The following process walks through how to mount an Apple Disk Image, or more commonly known as a .dmg file. This process walks through mounting the HFS section of a .dmg file on a Linux system to allow the extraction of files for further analysis.
Step 1 - Checking The File Type
To begin with, I usually check what type of .dmg file it is with the "file" command. This is done to understand if it is a compressed or uncompressed .dmg file.
$ file application.dmg
The output you could typically expect could be:
which means the file is compressed, or you could get:
dmg: bzip2 compressed data, block size = 100k
which also means the .dmg is compressed, or you could get:
uncompressed.dmg: Macintosh HFS Extended version 4 data last mounted by [...] block size: 4096, number of blocks: 6400, free blocks: 218
If you get the output shown in the last example, you can skip to Step 3 below where I talk about mounting the file.
Step 2 - Expanding The DMG File
In both of the examples where the "file" command shows that the .dmg file is compressed, I found it best to extract the contents of the .dmg file entirely. You can extract the .dmg contexts with 7-Zip using this command:
$ 7z x application.dmg
The above command should produce output similar to this:
7-Zip  9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18 p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,4 CPUs) Processing archive: application.dmg Extracting 0.MBR Extracting 1.Primary GPT Header Extracting 2.Primary GPT Table Extracting 3.free Extracting 4.hfs Extracting 5.free Extracting 6.Backup GPT Table Extracting 7.Backup GPT Header Everything is Ok Files: 8 Size: 5253831 Compressed: 581650
This essentially expands out the .dmg file to 7 different folders containing the data labelled above in each folder name.
From here you can now browse the contents that make up the structure of a .dmg file, however if you want to actually see the files within the .dmg image file, for example application files, we will need to mount the "4.hfs" file.
Step 3 - Mounting The HFS File
You'll now need to mount the HFS file, that we extracted in the above step, to be able to see the contents of it. You can simply do this with the "mount" command.
$ sudo mount -o loop,ro,noexec 4.hfs /mnt
If you have any issues with the above mount command try loading the HFS dependences with the following command. Then repeat the above "mount" command again.
$ sudo modprobe hfs
Provided the above mount command completes successfully you should now be able to browse to "/mnt/" and view the files that a macOS user would see once they mount a .dmg file.
$ cd /mnt/ $ ls -lh
If you're looking for macOS executables, they usually resides within the "Application.app/Contents/MacOS/" path. You can check this with the "file" command to make sure you've actually found the executable files.
$ file /mnt/Application.app/Contents/MacOS/application
You would expect to see output from "file" that looks like this:
application: Mach-O 64-bit x86_64 executable
Now the fun begins with analysing Mach-O executables, good luck.