LinuxCommandLibrary

xmount

Mount forensic images read-only

TLDR

Mount a .raw image file into a DMG container file

$ xmount --in [raw] [path/to/image.dd] --out [dmg] [mountpoint]

Mount an EWF image file with write-cache support into a VHD file to boot from
$ xmount --cache [path/to/cache.ovl] --in [ewf] [path/to/image.E??] --out [vhd] [mountpoint]

Mount the partition that starts at sector 2048 into a new .raw image file (--offset takes bytes, not sectors: with 512-byte sectors that is 2048 * 512 = 1048576)
$ xmount --offset [1048576] --in [raw] [path/to/image.dd] --out [raw] [mountpoint]

SYNOPSIS

xmount [fuse options] <xmount options> <mountpoint>

PARAMETERS


-d
    Enables FUSE's and xmount's debug output for troubleshooting.

-h
    Prints the usage summary.

-o <fuse options>
    Passes options through to FUSE, e.g. -o allow_other so that users other than the one who ran xmount can read the virtual image.

--in <type> <file(s)>
    Input image format and source file(s). Types include raw, ewf and aff (library support depends on the build). For segmented EWF images pass all segments, e.g. --in ewf image.E??; do not pass only the first one.

--out <type>
    Output (virtual) image format: raw, dmg, vdi, vhd, vmdk or vmdks.

--offset <bytes>
    Starts the virtual image <bytes> into the input image. The value is in bytes, not sectors: multiply a sector number from the partition table by the sector size (usually 512).

--sizelimit <bytes>
    Limits the virtual image to <bytes> counted from the (offset) start, e.g. to expose exactly one partition.

--cache <file>
    Enables virtual write support. Writes never reach the input image; they are stored in <file> (created if missing) and replayed on later mounts that use the same cache file.

--owcache <file>
    Same as --cache, but overwrites an existing cache file instead of reusing it.

--inopts <options>, --outopts <options>
    Comma-separated options passed to the input or output library.

--info
    Prints build information (compiler and library versions).

--version
    Prints the xmount version.

<mountpoint>
    Directory in which the virtual image file(s) will appear. Unmount with fusermount -u <mountpoint>; xmount itself has no unmount option.

DESCRIPTION

xmount is a FUSE (Filesystem in Userspace) utility that converts disk images between formats on the fly and exposes the result as a virtual image file under a mount point. Forensic images (raw/dd, EnCase EWF, AFF) go in; a raw, DMG, VDI, VHD or VMDK file comes out, served from the original without modifying it. The virtual file is read-only by default. With --cache, writes are diverted into a separate cache file, which is how an acquired image can be booted in VirtualBox or QEMU while the evidence file stays untouched; --offset and --sizelimit carve out a single partition. Because the output is a file rather than a block device, tools that need a device attach it with losetup (or kpartx for a partitioned image), while The Sleuth Kit and carvers such as foremost can read the virtual file directly.

CAVEATS

xmount requires FUSE to be installed and the fuse kernel module loaded.
The default is read-only. Write support (--cache) stores every change in a separate cache file, so the original image is never altered; keep that cache file with the case, because the view you analysed depends on the image and the cache together.
Performance depends on the source image size and format (compressed EWF/AFF chunks must be decompressed on every read) and on the cache file's location.
Always unmount cleanly with fusermount -u <mountpoint>; a stale FUSE mount leaves the mountpoint unusable until it is cleared.
Large images and write-heavy use (for example booting the image in a VM) can need considerable disk space for the cache file.

USAGE IN FORENSICS

xmount is a cornerstone of digital forensics toolkits. It lets analysts examine disk images without altering them, which is what evidence integrity demands: hash the image at acquisition, work on it only through the read-only virtual file, and re-hash it when done. Because the mounted result is an ordinary image file, other forensic tools (foremost, The Sleuth Kit, Autopsy) can operate on it directly, or it can be attached with losetup to look like a live disk.
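The offset arithmetic behind the third TLDR example and the hash-before, hash-after discipline described above, as an added shell example that is not part of xmount or of this page's original text. It assumes the xmount 0.7-series option names (--in, --out, --offset, --sizelimit), 512-byte sectors unless a sector size is given, and sha256sum or shasum on PATH; the sample image, the partition numbers and the mount point /mnt/evidence are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not xmount project code). Assumptions: xmount 0.7 option
# names, 512-byte sectors by default, sha256sum or shasum available.
# xmount itself is never executed here; the helpers build the command line
# and verify the evidence hash, so the workflow can be dry-run anywhere.

# Partition tables (mmls, fdisk) report sectors; xmount's --offset and
# --sizelimit want bytes.
sector_to_bytes() {
    # $1 = sector number or sector count, $2 = sector size (default 512)
    echo $(( $1 * ${2:-512} ))
}

# Build the read-only xmount command for a single partition. Omitting
# --cache means writes to the virtual image fail instead of being absorbed.
build_xmount_cmd() {
    # $1 = input type (raw|ewf|aff), $2 = image path or segment glob,
    # $3 = partition start sector, $4 = partition length in sectors,
    # $5 = mount point, $6 = sector size (optional)
    off=$(sector_to_bytes "$3" "$6")
    len=$(sector_to_bytes "$4" "$6")
    printf 'xmount --in %s %s --offset %s --sizelimit %s --out raw %s\n' \
        "$1" "$2" "$off" "$len" "$5"
}

# SHA-256 of a file, using whichever hashing tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the image still hashes to the digest recorded at
# acquisition; run it after unmounting to prove the evidence was not touched.
image_unchanged() {
    # $1 = image path, $2 = expected sha256 hex digest
    [ "$(sha256_of "$1")" = "$2" ]
}

# Dry run on a constructed 4 MiB image of zeros (not evidence): record the
# hash, print the command an analyst would run, then re-check the hash.
demo() {
    img=$(mktemp) || return 1
    dd if=/dev/zero of="$img" bs=1024 count=4096 2>/dev/null
    before=$(sha256_of "$img")
    echo "acquisition hash: $before"
    echo "would run: $(build_xmount_cmd raw "$img" 2048 4096 /mnt/evidence)"
    if image_unchanged "$img" "$before"; then
        echo "image hash unchanged"
    else
        echo "IMAGE MODIFIED" >&2
    fi
    rm -f "$img"
}

case "${1:-}" in demo) demo ;; esac
```

Run with `sh script.sh demo` to see the dry run. In a real case the printed command is executed, the analysis tools are pointed at the file that appears under /mnt/evidence, `fusermount -u /mnt/evidence` is run, and `image_unchanged` is called with the acquisition hash; a mismatch means the evidence file itself was written to, which xmount without --cache should never allow.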

FUSE INTEGRATION

As a FUSE-based application, xmount runs entirely in user space: it needs no kernel module of its own, a bug in it cannot crash the kernel, and it can run as an unprivileged user. The FUSE kernel module forwards each read on the virtual image file to the xmount process, which turns it into the corresponding read on the underlying image (decompressing EWF or AFF chunks, applying --offset, or consulting the cache file as needed) and returns the data.

HISTORY

Developed by Daniel Gillen (pinguin.lu), xmount originated as a versatile tool for digital forensics investigators. It extended the capabilities of single-format mounters (like ewfmount or affuse) by reading EnCase EWF, AFF and raw images and presenting them as raw, DMG, VDI, VHD or VMDK files, so the same evidence could be fed to forensic tools or booted in a virtual machine. Its reliance on the FUSE framework made it portable and allowed non-root users to mount disk images, a significant advance for forensic analysis workflows.

SEE ALSO

mount(8), fusermount(1), ewfmount(1), affuse(1), vmfs-fuse(1)
