Have you ever needed to check the contents of an image file? Maybe you forgot which version of that Linux distribution it was. There can be many reasons for double-checking an image, but how do you do that without burning it? Let’s find out, no extra software required.
Every tech-savvy Linux user should be familiar with the mount command. It’s a very important part of general system administration. But many don’t know that the mount command is actually much more powerful than is apparent at first glance.
Mounting Image files in Linux
We can quickly and easily mount, not just ISO images, but even images of disks with partitions.
Quickly, here is an example of mounting an ISO file.
Here the -o flag is for passing mount options, and in this case, we’re telling mount that we want to mount the image using a loopback device. A loopback device is a really nice concept developed for assisting in mounting image files. It is a software pseudo-device that acts as a middleman and allows the system to treat the file as though it were a block device such as a CDROM drive, hard drive, etc. In doing so, we have much more flexibility when dealing with the file, such as performing filesystem functions (which assume there is an underlying block device).
That’s pretty cool, but who even uses ISOs anymore, right? Well, mount can do quite a bit more, too. If you have an image file of a hard drive (as obtained from dd or something similar), let’s call it hdd.img, then you can actually mount the filesystems within it as well. And if you’re suspecting that we need to use a loopback device again, you’re on the right track.
But if you try this…
you’re not going to have much luck.
That’s because most disks have partition tables. CDs and DVDs don’t typically have partition tables because it doesn’t suit their use-cases. When mount starts to mount a volume, it expects to encounter a filesystem, not a partition table.
That doesn’t mean that it can’t be done, though. In order to mount the filesystem, we have to tell mount where it is within the image file with a piece of information passed into the mount options. The piece of information that mount requires is the offset of the partition, that is, the number of bytes into the image file where the partition starts. There are various ways of figuring that out, but fdisk does the work for you.
Suppose fdisk tells us that the starting sector is 100 (this is purely an example; it is highly improbable that this is correct in your specific case). What we have to do now is take that sector number and multiply it by the sector size of the HDD that the image was taken from. This will (most likely) be 512 bytes on older drives and possibly 4096 (4K) on newer ones, but you should always check this when cloning drives (maybe put it into the file name for good measure). The sector size is the number of bytes per sector.
We’ll go with a sector size of 512 bytes for simplicity, and that would give us an offset of 51,200. This offset is the number of bytes into the image where the filesystem starts. Knowing this, we can tell mount exactly where to find the filesystem.
NOTE: I’ve added the ro option into this example as well to show how you can mount a filesystem as read-only. This is especially useful in forensic applications where you cannot disturb the data integrity for security, or even legal, concerns. Often, an image file will be created from the disk using a special adapter called a write-blocker that literally blocks all write commands and only allows for read commands.
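The offset calculation above can also be done straight from the image's MBR, without fdisk. The following is an added example, not code from the original article: the function names and the one-sector sample image are constructed for illustration, and only MBR partition tables (primary partitions 1-4) are handled.

```shell
#!/bin/sh
# Print the starting sector (LBA) of primary partition N (1-4) in IMAGE.
mbr_start_lba() {
    _img=$1; _n=$2
    case $_n in [1-4]) ;; *) echo "partition must be 1-4" >&2; return 1 ;; esac
    # A valid MBR ends with the bytes 0x55 0xAA (85, 170) at offset 510.
    set -- $(od -An -tu1 -j510 -N2 "$_img")
    [ "$1" = 85 ] && [ "$2" = 170 ] || { echo "no MBR signature" >&2; return 1; }
    # Four 16-byte entries start at offset 446: byte 4 of an entry is the
    # partition type, bytes 8-11 are the start LBA (little-endian).
    _entry=$((446 + 16 * ($_n - 1)))
    set -- $(od -An -tu1 -j$(($_entry + 4)) -N1 "$_img")
    # Type 0xEE (238) marks a GPT protective MBR; its real table is elsewhere.
    [ "$1" != 238 ] || { echo "GPT disk, read it with fdisk -l" >&2; return 1; }
    set -- $(od -An -tu1 -j$(($_entry + 8)) -N4 "$_img")
    _lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    [ "$_lba" -gt 0 ] || { echo "partition $_n is empty" >&2; return 1; }
    echo "$_lba"
}

# Print the byte offset of partition N: start sector x sector size (default 512).
part_offset() {
    _start=$(mbr_start_lba "$1" "$2") || return 1
    echo $(( $_start * ${3:-512} ))
}

# Constructed sample: a one-sector image whose partition 1 (type 0x83)
# starts at sector 100, matching the numbers used in the text.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\203'     | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\144'     | dd of="$1" bs=1 seek=454 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

sample=$(mktemp)
make_sample_image "$sample"
offset=$(part_offset "$sample" 1 512)
# Mounting needs root, so the read-only command is only printed here.
echo "mount -o ro,loop,offset=$offset $sample /mnt"
rm -f "$sample"
```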
That’s quite a lot of work with the math and all, but there must be an easier way, right? That depends on how recent of a Linux distribution you’re using, but anything from the last five years or so shouldn’t have any problems.
The tool losetup is for setting up loopback devices. You might wonder why you want to set up a loopback device manually when mount takes care of all that for you. Remember how mount didn’t want to mount the whole disk image because of that annoying partition table? Well, given that the partition table is what contains all the math about where partitions are located (where fdisk gets all its information), it’d be a lot easier to let the system reference it instead. We can simply create a loopback device for the whole disk image and then tell the system to scan for partitions on the newly created loopback device.
NOTE: The -f flag passed to losetup simply tells it to create a loopback device with a name not yet used, such as /dev/loop1 if /dev/loop0 is already in use. Alternatively, you can pass a device name such as /dev/loop0: if that device does not exist, losetup will create it; if it does, it will reassign it to the newly appointed image file.
If the command is successful, you will see the newly created loopback device under /dev/. Now, you can use
if you have partprobe or kpartx installed, respectively. Though, parted should be installed on most modern Linux distributions.
Once this is done, you should see something like /dev/loop0p1 in /dev/. This is your partition, which you can then easily mount.
As you’ll probably notice, no loopback required. That’s because we’ve already taken care of that.
We can make this even easier, though, by adding a single flag to losetup.
The -P flag we used actually tells losetup to have the kernel scan the partition table, so we can skip along to mounting the partition we want.
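The losetup workflow described above, combined with the read-only handling from the earlier note, as an added example that is not from the original article. The function names are hypothetical, the image and mount point are whatever you pass in, and everything here needs root.

```shell
#!/bin/sh
# attach_ro IMAGE: attach IMAGE to a free loop device, read-only, with a
# partition scan, and print the device name (e.g. /dev/loop0).
attach_ro() {
    # --find = -f, --partscan = -P; --show prints the device that was chosen
    # and --read-only makes the loop device itself refuse writes.
    losetup --find --show --read-only --partscan "$1"
}

# mount_part_ro IMAGE PARTNUM MOUNTPOINT: mount one partition read-only and
# print the loop device so the caller can detach it later.
mount_part_ro() {
    _dev=$(attach_ro "$1") || return 1
    # ext3/ext4 with an unclean journal may also need "noload" here, because
    # journal replay cannot write to a read-only device.
    if ! mount -o ro "${_dev}p$2" "$3"; then
        losetup --detach "$_dev"   # do not leave a stale loop device behind
        return 1
    fi
    echo "$_dev"
}

# release MOUNTPOINT LOOPDEV: unmount and free the loop device.
release() {
    umount "$1" && losetup --detach "$2"
}

# Usage (as root): sh thisfile.sh hdd.img 1 /mnt
if [ "$#" -ge 3 ]; then
    mount_part_ro "$1" "$2" "$3"
fi
```

Keep the device name that mount_part_ro prints: release needs it to detach the loop device once you are done with the mount.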
Using the above, you can mount a variety of disk images. It doesn’t matter if they’re from optical media, USB keys, MBR partitioning or GPT. The Linux kernel can handle so many different partition tables and filesystems, you’ll have a harder time finding something that it doesn’t support.
Sure, there might be tools that make this much easier, but where’s the fun in that? I’ve used these techniques in data recovery and general system administration and like any type of knowledge, it is extremely valuable when needed.
Let us know in the comments below if you have any tricks that would complement these ones.