Identi.ca
Charles Stanhope

Charles Stanhope at

I often find myself mounting disk images of root filesystem of various operating systems. I find that I seem to frequently get myself confused by either doing something like "cd /etc" when I meant "cd /mnt/etc" or by looking at a file that is actually a symbolic link, but it is currently pointed at my system and not the disk image because the symbolic link is something like "/usr/lib..." as opposed to "../../usr/lib".

Are there any tools people would recommend for browsing a filesystem image that doesn't require actually mounting it? Or any other techniques people use? Maybe I just need to make a chroot or jail of some kind...

The second time I see I have done a ``ls /etc`` instead of ``ls etc`` (or similar) I usually just chroot in the mounted filesystem; that however assumes two things:


* that you can trust the mounted filesystem: in my cases they usually are OS images for Single Board Computers, so their binaries are safe, but if I was looking at the image of a compromised server it would quickly enter "What Could Possibly Go Wrong" area;


* that you can actually run the binaries in the image (and here in my case qemu and binfmt_misc help *a lot*, since I'm often working with different architectures);


* that the image has all of the tools that you need to browse the filesystem: I'd expect a shell to be there, but maybe the image only has a minimal one, and sometimes I've found images that were missing useful tools such as file.

Elena ``of Valhalla'' at 2016-09-25T07:56:53Z

Charles Stanhope likes this.

I am most often dealing with cross architecture file systems, and I had considered a simple chroot solution to be a no go because of that. But I forgot about the ability to maybe launch an emulator to execute a binary. So that's a potentially very neat solution for me! Thank you for the advice (and the reminder to always be mindful of security issues)!

Charles Stanhope at 2016-09-25T19:46:40Z