Utility to mount partitions in Encase, AFF and dd images locally on Linux operating systems.
imagemounter is a command-line utility and Python package to ease the mounting and unmounting of EnCase, Affuse and dd disk images. It supports mounting disk images using xmount (with optional RW cache), affuse and ewfmount; detecting DOS, BSD, Sun, Mac and GPT volume systems; mounting Ext, UFS, and NTFS volumes; detecting (nested) LVM volume systems and mounting its subvolumes; and reconstructing RAID arrays.
In its default mode, imagemounter will try to start mounting the base image on a temporary mount point, detect the volume system and then mount each volume seperately. If it fails finding a volume system, it will try to mount the entire image as a whole if it succeeds detecting what it actually is.
This package currently only supports Python 2.6 and 2.7. Although this module in fact should be ready for Python 3.2+, it depends on pytsk3, which currently does not support Python 3.
Just perform the following commands for a full install, including all optional dependencies (but see the note about Ubuntu 13.10 below):
apt-get install python-setuptools python-dev libtsk-dev xmount ewf-tools afflib-tools sleuthkit lvm2 mdadm pip install imagemounter
### Python packages This package depends on two other packages.
- The _termcolor_ package is available from PyPI and is easily installed using tools such as
- The _pytsk3_ package requires some additional packages to be installed:
libtsk-dev. For compilation, the
build-essentialpackage from your distribution is also required. After that, you can easily install the
pytsk3package from PyPI (pip requires the –pre flag to allow installing the package).
### Other dependencies This package highly depends on other utilities to be present on your system. For a full installation, you require the following tools:
- Mount tools
ewfmount, part of ewf-tools package, see note below -
affuse, part of afflib-tools package
- Statistics, e.g. last mountpoint of volumes
fsstat, part of sleuthkit package
- LVM arrays
lvmet al, all part of lvm2 package
- RAID volumes
#### ewfmount on Ubuntu 13.10 Due to a bug with ewf-tools in Ubuntu <=13.10, it may be that ewfmount is not properly provided. This bug will be resolved in Ubuntu 14.04. If you are using Ubuntu 13.10, you can install ewf-tools with ewfmount as follows:
- Download a recent build of ewf-tools from https://launchpad.net/ubuntu/+source/libewf/20130416-2ubuntu1 (choose your arch under ‘Builds’ and download all deb files under ‘Built files’)
sudo apt-get install libbfio1
sudo dpkg -i ewf-tools_* libewf2_*
Commands and execution order
imagemounter utilizes many command line utilities to perform its actions. It does not actually do a lot by itself, although it manages currently mounted sytems and provides the correct unmounting order. To gather a general idea of what the tool does, the following is a non-exhaustive list of the commands used in what order in the default mode.
ewfmountto mount the image
mdadmto detect whether this image is part of a RAID array, and if so: -
losetupto mount the image to a loopback device -
mdadmto add the image to the RAID array
- Python equivalent of
mmlsto detect volumes (if none found, the image is mounted as one volume)
fsstatto gather additional information about the volume
mountto actually mount the volumes, or, in the case of a LVM: -
losetupto mount the volume to a loopback device -
lvm pvscanto scan for LVM systems -
vgchangeto activate the LVM system -
lvdisplayto detect volumes (and again perform
The same is performed in reverse (ish) order to unmount the image.
In its most basic form, the installed command line utility (
imount) accepts a positional argument pointing to
the disk image, e.g.:
You can pass multiple disks to the same command. This allows the command to mount across multiple disks, which is useful when you wish to reconstruct volumes split across multiple disks, or for reconstructing a RAID array.
imount will by default mount each volume in /tmp/ and ask you whether you want to keep it mounted, or want to unmount
this. After the entire image has been processed, all volumes must be unmounted. You can change the default mount point
--mountdir. You can prettify the automatically generated name with
You can use
--keep to not unmount the volume after the program stops. However, you are recommended to not use this in
--clean can not detect volumes with non-default naming.
If you wish to reconstruct an image with UFS/Ext volumes with known former mountpoints, you can reconstruct the image
with its former mountpoints using
--reconstruct. For instance, if you have partitions previously mounted at /, /var
and /home, /var and /home will be bind-mounted in /, providing you with a single filesystem tree.
By default, information about volumes is provided by
fsstat. This may, however,
sometimes cause issues. You can disable this additional information gathering with
You can disable the RAID check with
--no-raid. If you know your volumes are not single volumes, or you know they are,
imount --help to discover more options.
The Python package consists of three main parts:
- The ImageParser, maintaining a list of Disks, providing several methods that are carried out on all disks (e.g. mount) and reconstruct.
- The Disk, which represents a single disk iamge and can be mounted, added to RAID, and detect and maintain volumes. It is also responsible for maintaining the write cache.
- The Volume, which can detect its own type and fill its stats, can be mounted, and detect LVM (sub)volumes.
All three classes maintain an init() method that yields the volumes below it. You should call clean on the parser if you are done; you may also unmount separate volumes or disks, which will also unmount all volumes below it. Warning: unmounting one of the RAID volumes in a RAID array, causes the entire array to be unmounted.
The constructor of ImageParser allows most of the command-line arguments to be passed (note that e.g. –no-raid is passed as raid=False, and that arguments such as –color are not known), with the notable exception of –single and –no-single, which distinguishes between disk.mount_* methods.
>>> import imagemounter >>> parser = imagemounter.ImageParser(["disk.E01"]) # similar arguments as imount are possible >>> for volume in parser.init(): ... print volume.label, bool(volume.mountpoint) ... volume.unmount() ... None False None False None False / True /var True >>> parser.clean() True
imount utilizes the same API, so you should be able to figure it out yourself.