localizing a mounted HD


jaclaz
Senior Member
 

Re: localizing a mounted HD

Post Posted: Aug 28, 12 17:33

- keydet89


When I asked the question, I saw no reference to your initial post, and as such thought that you'd added something new to the conversation. My apologies.


No prob :), but there is still IMHO a form of misunderstanding.

The IMDISK uses some approaches that are somehow "higher level" than other drivers, what is actually mounted in IMDISK are Volumes or Partitions (and NOT "disks").

As an example KenKato's VDK has a "lower level" approach, enough to access the "whole disk" as \\.\PhysicalDriveN but "not low enough" to let the disk be seen in Disk Manager.

The VSS SDK (without the need of *any* programming skills) provides, as illustrated in the given link:
reboot.pro/index.php?s...92&hl=
the means:
virtual storage driver (virtualstorage.sys) and virtual storage controller (vstorcontrol.exe)

to mount a "whole disk" in a way that it is seen in disk management, i.e. "as low-level" or "as native" as possible.
I will risk quoting myself :o :
The VSS drives are "as low level" and "as plug 'n play" as possible, meaning that when you run them and mount an image you will get (I am talking of the 32 bit version on XP, but the 64 bit one will probably be the same)
  1. a tray notification for "found new hardware"
  2. the image appears in disk management as a disk
  3. it is accessible through \\.\PhysicalDriveN
  4. the formatted volumes/drives get a drive letter by mount manager
  5. the disk geometry is by default 255/63
  6. VDK misses points #1 and #2 above and you need a .pln or .vmdk file to have the 255/63 geometry as the default is 64/32.


There are seemingly issues with the Windows 7 version, though.

Total Mounter has a similar "low-level" approach, but its usage is a bit more convenient, being GUI and AFAICT works all right in Windows 7 also.

They were/are only meant as "ideas", JFYI, for further experiments.

With all due respect :), I completely fail to understand how the company making the tool being Chinese is worthy of note, still for the record, a few examples:
Imdisk Author Olof Lagerkvist is from Sweden
VDK Author Ken Kato is from Japan
firadisk Author karionix is from Thailand
Winvblock Author sha0 is from Canada
MS VSS Authors are presumably from the US
Total Mounter (Kernsafe) is from China
the (very little) contributions by me are coming from Italy ...
... it looks like in the Virtual Disk drivers development nationality is fairly heterogeneous....

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
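
Added example (not part of the original thread): a read-only PowerShell check of points 2 to 5 in the post above, listing each disk Windows enumerates with its \\.\PhysicalDriveN path, heads/sectors geometry and assigned drive letters. It assumes PowerShell 3.0 or later for the CIM cmdlets; the function name Get-DiskExposure is hypothetical.

```powershell
# Added example: report how each enumerated disk (including a mounted image)
# is exposed to Windows. Read-only WMI/CIM queries only.
function Get-DiskExposure {
    Get-CimInstance -ClassName Win32_DiskDrive | ForEach-Object {
        $disk = $_

        # Follow disk -> partition -> logical disk to collect drive letters
        # handed out by the mount manager (point 4 in the post).
        $letters = Get-CimAssociatedInstance -InputObject $disk -ResultClassName Win32_DiskPartition |
            ForEach-Object { Get-CimAssociatedInstance -InputObject $_ -ResultClassName Win32_LogicalDisk } |
            ForEach-Object { $_.DeviceID }

        # Reported geometry as heads/sectors-per-track (point 5 in the post).
        $geometry = '{0}/{1}' -f $disk.TotalHeads, $disk.SectorsPerTrack
        $note = switch ($geometry) {
            '255/63' { 'matches the 255/63 default described in the post' }
            '64/32'  { 'matches the 64/32 default the post attributes to VDK' }
            default  { 'other geometry' }
        }

        [pscustomobject]@{
            DevicePath   = $disk.DeviceID        # e.g. \\.\PHYSICALDRIVE1 (point 3)
            Model        = $disk.Model
            Interface    = $disk.InterfaceType
            PnpDeviceId  = $disk.PNPDeviceID     # present when the disk came up via plug and play
            Geometry     = $geometry
            GeometryNote = $note
            DriveLetters = ($letters -join ',')
        }
    }
}

Get-DiskExposure | Format-Table -AutoSize
```

Running it before and after mounting an image and comparing the two listings shows which entry the mount added and how it is presented.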
 
  

keydet89
Senior Member
 

Re: localizing a mounted HD

Post Posted: Aug 28, 12 19:07

- jaclaz

With all due respect :), I completely fail to understand how the company making the tool being Chinese is worthy of note, still for the record, a few examples:


I'm sure that there will be some reticence, and at the very least some questions, from those associated with the US Federal Gov't regarding that tool.  
 
  

jaclaz
Senior Member
 

Re: localizing a mounted HD

Post Posted: Aug 28, 12 20:59

- keydet89

I'm sure that there will be some reticence, and at the very least some questions, from those associated with the US Federal Gov't regarding that tool.

Should the G-men knock on your door (actually break through it) at 5:00 in the morning, because Echelon registered an access from your IP to the
www.kernsafe.com/
site, you can put the blame on me all right ;) .
Forget about the idea.
It's not safe, it's... very dangerous, be careful.

www.imdb.com/title/tt0...=qt0247572

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

jaclaz
Senior Member
 

Re: localizing a mounted HD

Post Posted: Sep 25, 13 22:43

Update (should be on "News", but I am posting it here so that Keydet89 and other people having issues with Total Mounter and its "Chinese origin" can take notice of this).

Another driver (this time a "full" SCSI miniport driver) written by Olof Lagerkvist (same Swedish Author of IMDISK) has now been released as "Open Source":
reboot.pro/topic/18945...rt-driver/

The driver was originally written for Arsenal Recon (which is US based):
arsenalrecon.com/
as part of one of their Commercial tool(s), and they decided to release the Source Code (besides pre-made builds) under AGPL v3.0:
github.com/ArsenalReco...ge-Mounter


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

ArsenalConsulting
Member
 

Re: localizing a mounted HD

Post Posted: Oct 07, 13 22:21

- jaclaz

The driver was originally written for Arsenal Recon (which is US based):
arsenalrecon.com/
as part of one of their Commercial tool(s), and they decided to release the Source Code (besides pre-made builds) under AGPL v3.0:
github.com/ArsenalReco...ge-Mounter
jaclaz


Jaclaz, thank you for mentioning our project! There has been some confusion regarding who the project is geared towards... currently Olof and I are gearing the project towards developers, not end users. Though, people have been running the sample executable successfully, particularly on Windows 7 and 8.

I just put a summary page up which hopefully explains the project better than we can do on Twitter. ;)

arsenalrecon.com/apps/...e-mounter/  
 
  

jaclaz
Senior Member
 

Re: localizing a mounted HD

Post Posted: Oct 07, 13 22:46

- spencerforhire

Jaclaz, thank you for mentioning our project! There has been some confusion regarding who the project is geared towards... currently Olof and I are gearing the project towards developers, not end users. Though, people have been running the sample executable successfully, particularly on Windows 7 and 8.

I just put a summary page up which hopefully explains the project better than we can do on Twitter. ;)

arsenalrecon.com/apps/...e-mounter/


You are welcome, nice page :) .

What I am currently trying to "fight" (with all due respect to you and Olof) and with the help of an actual developer (erwan.l), besides Olof himself, is this form of "racism" :o .

I mean, apart from what the product is geared for, why "limiting" its use to (actually rather few, believe me ;) , "developers"), and somehow exclude the "end users" (which include those forensic people which are not "developers")?

And again, with no offence whatever intended to you and/or Olof, it is a few years that we have similar software available, the only issue being, in the case of the mentioned Kernsafe tool, its non-US origin....

As always the more alternatives/tools one can have available and working, the better, and the "experimental" IMGMOUNT tool by erwan.l, current version 0.9 here:
reboot.pro/topic/18945.../?p=177973

already behaves (IMHO) well enough to extend the use of the driver to at least "advanced end users", the only "tricky" part left is to find a more convenient way to install it (without needing the .NET bloat) and without using the devcon.exe, which already makes possible the install, thanks to a modified .inf by bilou_gateux:
reboot.pro/topic/18945.../?p=177872

These things, once finalized/tested/whatever will make possible to (relatively easily) use the thingy (though with some reduced functionalities due to the non-connection with discutils) into "reduced systems" (such as the Windows XP Embedded bilou_gateux uses or the nice WinFE that bshavers/cramsden are developing).

jaclaz

P.S.: In the meantime the IMGMOUNT version 1.0 was released here:
reboot.pro/topic/18945.../?p=178049
reboot.pro/files/file/374-imgmount/
Discussion topic:
reboot.pro/topic/19003-imgmount/
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

ArsenalConsulting
Member
 

Re: localizing a mounted HD

Post Posted: Oct 08, 13 02:14

- jaclaz

I mean, apart from what the product is geared for, why "limiting" its use to (actually rather few, believe me ;) , "developers"), and somehow exclude the "end users" (which include those forensic people which are not "developers")?

I don't think you and I actually have a dispute here... the project is already working out as we had intended. When I refer to the "project" or "Arsenal Image Mounter", I'm referring to the code we released. Our hope was that we would release a nice foundation and other developers would build GUIs on top of it for end users, which as you've mentioned (and as I've been told via email) people are already doing... and ideally, people will also help us extend the functionality of the "core" as well.

Of course end users are welcome to use what we released on GitHub... I'm just letting people know that it wasn't geared for end users. We have other software projects (not to mention casework) that need attention, so this first release could not be all things to all people.

I hope that clears things up!  
 

Page 3 of 4