April 11, 2025 | Daily Blog
Tags: hal pomeranz, linux forensics, mtt
Hello Reader,
If you've ever done forensics on disk images from modern Linux systems, you may have encountered the dread that comes with dealing with lots of LVM (Logical Volume Management) volumes, which none of the commercial forensics tools seem to be able to fully handle, yes, even X-Ways. Well, instead of being full of existential dread at having to export, reimport and handle all of these partitions, you can take advantage of the command line kung fu of Hal Pomeranz to automate this process for you!
Hal wrote a tool called MTT, or Mount That Thing, which... well, it mounts things! You provide it with a Linux disk image and it takes care of finding, identifying and mounting all of the LVM volumes and partitions within it so the data is accessible.
This script is designed to automate the following operations:
Mounting disk images (E01 or raw)
Handling LVM volumes
Automatically identifying and mounting partitions
Exporting mounted partitions into E01 format if desired
Safely unmounting and cleaning up devices and volumes when finished
All mount operations are performed read-only, with noexec and other conservative options to preserve evidence integrity.
E01 support: If the image is in Expert Witness format, the script uses ewfmount to expose the raw image and proceeds with analysis on it.
Partition detection: For full disk images (e.g., MBR), it uses losetup -P to enumerate partitions and identify the associated file systems.
LVM support: Detects and activates volume groups, carefully handling potential naming collisions with already mounted LVM volumes.
Filesystem recognition: Supports EXT2/3/4, XFS, BTRFS, and FAT file systems, with logic to apply the appropriate mount options for each.
Root partition detection: Identifies the likely root partition via fstab or naming heuristics and mounts it first.
Command logging: All mount operations are logged to a MOUNTING file within the target directory for reproducibility and audit trails.
When invoked with the -E flag, the script will:
Export each mounted partition using ewfacquire
Segment the output if required via the -S option (e.g., for 2 GB chunks)
Name exports based on their mount point or partition origin to maintain clear context
Store exports and logs in an exported/ subdirectory of the target mount path
This is especially useful for archiving or handing off discrete pieces of evidence.
Using the -U flag, the script will:
Unmount all associated filesystems
Deactivate volume groups via vgchange -a n
Detach all loopback devices with losetup -d
Kill any ewfmount processes by unmounting their working directory
This ensures that the analyst can return the system to a clean state after analysis or re-run the script on a new image without residual device conflicts.
Mount and export an image:
./mount_image.sh -d /mnt/evidence -E -S 2147483648 image.E01
Unmount everything cleanly:
./mount_image.sh -U /mnt/evidence
Default behavior places mount artifacts under a mount/ directory, but this can be overridden with the -d flag.
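As an added example (not Hal's mtt script, whose code the post does not show), here is a dry-run shell sketch of the sequence described above: the filesystem-specific read-only mount options, the MOUNTING audit log, and the -U cleanup order. The image name, mount points and loop device are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Hal Pomeranz's mtt: a dry-run sketch of the steps the post
# describes. Each function builds the exact command and logs it to $target/MOUNTING;
# with DRY_RUN=0 the commands are executed (needs root plus libewf and lvm2).
DRY_RUN="${DRY_RUN:-1}"

# Conservative read-only options per filesystem. ext3/ext4 get noload and xfs
# gets norecovery so the kernel does not replay the journal: a plain "ro" mount of
# an uncleanly unmounted volume would otherwise still write to the evidence device.
mount_opts_for() {
    case "$1" in
        ext2|btrfs|vfat) echo "ro,noexec,nodev,nosuid" ;;
        ext3|ext4)       echo "ro,noexec,nodev,nosuid,noload" ;;
        xfs)             echo "ro,noexec,nodev,nosuid,norecovery" ;;
        *)               echo "unsupported filesystem: $1" >&2; return 1 ;;
    esac
}

# Mount command for device $1 of type $2 at mount point $3.
mount_cmd_for() {
    opts=$(mount_opts_for "$2") || return 1
    echo "mount -t $2 -o $opts $1 $3"
}

# Commands that undo a session, in the order the -U flag needs them: filesystems
# first, then the volume group, then the loop device, then the ewfmount directory.
cleanup_cmds_for() {   # $1 mount dir, $2 volume group (may be empty), $3 loop dev, $4 ewf dir
    printf 'umount -R %s\n' "$1"
    [ -n "$2" ] && printf 'vgchange -a n %s\n' "$2"
    printf 'losetup -d %s\n' "$3"
    [ -n "$4" ] && printf 'umount %s\n' "$4"
    return 0
}

# Append the command to $1/MOUNTING (the audit trail), then run it or echo it.
run_logged() {
    target="$1"; shift
    mkdir -p "$target" && printf '%s\n' "$*" >>"$target/MOUNTING"
    if [ "$DRY_RUN" = "1" ]; then echo "DRY: $*"; else eval "$*"; fi
}

# Walk-through on a constructed image name; in dry-run mode the loop device is a placeholder.
demo() {
    target=$(mktemp -d)
    run_logged "$target" ewfmount image.E01 "$target/ewf"
    run_logged "$target" losetup -r -f --show -P "$target/ewf/ewf1"
    run_logged "$target" "$(mount_cmd_for /dev/loop0p1 ext4 "$target/root")"
    cleanup_cmds_for "$target/root" "" /dev/loop0 "$target/ewf"
}
if [ "${1:-}" = "demo" ]; then demo; fi   # usage: sh mtt_demo.sh demo
```

Running it with the demo argument prints each command instead of executing it and leaves the MOUNTING log in a temporary directory, so the sequence can be reviewed before anything touches a real image.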
Give it a shot!