When doing Mac/iPhone forensics, you will eventually need to examine the contents of a disk image, which Apple stores in a .dmg file. Here’s some information on these files and how you can mount them.
.dmg file information
The two types of .dmg files I have come across are an uncompressed file and a compressed one. The output of the file command for each is as follows:
Uncompressed:
ahoog@wintermute:~$ file stage1-decrypted.dmg
stage1-decrypted.dmg: Macintosh HFS Extended version 4 data last mounted by: '10.0', created: Fri Aug 29 00:33:37 2008, last modified: Fri Jan 2 11:07:50 2009, last checked: Fri Aug 29 02:33:37 2008, block size: 4096, number of blocks: 6400, free blocks: 218
Compressed:
ahoog@wintermute:~$ file stage2-decrypted.dmg
stage2-decrypted.dmg: VAX COFF executable not stripped - version 376
Mounting the .dmg disk image in Linux
To mount the uncompressed image in Linux, type the following:
mount -t hfsplus -o loop stage1-decrypted.dmg /mnt/dmg
Using the loop device, you can mount the file, modify it as needed (or mount it read-only), and then umount it; all changes are preserved if it was mounted in read/write mode.
Mounting the compressed .dmg disk image requires an additional step. I came across a utility called dmg2img which decompresses the image. So you now use the following commands to mount the image:
dmg2img -i stage2-decrypted.dmg -o stage2-decrypted-uncompressed.img
mount -t hfsplus -o loop stage2-decrypted-uncompressed.img /mnt/dmg
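The file command reported the compressed image above as a VAX COFF executable, so it cannot be relied on to tell the two kinds apart. The script below is an added example, not part of the original post: it checks for the HFS+ volume signature 1024 bytes into the file and for the UDIF "koly" trailer in the last 512 bytes, then prints the matching read-only commands. The function names and the derived output file name are assumptions.

```shell
#!/bin/sh
# Added example: classify a .dmg by its on-disk signatures instead of file(1).

# Print COUNT bytes starting at byte OFFSET of FILE as lowercase hex.
hex_at() {  # hex_at FILE OFFSET COUNT
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Print raw-hfsplus, udif or unknown for the image given as $1.
dmg_kind() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    size=$(wc -c < "$1" | tr -d ' ')
    # An HFS+ ("H+") or HFSX ("HX") volume header starts 1024 bytes in.
    if [ "$size" -ge 1026 ]; then
        case $(hex_at "$1" 1024 2) in
            482b|4858) echo raw-hfsplus; return 0 ;;
        esac
    fi
    # A UDIF image (the compressed kind) ends in a 512-byte "koly" trailer.
    if [ "$size" -ge 512 ] && [ "$(hex_at "$1" $((size - 512)) 4)" = 6b6f6c79 ]; then
        echo udif; return 0
    fi
    echo unknown
}

# Print (not run) the read-only form of the article's commands for IMAGE.
mount_plan() {  # mount_plan IMAGE MOUNTPOINT
    case $(dmg_kind "$1") in
        raw-hfsplus)
            echo "mount -t hfsplus -o ro,loop $1 $2" ;;
        udif)
            img="${1%.dmg}-uncompressed.img"   # assumed output name
            echo "dmg2img -i $1 -o $img"
            echo "mount -t hfsplus -o ro,loop $img $2" ;;
        *)
            echo "# $1: no HFS+ header or UDIF trailer found"; return 1 ;;
    esac
}

# Stand-alone use: sh script.sh IMAGE MOUNTPOINT
if [ "$#" -ge 2 ]; then mount_plan "$1" "$2"; fi
```

Running dmg_kind on the dmg2img output before mounting confirms that the converted file actually begins with an HFS+ volume.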
Other operating systems
It’s worthwhile to note that in Apple’s OS X, you can simply double-click the .dmg file and it will mount. However, this is not forensically sound, and you should not do this with images that must remain read-only. For read-only and other options, you can use the hdid or hdiutil commands. In Windows, apparently you can use a program called MacDrive (in Target Disk mode); however, I have not verified this.


Edited as follows:
- Changed the reference from ramdisk to disk image. While the .dmg can represent a ramdisk one would load during the boot process (of an iPhone, for instance), it can also simply be a disk image.
- Cautioned on the read/write implications of double-clicking in Mac OS X.
Thanks to Rob Spitler of Forward Discovery for the suggestions.