Expanding a macOS DMG file for Analysis

Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

The following process walks through how to mount an Apple Disk Image, more commonly known as a .dmg file, on a Linux system. It covers identifying whether the image is compressed, extracting the HFS section of a compressed .dmg, and mounting that section read-only so files can be pulled out for further analysis.

Step 1 - Checking The File Type

To begin with, I usually check what type of .dmg file it is with the "file" command. This tells you whether the image is compressed or uncompressed, which decides whether it has to be expanded before it can be mounted.

$ file application.dmg

Typical output looks like one of the following:

application.dmg: data

which means "file" did not recognise the start of the file. For a .dmg this usually indicates a compressed UDIF image: its only signature is a "koly" trailer at the very end of the file, which older versions of "file" do not look for. Alternatively you could get:

dmg: bzip2 compressed data, block size = 100k

which also means the .dmg is compressed, or you could get:

uncompressed.dmg: Macintosh HFS Extended version 4 data last mounted by [...]
block size: 4096, number of blocks: 6400, free blocks: 218

If you get the output shown in the last example, the .dmg is already a raw HFS+ volume image and you can skip to Step 3 below, which covers mounting it.

Step 2 - Expanding The DMG File

In both of the examples where the "file" command shows that the .dmg file is compressed, I found it best to extract the contents of the .dmg file entirely. You can extract the .dmg contents with 7-Zip (the p7zip package on most Linux distributions) using this command:

$ 7z x application.dmg

The above command should produce output similar to this:

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: application.dmg

Extracting  0.MBR
Extracting  1.Primary GPT Header
Extracting  2.Primary GPT Table
Extracting  3.free
Extracting  4.hfs
Extracting  5.free
Extracting  6.Backup GPT Table
Extracting  7.Backup GPT Header

Everything is Ok

Files: 8
Size:       5253831
Compressed: 581650

This expands the .dmg into eight files, numbered 0 to 7 and named after the region of the image each one holds (the MBR, the GPT headers and tables, free space, and the HFS partition). The numbering is 7-Zip's own and follows the image's partition layout, so the HFS partition will not always be number 4.

From here you can browse the pieces that make up the structure of the .dmg file. To see the files inside the image, for example the application bundle itself, you need to mount the "4.hfs" file, which holds the HFS+ partition.
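The reason "file" reports "data" for a compressed image is that the UDIF format carries its signature in a 512-byte "koly" trailer at the end of the file rather than in a header. The script below is an added example and is not part of the original article: it reads that trailer, follows it to the embedded XML property list, and lists every blkx partition together with the compression types used by its chunks. That answers both questions from Steps 1 and 2 without extracting anything: whether 7-Zip is needed at all, and which partition index holds the HFS+ volume. Field offsets follow the UDIF layout as implemented by 7-Zip and libdmg-hfsplus; the tiny image it builds for its self-test is constructed for this example, not a real .dmg.

```python
"""Inspect a UDIF .dmg without extracting it: parse the 'koly' trailer, read the
embedded XML plist, and list each blkx partition with its chunk compression.
Added example; the sample image built at the bottom is constructed."""
import plistlib
import struct

KOLY_SIZE = 512                                   # trailer is 512 bytes, big-endian
MISH_HEADER = struct.Struct(">4sIQQQII24s136sI")  # 204-byte header of a blkx table
CHUNK = struct.Struct(">IIQQQQ")                  # 40-byte chunk entry

# Chunk entry types found in blkx tables (as handled by 7-Zip and libdmg-hfsplus).
CHUNK_TYPES = {
    0x00000000: "zero-fill", 0x00000001: "raw", 0x00000002: "ignored",
    0x80000004: "adc", 0x80000005: "zlib", 0x80000006: "bzip2",
    0x80000007: "lzfse", 0x80000008: "lzma",
    0x7FFFFFFE: "comment", 0xFFFFFFFF: "terminator",
}
NOT_DATA = {"zero-fill", "ignored", "comment", "terminator"}


def parse_koly(trailer: bytes) -> dict:
    """Parse the last 512 bytes of the image. A raw HFS+ image has no trailer."""
    if len(trailer) != KOLY_SIZE or trailer[:4] != b"koly":
        raise ValueError("no 'koly' trailer: not a UDIF image (raw HFS+ or legacy format?)")
    version, header_size = struct.unpack_from(">II", trailer, 4)
    if version != 4 or header_size != KOLY_SIZE:
        raise ValueError(f"unexpected koly version/size {version}/{header_size}")
    data_off, data_len = struct.unpack_from(">QQ", trailer, 24)
    xml_off, xml_len = struct.unpack_from(">QQ", trailer, 216)
    return {"data_fork_offset": data_off, "data_fork_length": data_len,
            "xml_offset": xml_off, "xml_length": xml_len}


def parse_mish(blob: bytes) -> list:
    """Return the chunk types of one blkx 'mish' table (the plist's Data value)."""
    sig, version, *_rest, count = MISH_HEADER.unpack_from(blob, 0)
    if sig != b"mish" or version != 1:
        raise ValueError("bad mish table")
    return [CHUNK_TYPES.get(CHUNK.unpack_from(blob, MISH_HEADER.size + i * CHUNK.size)[0],
                            "unknown") for i in range(count)]


def partitions_from_plist(xml: bytes) -> list:
    """Turn the resource-fork/blkx array into [{id, name, compression}, ...]."""
    parts = []
    for entry in plistlib.loads(xml)["resource-fork"]["blkx"]:
        kinds = {k for k in parse_mish(entry["Data"]) if k not in NOT_DATA}
        parts.append({"id": int(entry["ID"]), "name": entry["Name"],
                      "compression": sorted(kinds)})
    return parts


def inspect_dmg_bytes(image: bytes) -> list:
    """List the partitions of an in-memory UDIF image."""
    koly = parse_koly(image[-KOLY_SIZE:])
    return partitions_from_plist(image[koly["xml_offset"]:koly["xml_offset"] + koly["xml_length"]])


def inspect_dmg(path: str) -> list:
    """Same as inspect_dmg_bytes but reads only the trailer and the plist from disk."""
    with open(path, "rb") as fh:
        fh.seek(-KOLY_SIZE, 2)
        koly = parse_koly(fh.read(KOLY_SIZE))
        fh.seek(koly["xml_offset"])
        return partitions_from_plist(fh.read(koly["xml_length"]))


def is_compressed(parts: list) -> bool:
    """True when any partition holds chunks that are not plain raw sectors."""
    return any(c != "raw" for p in parts for c in p["compression"])


def hfs_partitions(parts: list) -> list:
    """Partitions whose name marks them as HFS/HFS+ (e.g. 'Apple_HFS : 4')."""
    return [p for p in parts if "Apple_HFS" in p["name"]]


def build_sample_dmg() -> bytes:
    """Constructed sample (fabricated for this example, not a real .dmg):
    a raw MBR partition followed by a zlib-compressed Apple_HFS partition."""
    def mish(chunks):  # chunks: (type, first_sector, sector_count, comp_offset, comp_len)
        rows = [CHUNK.pack(t, 0, s, n, o, l) for t, s, n, o, l in chunks]
        rows.append(CHUNK.pack(0xFFFFFFFF, 0, 0, 0, 0, 0))
        hdr = MISH_HEADER.pack(b"mish", 1, chunks[0][1], sum(c[2] for c in chunks),
                               0, 0, 0, b"\0" * 24, b"\0" * 136, len(rows))
        return hdr + b"".join(rows)
    blkx = [
        {"ID": "0", "Name": "MBR (Master Boot Record : 0)", "Attributes": "0x0050",
         "Data": mish([(0x00000001, 0, 1, 0, 512)])},
        {"ID": "1", "Name": "Apple_HFS : 1", "Attributes": "0x0050",
         "Data": mish([(0x80000005, 1, 6400, 512, 4096), (0x00000000, 6401, 8, 0, 0)])},
    ]
    xml = plistlib.dumps({"resource-fork": {"blkx": blkx}})
    data_fork = b"\0" * 4608                      # stand-in for the chunk payloads
    koly = bytearray(KOLY_SIZE)
    koly[:4] = b"koly"
    struct.pack_into(">II", koly, 4, 4, KOLY_SIZE)
    struct.pack_into(">QQ", koly, 24, 0, len(data_fork))
    struct.pack_into(">QQ", koly, 216, len(data_fork), len(xml))
    return data_fork + xml + bytes(koly)


if __name__ == "__main__":
    import sys
    parts = inspect_dmg(sys.argv[1]) if len(sys.argv) > 1 else inspect_dmg_bytes(build_sample_dmg())
    print("compressed:", is_compressed(parts))
    for p in parts:
        print(f"{p['id']:>3}  {', '.join(p['compression']) or '-':12} {p['name']}")
```

Run it with the path to a .dmg to see the partition list; with no argument it inspects the constructed sample. The blkx index printed in the first column is the number 7-Zip puts in front of each extracted file, so the HFS partition's index tells you which "N.hfs" file to mount in Step 3. If parse_koly raises because there is no trailer, you are looking at a raw image (the third "file" output in Step 1) and can mount it directly.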

Step 3 - Mounting The HFS File

You'll now need to mount the HFS file extracted in the previous step to be able to see its contents. You can do this with the "mount" command. The "ro" option keeps the evidence read-only and "noexec" stops anything on the image from being run by accident:

$ sudo mount -o loop,ro,noexec 4.hfs /mnt

If the mount command fails with an unknown filesystem type error, load the HFS kernel modules and repeat the "mount" command. The volume identified by "file" in Step 1 is HFS Extended (HFS+), which the Linux kernel handles with the "hfsplus" module; the "hfs" module is for classic HFS volumes, so load both to be safe. You can also pass the type explicitly with "-t hfsplus" if auto-detection fails.

$ sudo modprobe hfsplus
$ sudo modprobe hfs

Provided the mount command completes successfully, you can now browse "/mnt/" and see the files a macOS user would see after mounting the .dmg.

$ cd /mnt/
$ ls -lh

If you're looking for macOS executables, they usually reside under the "Application.app/Contents/MacOS/" path inside the bundle. Check with the "file" command to make sure you've actually found a Mach-O executable rather than a script or a resource file:

$ file /mnt/Application.app/Contents/MacOS/application

You would expect to see output from "file" that looks like this:

application: Mach-O 64-bit x86_64 executable
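Checking one path at a time misses helper tools, frameworks and embedded binaries elsewhere in the bundle. The script below is an added example rather than the article's own code: it walks the mount point and identifies Mach-O files by magic number, the same test "file" applies, covering thin 32-bit and 64-bit headers in either byte order and universal (fat) binaries, which share their 0xCAFEBABE magic with Java class files and are told apart by the architecture count. The mount point defaults to /mnt as used above; the sample headers it builds for its self-test are constructed, not taken from any real binary.

```python
"""Find Mach-O binaries under a mounted image by their magic number rather than
by path. Added example; the sample headers at the bottom are constructed."""
import os
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O (stored little-endian on x86_64/arm64)
FAT_MAGIC = 0xCAFEBABE     # universal binary, header always big-endian
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
FILE_TYPES = {2: "executable", 6: "dylib", 8: "bundle"}


def classify_macho(header: bytes):
    """Describe the first bytes of a file in 'file'-like wording, or None."""
    if len(header) < 8:
        return None
    big = struct.unpack(">I", header[:4])[0]
    little = struct.unpack("<I", header[:4])[0]
    if big == FAT_MAGIC:
        nfat = struct.unpack(">I", header[4:8])[0]
        if nfat > 30:                  # Java .class files share this magic; their
            return None                # version field lands here and is far larger
        archs = []
        for i in range(nfat):
            off = 8 + 20 * i           # struct fat_arch is 20 bytes, big-endian
            if len(header) < off + 20:
                break
            cputype = struct.unpack(">I", header[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return "Mach-O universal binary: " + ", ".join(archs)
    for magic, order in ((little, "<"), (big, ">")):
        if magic in (MH_MAGIC, MH_MAGIC_64) and len(header) >= 16:
            cputype, _subtype, filetype = struct.unpack(order + "III", header[4:16])
            bits = "64-bit" if magic == MH_MAGIC_64 else "32-bit"
            kind = FILE_TYPES.get(filetype, "filetype %d" % filetype)
            return f"Mach-O {bits} {CPU_NAMES.get(cputype, hex(cputype))} {kind}"
    return None


def find_machos(root: str):
    """Walk the mount point and yield (path, description) for each Mach-O file.
    Symlinks are skipped so a bundle's own links do not repeat results."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    desc = classify_macho(fh.read(1024))
            except OSError:
                continue
            if desc:
                yield path, desc


def sample_headers() -> dict:
    """Constructed headers for a self-test; not taken from any real binary."""
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    mh64 = "<IIIIIIII"
    return {
        "x86_64_exec": struct.pack(mh64, MH_MAGIC_64, 0x01000007, 3, 2, 0, 0, 0, 0),
        "arm64_dylib": struct.pack(mh64, MH_MAGIC_64, 0x0100000C, 0, 6, 0, 0, 0, 0),
        "universal": struct.pack(">II", FAT_MAGIC, 2)
                     + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x1000, 14)
                     + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x1000, 14),
        "java_class": struct.pack(">IHH", 0xCAFEBABE, 0, 52),
        "shell_script": b"#!/bin/sh\nexit 0\n",
    }


if __name__ == "__main__":
    import sys
    for path, desc in find_machos(sys.argv[1] if len(sys.argv) > 1 else "/mnt"):
        print(f"{desc:45} {path}")
```

Because the image was mounted with "noexec", nothing the walker finds can be run from the mount point, which is what you want while triaging; copy anything of interest out to a working directory before analysing it.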

Now the fun begins with analysing Mach-O executables. Good luck.