May 25th, 2010 by ahoog

Howto mount HFS+ image or partition in Linux (Ubuntu)

We do Mac forensics…a lot of folks don’t. But I’m still a Linux geek at heart.  Here’s how you mount an HFS+ partition on Linux.  While you can apply this to an attached disk, this example mounts a partition/slice from a dd image (more precisely, a dc3dd image) taken from a Mac.

Acquire Apple disk image

If you don’t know how to do this, check out Ryan Kubasiak’s excellent AppleExaminer.com site, the Apple Acquisition Howto in particular (or just buy the book he co-authored).  This also works on images taken from iPhones, iPods, iPads…well, all those iProducts.

Determine Partition/Offset

Next, you have to determine the offset of the slice/partition you want to mount.  To do so, use Brian Carrier’s excellent tool The Sleuth Kit (TSK), specifically the mmls tool.  Here’s the command:

ahoog@wintermute:~$ mmls item001.dc3dd

and output:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI system partition
05:  01      0000409640   0488134983   0487725344   Customer
06:  -----   0488134984   0488397167   0000262184   Unallocated

We want to mount the Customer partition.  mount needs the offset in bytes, and since the drive used 512-byte sectors, we multiply the start sector by the sector size: 409640*512 gives offset 209735680.

Mount partition/slice

You are now ready to go.  If you don’t have a place to mount the partition, make a mount point directory:

mkdir -p ~/mnt/hfs/

Then mount the dc3dd image with:

ahoog@wintermute:~$ sudo mount -t hfsplus -o ro,loop,offset=209735680 item001.dc3dd ~/mnt/hfs/

And that’s it!  You can cd into ~/mnt/hfs and view the files.  To unmount, you would use:

ahoog@wintermute:~$ sudo umount ~/mnt/hfs
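
An added example, not part of the original post: a shell function that reads mmls output, takes the sector size from the "Units are in" line instead of assuming 512, and prints the mount options for a named partition.  The function name mount_opts and the sizelimit option (which ends the loop device at the end of the partition) are additions here; the embedded listing is an abridged copy of the output above.

```shell
#!/bin/sh
# Added example: derive loop-mount options from mmls output
# instead of multiplying by hand.

# Constructed sample: abridged copy of the mmls listing in the post.
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
04:  00      0000000040   0000409639   0000409600   EFI system partition
05:  01      0000409640   0488134983   0487725344   Customer
06:  -----   0488134984   0488397167   0000262184   Unallocated'

# mount_opts DESCRIPTION: read mmls output on stdin and print
# "ro,loop,offset=<bytes>,sizelimit=<bytes>" for the matching partition.
mount_opts() {
    want=$1
    # awk emits "<sector size> <start sector> <length in sectors>" in decimal;
    # "+ 0" strips the zero padding so the shell does not parse it as octal.
    set -- $(awk -v want="$want" '
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); ss = u[1] }
        /^[0-9]+:/ {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            if (desc == want) {
                printf "%.0f %.0f %.0f\n", ss, $3 + 0, $5 + 0
                exit
            }
        }')
    # Refuse to guess if the sector size or the partition was not found.
    [ $# -eq 3 ] && [ "$1" -gt 0 ] || {
        echo "partition not found: $want" >&2
        return 1
    }
    echo "ro,loop,offset=$(( $2 * $1 )),sizelimit=$(( $3 * $1 ))"
}

# Usage against a real image (file name taken from the post):
#   opts=$(mmls item001.dc3dd | mount_opts Customer) &&
#   sudo mount -t hfsplus -o "$opts" item001.dc3dd ~/mnt/hfs/
```

For the Customer partition this prints the same offset=209735680 computed by hand above.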

Hope this helps.
