Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

Shadow Mounting with hdiutil

I recently put up a post on using hdiutil to create disk images in Mac OS X.  To take that a step further let’s look at leverage a shadow mount. A shadow mount allows you to mount a read only file system (from a dmg) as a read-write structure without altering the original image, similar to how NetBoot works. This is useful for a variety of instances, most of all, forensically. To mount an image is going to be similar to how we did so previously, simply use the

It is possible the volume was dismounted dirty and Mac OS X needs to do a consistency check on the file system. The file system needs to be read-write to do the consistency check. If you shadow mount, the file system will be mounted read-write but it will leave your original image intact writing all the changes to the shadow file. In the following example, we will mount up a disk image called badguy.dmg that is stored on /Volumes/Images with a shadow mount at /Shadow. We could do so without a shadow mount using the following command:

hdiutil mount /Volumes/Images/badguy.dmg

Instead, we’re going to add a -shadow option and follow it with the location of the shadow mount:

hdiutil mount /Volumes/Images/badguy.dmg -shadow /Shadow

You can now write data into the image or remove data from the image and then unmount it:

hdiutil unmount /Volumes/Images/badguy.dmg

Remounting the image should net you an image that did not save any of the previous changes. While forensics is one place for this type of technology, there are others, such as the NetBoot environment where you don’t want users writing data anywhere except for a userland space. Similarly is the default EC2 environment, where users will be banging away on virtual machines all day long and only write changes back in if they save a copy of the machine into a local space, such as their S3 account.  It also makes for a nice way to store images (and images containing packages) during the imaging process for a number of environments.  Overall, this is technology that has been around for awhile and I look forward to seeing more ramifications in the future.