Command-line usage

One of the core functionalities of imagemounter is the command-line utility imount that eases the mounting and unmounting of different types of disks and volumes. In its most basic form, the utility accepts a positional argument pointing to a disk image, disk or volume, e.g.:

imount disk.E01

Multiple files can be passed to this command, allowing the mounting of volume systems that span multiple disks, which can be useful for those wishing to reconstruct a system that entailed multiple disks or for reconstructing RAID arrays.

By default, imount will mount each single volume in /tmp and wait until you confirm an unmount operation. Common usage is therefore to keep imount running in a separate window and perform other operations in a second window.

Arguments

The imount utility requires one (or more) positional arguments and offers the ability to pass several optional arguments.

<image> [<image> ...]

The positional argument(s) should provide the path(s) to the disk images you want to mount. Many different formats are supported, including the EnCase evidence format, split dd files, mounted hard drives, etc. In the case of split files, you can refer to the folder containing these files.

If you specify more than one file, all files are considered to be part of the same originating system, which is relevant for the --reconstruct command-line option.

Arguments that immediately exit

Some useful facilities.

--help
-h

Shows a help message and exits.

--version

Shows the current version and exits.

--check

Shows which third-party utilities you have installed for a correct functioning of imagemounter.

--unmount
-u

Option that will try to identify leftover files from previous imount executions and try to delete these. This will, for instance, clean leftover /tmp/im_... mounts and mountpoints. This command will allow you to review the actions that will be taken before they are done.

Can be combined with --casename, --mountdir and --pretty to specify which mount points to delete.

CLI behaviour

The next four command-line options alter the behaviour of the imount utility, but does not affect the behaviour of the underlying imagemounter module.

--wait
-w

Pauses the execution of the program on all warnings.

--keep
-k

Skips the unmounting at the end of the program.

--no-interaction

Never ask for input from the user, implies --keep.

--verbose
-v

Show verbose output. Repeat for more verbosity (up to 4).

--color
--no-color

Force toggle colorizing the output. Verbose message will be colored blue, for instance. Requires the termcolor package.

Additional features

This command-line option enables an additional and useful feature.

--reconstruct
-r

Attempts to reconstruct the full filesystem tree by identifying the last mountpoint of each identified volume and bindmounting this in the previous root directory. For instance, if volumes have previously been mounted at / , /var and /home ; /var and /home will be bind-mounted in / , providing you with a single filesystem tree in the mount location of / that is easily traversible.

This only works with Linux-based filesystems and only if / can be identified.

Implies --stats.

--carve

Carves the filesystem for missing files.

Mount behaviour

These arguments alter some pieces of the mount behaviour of imagemounter, mostly to ease your work.

--mountdir <directory>
-md <directory>

Specifies the directory to place volume mounts. Defaults to a temporary directory.

--pretty
-p

Uses pretty names for volume mount points. This is useful in combination with --mountdir, but you should be careful using this option. It does not provide a fallback when the mount point is not available or other issues arise. It can also not be cleaned with --clean.

--casename
-cn

Use to specify the case name, which is used in pretty mounts, but also for the location of the mountdir. Useful if you want to be able to identify the mountpoints later.

--read-write
-rw

Will use read-write mounts. Written data will be stored using a local write cache.

Implies --method xmount.

Advanced options

While imagemounter will try to automatically detect as much as possible, there are some cases where you may wish to override the automatically detected options. You can specify which detection methods should be used and override the volume system and file system types if needed.

--method <method>
-m <method>

Specifies the method to use to mount the base image(s). Defaults to automatic detection, though different methods deliver different results. Available options are xmount, affuse and ewfmount (defaulting to auto).

If you provide dummy, the base is not mounted but used directly.

--detection <method>
-d <method>

Specifies the volume detection method. Available options are pytsk3, mmls, parted and auto, which is the default. Though pytsk3 and mmls should in principle deliver identical results, pytsk3 can be considered more reliable as this uses the C API of The Sleuth Kit (TSK). However, it also requires pytsk3 to be installed, which is not possible with Py3K.

--vstype <type>

Specifies the type of the volume system, defaulting to detect. However, detection may not always succeed and valid options are dos, bsd, sun, mac, gpt and dbfiller, though the exact available options depend on the detection method and installed modules on the operating system.

--fsfallback <type>

Specifies a fallback option for the filesystem of a volume if automatic detection fails. Available options include ext, ufs, ntfs, luks, lvm and unknown, with the latter simply mounting the volume without specifying type. See the command-line help for all available volume types.

--fsforce

Forces the use of the filesystem type specified with --fsfallback for all volumes. In other words, disables the automatic filesystem detection.

--fstypes <types>

Allows the specification of filesystem type for each volume separately. You can use subvolumes, examples including:

1=ntfs
2=luks,2.0=lvm,2.0.1=ext

Advanced toggles

imount has some facilities that automatically detect some types of disks and volumes. However, these facilities may sometimes fail and can be disabled if needed.

--stats
--no-stats

With stats rerieval is enabled, additional volume information is obtained from the fsstat command. This could possibly slow down mounting and may cause random issues such as partitions being unreadable. However, this additional information will probably include some useful information related to the volume system and is required for commands such as --reconstruct.

Stats retrieval is enabled by default, but --stats can be used to override --no-stats.

--raid
--no-raid

By default, a detection is ran to detect whether the volume is part of a (former) RAID array. You can disable the RAID check with --no-raid. If you provide both --raid and --no-raid, raid wins.

--single
--no-single

imount will, by default, try to detect whether the disk that is being mounted, contains an entire volume system, or only a single volume. If you know your volumes are not single volumes, or you know they are, use --no-single and --single respectively.

Where --single forces the mounting of the disk as a single volume, --no-single will prevent the identification of the disk as a single volume if no volume system is found.

--disktype
--no-disktype

Forcibly enable or disable the use of disktype for additional disk information.