How To Download And Mount Image Mac

Recently there have been some questions on the forums and Twitter as to how to mount forensic disk images that were captured from Mac systems that implemented 4k block sizes. A few years ago, Mac systems started to use 4k blocks instead of 512-byte blocks. This has caused some issues where you need to mount the image to do analysis without a major forensic suite. BlackBag wrote a good blog article on this last month; however, I hope to expand on it just a bit to include E01 files and FileVault encryption scenarios.

I will also detail how to mount forensic disk images that use the newer APFS file system so analysts can start to do their thing while all the forensic tools catch up! APFS disk images already appear to use 4k block sizes as the default, at least on all my test systems. If you see otherwise, please let me know!

Move the mouse up to the Disk Utility menu next to the Apple icon and choose 'File'. From the drop-down options, select 'Open Disk Image', then pick the ISO file you want to mount.

How to mount Mac APFS images in Windows

APFS is the new file system for Mac OS, and so far many forensic suites are playing catch-up as far as support goes. As such, workarounds may need to be employed in order to conduct analysis on Mac OS APFS images.

This article will try to provide some options to mount these images, however it cannot solve all the issues or combinations of disks/block sizes/host operating systems – it seems that you will have to upgrade to 10.13 at some point to solve many of these problems.

The following steps will bring you from a full HFS+ FileVault 4k disk image in EWF format to a mounted image using macOS 10.13. (If you have a raw (non-EWF) image, you can bypass steps 1 and 3.)

  1. $ sudo mkdir /Volumes/4k_image/

  2. $ sudo mkdir /Volumes/4k_mounted/

  3. $ sudo xmount --in ewf --out dmg 4k.E01 /Volumes/4k_image/

  4. $ hdiutil attach -nomount -blocksize 4096 /Volumes/4k_image/4k.dmg

  5. [Input Password in Prompt Window]

  6. $ diskutil cs list

  7. $ sudo mount_hfs -o rdonly,noexec,noowners /dev/disk# /Volumes/4k_mounted/

1. Create a mount point to put the xmount converted DMG image (converted from EWF format). [sudo is required when dealing with /Volumes/ since 10.12]

2. Create another mount point to put the mounted image on. This will act as the root volume for the mounted image.

3. Use xmount (sudo required) to convert from EWF (--in) to DMG (--out) format. DMG is selected here since it is very Mac friendly. Provide the E01 image (use E?? if using segments) and the converted image mount point created in Step 1. This could take a few seconds if the disk image is large. Theoretically you can use another mounting utility; I've tried ewfmount on 10.13 and ran into errors that I'm still investigating. Having trouble installing xmount? Does it say OS X Fuse is not installed? Look in the comments section for a fix.

4. Using hdiutil, attach (but don’t yet mount) the DMG file created in Step 3. Using the hidden argument -blocksize we can specify 4096 (‘4k’ can also be used here). It is worth noting that while this option is hidden in 10.13, it does not appear to exist in 10.12 versions of this utility. It is also not detailed in the hdiutil man page. Gotta love hidden functionality! This will output a bunch of /dev/disk* options, however none of these are the ones you need thanks to CoreStorage.


5. If the image is FileVault encrypted, a password window will appear. Enter the password for the disk here so it can be unlocked.

  • If you want to do this all via the command line (you rock!) you can pass -stdinpass to the hdiutil command in Step 4, where it will prompt you for the password.
  • You will then need to use ‘diskutil cs unlockVolume <LogicalVolumeGUID>’ after determining the Logical Volume GUID to use by using ‘diskutil cs list’. (Similar to Step 6) Note the Lock Status highlighted in the screenshots below.

6. Next use ‘diskutil cs list’ to determine which disk to use in Step 7. Determine which volume you will be performing analysis on; in the screenshot above it is /dev/disk6.

7. Using mount_hfs (with sudo again) we can mount /dev/disk6 (the ‘#’ is just a variable used above, yours may be a different number) using a variety of options (you can choose your own, however I normally use the read only, ignore ownership, and limit binary execution options). Also provide it the second mount point you created in Step 2.

If it all works out, congrats you now have a mounted image!

A similar approach can be used for new APFS disk images. Anyone who has tried to capture their disk images in 10.13 might have had a problem doing so due to System Integrity Protection (SIP). SIP is now protecting /dev and will likely make forensic acquisition and analysis more difficult if you happen to interact with /dev often. Easy fix – disable SIP. While not technically good for security purposes, it can be a general pain in the posterior to have on. To disable it, reboot into Recovery mode, open the Terminal and type ‘csrutil disable’ and restart the system. Yes, you can re-enable it later with ‘csrutil enable’.

  1. $ sudo mkdir /Volumes/apfs_image/
  2. $ sudo mkdir /Volumes/apfs_mounted/
  3. $ sudo xmount --in ewf --out dmg apfs.E01 /Volumes/apfs_image/
  4. $ hdiutil attach -nomount /Volumes/apfs_image/apfs.dmg
  5. $ diskutil ap list
  6. $ diskutil ap unlockVolume <Disk GUID> -nomount
  7. $ sudo mount_apfs -o rdonly,noexec,noowners /dev/disk# /Volumes/apfs_mounted/

Because it is so similar to the process above, my description of each step here will be limited. In Step 4 we do not need to use -blocksize as it just happens to work without it. In Step 5, instead of ‘diskutil cs list’ we use ‘diskutil ap list’ – APFS does not use CoreStorage (cs) and instead uses APFS containerization (ap). The ‘ap’ will also be used in Step 6. Step 7 uses mount_apfs instead of mount_hfs for obvious reasons and would be used on /dev/disk6s1 as shown in the example screenshot below.
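A pre-check for both procedures above, as an added example that is not from the original post: before attaching, read the GPT of the raw image that xmount exposes to see whether it uses 512-byte or 4k sectors and whether its partitions are HFS+, CoreStorage or APFS. The function names and the script name are hypothetical, and the code assumes the usual GPT layout (partition entries at LBA 2, 128 bytes each).

```shell
#!/bin/sh
# Added example: read the GPT of a raw image (e.g. the xmount DMG) to infer its
# sector size and Apple partition types. Assumes the usual GPT layout:
# partition entries start at LBA 2 and are 128 bytes each.

hex_at() {  # hex_at FILE OFFSET COUNT -> lowercase hex string
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \t\n'
}

# Print 512 or 4096, depending on where the "EFI PART" signature (LBA 1) sits.
detect_blocksize() {
  for bs in 512 4096; do
    if [ "$(hex_at "$1" "$bs" 8)" = 4546492050415254 ]; then
      echo "$bs"; return 0
    fi
  done
  return 1
}

# Print "<partition number> <type>" for Apple type GUIDs in the first 4 entries.
list_apple_partitions() {
  sector=$(detect_blocksize "$1") || return 1
  for i in 0 1 2 3; do
    case "$(hex_at "$1" $((2 * sector + 128 * i)) 16)" in
      ef57347c0000aa11aa1100306543ecac) echo "$((i + 1)) apfs" ;;
      005346480000aa11aa1100306543ecac) echo "$((i + 1)) hfs+" ;;
      726f74536761aa11aa1100306543ecac) echo "$((i + 1)) corestorage" ;;
    esac
  done
}

# Constructed sample: 4k-sector image with a GPT signature and one APFS entry.
make_sample() {
  dd if=/dev/zero of="$1" bs=4096 count=4 2>/dev/null
  printf 'EFI PART' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
  printf '\357\127\064\174\000\000\252\021\252\021\000\060\145\103\354\254' |
    dd of="$1" bs=1 seek=$((2 * 4096 + 128)) conv=notrunc 2>/dev/null
}

# Usage: sh gpt_probe.sh /Volumes/4k_image/4k.dmg
if [ -n "${1:-}" ]; then
  detect_blocksize "$1" && list_apple_partitions "$1"
fi
```

A result of 4096 with an hfs+ or corestorage partition corresponds to the first procedure (Step 4 with -blocksize 4096, then ‘diskutil cs list’); an apfs partition corresponds to the second procedure and ‘diskutil ap list’.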

A big thanks to Ed and a “little birdy” for sanity checks and help!

A .DMG file is a container file commonly used to distribute applications for Mac OS X. Installing software from one of these requires you to mount the image and move its contents to your computer’s “Applications” directory.

One of the most common mistakes I see among new Mac users is fumbling with how to install and open .dmg files or new software. The process for installing new applications on your Mac can be confusing at first because it differs greatly from Windows’ software installation process. Nevertheless, the Mac method of installing software is actually quite simple and intuitive once you are accustomed to it. If your desktop is littered with DMG files and white “drive”-looking icons, read on!


What are .DMG Files?

DMG stands for Disk Image, and is a format commonly used to distribute files and applications among Apple computers. A DMG file is like a virtual DVD or hard drive. They can be “mounted” on your Mac in order to work with their contents, or even burned to an actual physical disc.

In order to understand the concept of a DMG disk image, think of a storage volume such as a CD, DVD, hard drive, or external drive. A DMG file is like one of these devices in that it serves as a means to encapsulate documents, images, software, and other files. The difference is that with a DMG, there is no physical storage medium. There is only the DMG file, which can be written to a hard drive, burned to a CD or DVD, or sent over the Internet.

In order to work with the contents of a DMG file, you must mount the disk image to your system. This may sound daunting, however “mounting” a DMG file with Mac OS X is no more complicated than double-clicking its icon. The operating system will load the image and place a new icon both on your desktop and in the sidebar of the Finder. The icon will have the same name as the DMG, and you’ll be able to browse through its contents like any other folder.

Once you are done working with the contents of the file, you will want to remove or “unmount” it from your system. Do this by opening the Finder and clicking the eject icon next to the virtual drive’s icon. Or, go to the Desktop, click once on the icon, and press CMD+E.


How to Install and Open .dmg Files on a Mac

Software installation with Mac OS X is very different than in the Windows world. On a Windows PC you run an installer, tick off a few checkboxes, and wait for the progress meter to reach completion. There usually is no such “installation wizard” on a Mac; you simply drag and drop the program into your computer’s “Applications” directory. The trick is that most Mac applications are distributed as images called DMG files, and many new Mac users end up running applications directly from the image instead of installing them to the “Applications” directory.

Enough explanation, here’s how to install an OS X app from a DMG file:

  1. Find the downloaded file, which usually ends up in your Desktop or Downloads folder.
  2. Double-click the .DMG file to mount it. A new Finder window showing its contents should appear.
  3. If the window also contains a shortcut icon to “Applications”, drag and drop the app onto the shortcut.
  4. If not, double-click the mounted volume on your desktop and drag the app icon from there to the “Applications” icon in the Finder sidebar.

Further Explanation

Alright, that was the abridged version. Here’s the long version. I’ve just downloaded the DeskLickr application, and the DeskLickr_1.2.dmg is sitting on my desktop. I double-click it and a new icon labeled “DeskLickr 1.2” appears on my desktop. Here’s what my desktop looks like at this point:

Since most of the time a new Finder window also pops up when the image is ready for use, this one is now sitting on my desktop:


Different applications are going to show you slightly different Finder windows. Each application’s designers like to add their own artwork. Glitter aside, most applications are trying to tell you the same thing. See the arrow pointing from the DeskLickr icon to the “Applications” shortcut? It’s telling you to drag and drop the icon into that folder. Once you’ve done so, the app will be installed.

If a program doesn’t provide a shortcut to the Applications folder, you’ll need to pop open a new Finder window. Press CMD+N to open a new window, then drag the program over to “Applications” in the left-hand side of the window.


House Cleaning

Once the new program is installed it’s time to do some house cleaning. You no longer need the disk image you downloaded, so follow these steps:

  1. Close any Finder windows that have been left open.
  2. Eject the disk image (not the .DMG file). Click on its desktop icon, then press CMD+E.
  3. Delete the .DMG file by dragging it to the trash.

That’s it! Your new Mac application is ready to use. But wait…

Bonus Tip: Add Your New Application to the Dock


I knew you were going to ask, so I figured I would cut you off at the pass. In order to add the new application to the dock, follow these steps:

  1. Open up a new Finder window.
  2. Click on “Applications”.
  3. Locate your new program’s icon.
  4. Drag the icon to your Dock, and drop it wherever you like.
