Forensicsforensicsdisk-imagemountingfuseewfaffvdiqcowvirtualization

xmount

xmount is a tool for crossmounting between disk image formats, converting on-the-fly between multiple input and output harddisk image formats using FUSE. It creates a virtual file system representing the input image in formats like raw DD, DMG, VDI, VHD, or VMDK.

Description

xmount allows forensic analysts and investigators to mount disk images in various formats without altering the originals, enabling read and virtual write access redirected to a cache file. This is particularly useful for examining acquired harddisk images from investigations, supporting input formats such as raw DD, EWF, AFF, VDI, and QCOW.

Use cases include booting forensic images in virtual machines like QEMU, KVM, VirtualBox, or VMware for analysis. It supports morphing data from multiple input images into one output using specified functions, facilitating complex forensic workflows.

The tool integrates FUSE for userspace filesystem operations, providing a virtual representation accessible as a mount point. Virtual write support ensures non-destructive modifications, essential for maintaining evidence integrity.

How It Works

xmount leverages FUSE to create a virtual filesystem that represents the input disk image in chosen output formats like raw DD, DMG, VDI, VHD, or VMDK. Input images (raw DD, EWF, AFF, VDI, QCOW) are processed on-the-fly, with data morphed from multiple sources if specified. Virtual writes are redirected to a cache file, preventing changes to originals. Libraries like libxmount_input_vdi.so and libxmount_input_aewf.so handle format-specific operations with tunable options for caching, threading, and logging.

Installation

bash

sudo apt install xmount

Flags

-dEnable FUSE's and xmount's debug mode.

-hDisplay this help message.

-sRun single threaded.

-o no_allow_otherDisable automatic addition of FUSE's allow_other option.

-o <fopts>Specify fuse mount options. Will also disable automatic addition of FUSE's allow_other option!

--cache <cfile>Enable virtual write support. <cfile> specifies the cache file to use.

--in <itype> <ifile>Input image format and source file(s). May be specified multiple times. <itype> can be "raw", "dd", "vdi", "qcow", "qcow2", "qemu", "ewf", "aff", "aff3", "aewf", "aaff".

--inopts <iopts>Specify input library specific options. <iopts> specifies a comma separated list of key=value options.

Examples

Display the help message and usage information for xmount.

xmount -h

Mount a raw DD input image to the specified mount point.

xmount --in raw image.dd /mnt/point

Mount an EWF input image to the specified mount point.

xmount --in ewf evidence.E01 /mnt/point

Mount a VDI input image with virtual write support using a cache file.

xmount --cache changes.cache --in vdi disk.vdi /mnt/point

Morph data from multiple input images (AFF and split raw files) into one output at the mount point.

xmount --in aff image.aff --in raw split.dd.001 split.dd.002 /mnt/point

Mount an AEWF image with debug mode and custom input option for maximum RAM cache.

xmount -d --inopts aewfmaxmem=20 --in aewf image.E01 /mnt/point

Mount a QCOW2 input image to the specified mount point.

xmount --in qcow2 vm.qcow2 /mnt/point

Updated 2026-04-16kali.org ↗