors
 1 * HPFS - NTFS              0   1  1   824  63 63    3326337

2. Mounting with a specified offset

2.1 Finding the offset

To find the partition's offset, we simply multiply the starting offset by bytes per sector. Both can easily be found with the tools mentioned in section 1.3.2 above. Let's use mmls for this example:

$ mmls -t dos winxp.img
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0003326399   0003326337   NTFS (0x07)
03:  -----   0003326400   0003332447   0000006048   Unallocated

63 * 512 = 32256

We can avoid even the need to multiply by using parted to find the offset:

$ parted winxp.img
(parted) unit
Unit?  [compact]? B
(parted) print
Model:  (file)
Disk winxp.img: 1706213376B
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End          Size         Type     File system  Flags
 1      32256B  1703116799B  1703084544B  primary  ntfs         boot

(parted) quit

2.2 Mounting the partition

$ sudo mount -ro loop,offset=32256 -t ntfs winxp.img /mnt
$ ls /mnt
boot.ini                ntldr          RECYCLER
Documents and Settings  pagefile.sys   System Volume Information
NTDETECT.COM            Program Files  WINDOWS
$ sudo umount /mnt

Or, if you prefer:

$ sudo losetup -o 32256 /dev/loop1 winxp.img
$ sudo mount -r -t ntfs /dev/loop1 /mnt
$ ls /mnt
boot.ini                ntldr          RECYCLER
Documents and Settings  pagefile.sys   System Volume Information
NTDETECT.COM            Program Files  WINDOWS
$ sudo umount /mnt
$ sudo losetup -d /dev/loop1

3. Notes

3.1 wrong fs type, bad option, bad superblock on /dev/foo

If you receive a "wrong fs type" when attempting to mount an ext3 partition, it may be due to an unclean journal:

$ sudo mount -o loop,ro -t ext3 linux.img /mnt
mount: wrong fs type, bad option, bad superblock on /dev/loop0
...

Check with file:

$ file linux.img
linux.img: Linux rev 1.0 ext3 filesystem data (needs journal recovery)

If the image need not be kept forensically sound, you may want to repair the filesystem: fsck.ext3 linux.img

Otherwise, Hal Pomeranz has outlined several workarounds:

Mounting Images Using Alternate Superblocks: Since superceded by the techniques below, this approach involves finding and specifying an alternate superblock address to use when mounting.
Mounting Images Using Alternate Superblocks (Follow-Up): For ext3 images, specify "-t ext2" when mounting to ignore the journal.
How to Mount Dirty EXT4 File Systems: For ext4 images, mount with "noload" option to bypass journal recovery. For ext3 images, you also need to specify "-t ext4".

3.2 Mounting an HFS+ partition contained in a Core Storage volume

3.2.1 Determine size of logical sectors (generally 512 or 4096 bytes):

$ sudo fdisk -l disk.img
...
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: gpt
...
Device        Start       End   Sectors   Size Type
disk.img1        40    409639    409600   200M EFI System
disk.img2    409640 975503591 975093952   465G Apple Core storage
disk.img3 975503592 976773127   1269536 619.9M Apple boot

3.2.2 Determine offset and size in sectors:

$ sudo testdisk disk.img

Select Proceed > EFI GPT > Analyse > Quick Search, which will output something like this:

   Partition                  Start        End    Size in sectors
 P EFI System                    40     409639     409600 [EFI]
 P Mac HFS                   409640  974778407  974368768
 P Mac HFS                975503592  976773127    1269536

Press Q four times to quit testdisk

3.2.3 Mount and check contents:

$ sudo mount disk.img -t hfsplus -o ro,loop,offset=$((409640*512)),sizelimit=$((974368768*512)) /mnt
$ ls /mnt
Applications  cores  etc   installer.failurerequests  net      private  System  User Information  usr  Volumes
bin           dev    home  Library                    Network  sbin     tmp     Users             var
$ sudo umount /mnt

3.2.4 Notes on Core Storage mounting

For partitions on physical disks, only specify the size limit, e.g.,
$ sudo mount /dev/sdx2 -t hfsplus -o ro,sizelimit=$((974368768*512)) /mnt
I found that running fsck.hfsplus on an HFS+ partition inside of a Core Storage volume (e.g., # losetup -o $((409640*512)) /dev/loop0 disk.img && fsck.hfsplus /dev/loop0 for an image or # fsck.hfsplus -f /dev/sdx2 for a disk) allowed the partition to be mounted normally in the file manager. However, although the disk booted normally afterwards, this method does involve minor repair to the volume header, so best to use the process outlined in 3.2.1-3 instead.
If you cannot mount the image or disk, try HFS+ Rescue, "a program to recover files from a HFS+ formatted partition. You can restore your files and directories even when it's not possible to mount it with your operating system. As side effect, the program also restores deleted files."
To mount a FileVault Drive Encrypted (FVDE) volume you can use fvdemount
Attempting to normally mount an HFS+ partition wrapped in a Core Storage container will return errors like these:
- wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error
- hfsplus: unable to find HFS+ superblock
- hfsplus: invalid secondary volume header

3.3 HFS vs HFS+

Mounting a Mac OS 9 partition I thought to be HFS:

$ sudo mount -t hfs -o ro,loop,offset=790528 os9.img /mnt

produced an unexpected result:

$ ls /mnt
Desktop DB  Desktop DF  Finder  System  Where_have_all_my_files_gone?

The Where_have_all_my_files_gone? text file is actually quite helpful. It begins:

Why can't you see your files? This hard disk is formatted with the Mac OS Extended format. Your files and information are still on the hard disk, but you cannot access them with the version of system software you are using ...

Nice to see the filesystem degrade so gracefully. Just need to mount as HFS+:

$ sudo mount -t hfsplus -o ro,loop,offset=790528 os9.img /mnt

$ ls /mnt
Applications (Mac OS 9)  Documents                Trash
Desktop DB               Late Breaking News       VM Storage
Desktop DF               System Folder
Desktop Folder           TheVolumeSettingsFolder

3.4 Windows-based image mounting apps (untested)

4. Sources and More

Andre Miller's Mounting a hard disk image including partitions using Linux
Brian Carrier's Splitting The Disk and Splitting The Disk With mmls
Forensics Wiki's Mounting Disk Images
Gavin Burris's Mount Disk Image Partition with Loop Device
Jason Boxman's Mounting disk images on Linux loopback device
Marc Haisenko's Creating and using disk images mini-howto
Martin Krafft's Loop-mounting partitions from a disk image
Mirko Caserta's How to extract a filesystem from a disk image
Robert Penz's Kpartx: a tool for mounting partitions within an image file
Rich's comment on Mounting a disk image containing several partitions
OpenStack Virtual Machine Image Guide
Joni's updated answer to Mount single partition from image of entire disk (device)
Stewart Adam's answer to Mounting HFS+ partition on Arch Linux
hfsplus partition will not mount
Can't mount HFS+ partition
Can't mount HFS+ drive, bad superblock?
Running fsck on filesystems inside a partitioned image

last update: 2017.03.06