SANS Penetration Testing

Mount a Raspberry Pi File System Image

By Josh Wright

Yesterday, I started my yearly Epic Desk Cleanout. This annual ritual is about more than holding up a trash can and sweeping everything into it. I really clean, which includes cataloging all the random SD cards I've collected throughout the year.


For SD cards, I'll typically dd the contents of the drive to a Linux box, then examine the data from a shell. This year, a lot of those SD cards are Raspberry Pi images. I end up with a file system dump that I need to examine:


Fortunately, the fdisk utility on Linux can read from a physical device, or from a data dump file:


Here, fdisk reveals a few important tidbits about the binary image:

  • The sector size (512 bytes)
  • The partitions in the disk image including file system types
  • The starting offset in sectors for the file systems

Using the sector size (512 bytes) and the start sector for the Linux file system (264192), we can use a little shell-fu to calculate the number of bytes to the beginning of the file system:


The Linux filesystem is 135,266,304 bytes into the pi.img file. Next, we create a mount point (I use mnt from my current directory, but you can use any unused directory) and mount the image, specifying the number of offset bytes to the Linux partition:


Now it's just a matter of changing to the mnt directory, and exploring the data.
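
The steps above as a script, added here as an example and not part of the original post: it reads the sector size and the Linux partition's start sector from `fdisk -l` text and multiplies them into the byte offset for `mount`. The fdisk text is a constructed sample (only 512 and 264192 come from the post), and the function names, including the helper `mount_linux_part`, are hypothetical.

```shell
#!/bin/sh
# Added example: derive the mount offset from `fdisk -l` text (MBR/"dos" label).

# Constructed sample. Only the 512-byte sector size and start sector 264192
# come from the article; every other value is made up for illustration.
sample_fdisk() {
cat <<'EOF'
Disk pi.img: 7.4 GiB, 7948206080 bytes, 15523840 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device     Boot  Start      End  Sectors  Size Id Type
pi.img1           8192   264191   256000  125M  c W95 FAT32 (LBA)
pi.img2         264192 15523839 15259648  7.3G 83 Linux
EOF
}

# Print the logical sector size in bytes from fdisk text on stdin.
sector_size() {
    awk '/^Sector size/ { print $4; exit }'
}

# Print the start sector of the first partition with Id 83 / type "Linux".
# A "*" in the Boot column shifts every later field right by one.
linux_start() {
    awk '$NF == "Linux" && $(NF-1) == "83" {
             s = ($2 == "*") ? $3 : $2; print s; exit }'
}

# Print sector size * start sector; fail if either value is missing.
byte_offset() {
    text=$(cat)
    size=$(printf '%s\n' "$text" | sector_size)
    start=$(printf '%s\n' "$text" | linux_start)
    [ -n "$size" ] && [ -n "$start" ] || return 1
    echo $((size * start))
}

# Hypothetical helper (needs root): mount the Linux partition of image $1 on
# directory $2. "ro" is this example's choice, to avoid writing to the dump.
mount_linux_part() {
    off=$(LC_ALL=C fdisk -l "$1" | byte_offset) || return 1
    mkdir -p "$2" && mount -o ro,loop,offset="$off" "$1" "$2"
}

sample_fdisk | byte_offset    # prints 135266304 for the sample
```

As root, `mount_linux_part pi.img mnt` does the whole procedure in one call. The parser only handles MBR partition tables, where fdisk prints an Id column.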

1 SD drive down...1,978 to go.




Posted December 7, 2016 at 4:03 PM | Permalink | Reply


Thanx, Josh. In actual practice though, I would have saved the echo step and simply done the mount with -o offset=$((512*264192))

Posted December 22, 2016 at 6:26 PM | Permalink | Reply

Kevin G.

And I would have used /mnt instead of mnt/ that way it will actually work

Posted December 22, 2016 at 6:31 PM | Permalink | Reply

Kevin G

My error. I have to learn how to read. It wasn't going to the default mnt dir

Posted January 1, 2017 at 5:11 PM | Permalink | Reply

Christopher Rogers

Looking forward to learning through hands-on with SANS in 2017
