localizing a mounted HD

(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

It looks like FTK Imager is emulating the mount as a remote network share.

So you'll have to use another mount tool that does emulate the mount as a local drive; as people proposed, stick to the known methods that other people have used with success before.

Or use Linux with ewfmount and vshadowinfo to bypass Windows completely.


   
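The Linux route suggested in the post above, sketched as an added example that is not part of the original thread. The image path and work directory are hypothetical, and using `mmls` from The Sleuth Kit to find the NTFS partition offsets is an assumption beyond the two tools the post names.

```shell
#!/bin/sh
# Added example: image path and work directory are hypothetical placeholders.
# Needs root plus ewfmount (libewf), mmls (The Sleuth Kit) and
# vshadowinfo/vshadowmount (libvshadow).

# Turn `mmls` output on stdin into byte offsets of NTFS partitions;
# vshadowinfo and vshadowmount take -o in bytes, mmls reports sectors.
ntfs_offsets() {
    awk '
        /^Units are in/ { split($4, u, "-"); ss = u[1] }
        /NTFS/          { printf "%.0f\n", ($3 + 0) * (ss ? ss : 512) }
    '
}

# Constructed mmls output, used to check the parser without an image.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0001026047   0000819200   NTFS / exFAT (0x07)
EOF
}

# List shadow copies per NTFS volume, then expose them read-only.
shadow_copies() {
    image=$1 work=$2
    mkdir -p "$work/ewf" "$work/vss" "$work/snap1"
    ewfmount "$image" "$work/ewf"            # raw view appears as ewf/ewf1
    for off in $(mmls "$work/ewf/ewf1" | ntfs_offsets); do
        echo "== NTFS volume at byte offset $off"
        vshadowinfo -o "$off" "$work/ewf/ewf1" || continue   # skip if it cannot be read as VSS
        vshadowmount -o "$off" "$work/ewf/ewf1" "$work/vss"  # stores appear as vss1, vss2, ...
        mount -o ro,loop "$work/vss/vss1" "$work/snap1"      # first store, read-only
        break                                # one volume per work directory
    done
}

if [ "$#" -eq 2 ]; then shadow_copies "$1" "$2"; fi
```

When finished, release the mounts in reverse order: `umount` the snapshot, then `fusermount -u` the `vss` and `ewf` directories.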
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Is there a chance that you can share what the "more suited drivers" are?

Actually if you read my initial post I listed there TWO likely candidates, including links to them and/or thread where their usage is discussed.
BTW only Windows 7 can mount .vhd's "natively".

@mrpumba
The initially given links by keydet89 illustrate in detail methods to work around that issue.

If you are determined to use the .e01 file "as is", then

There is a Commercial product
http://www.mountimage.com/
that can mount .e01 files, but cannot say if it will mount them as "local" or not.

There is also a free tool
http://www.osforensics.com/tools/mount-disk-images.html
that can do the same BUT since it is based on IMDISK, I doubt that it will be able to mount it in a way that is compatible with the vssadmin tool.

jaclaz


mrpumba
(@mrpumba)
Estimable Member
Joined: 15 years ago
Posts: 116
Topic starter  

Ok, thanks for the reply guys, I'll preview more closely on my end.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Actually if you read my initial post I listed there TWO likely candidates, including links to them and/or thread where their usage is discussed.

I did.

The SDK doesn't help anyone here on this thread really…unless someone here is a proficient Windows programmer.

The link to the VSS tools and samples doesn't help…that's really nothing more than vssadmin or other tools; you have to have access to the VSC listing in order to use vshadow.exe to expose a VSC locally
http://msdn.microsoft.com/en-us/library/windows/desktop/bb530725(v=vs.85).aspx#exposing_a_shadow_copy_locally

KernSafe's product looks interesting, even if the company is from Beijing…but I really don't see a great deal of difference between mounting the image via vhdtool + Disk Manager, and using Total Mounter. Not having tested Total Mounter yet, I'd be interested to see if it's able to mount read-only (I wasn't able to access the data sheet this morning).

When I asked the question, I saw no reference to your initial post, and as such thought that you'd added something new to the conversation. My apologies.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

When I asked the question, I saw no reference to your initial post, and as such thought that you'd added something new to the conversation. My apologies.

No prob :) , but there is still IMHO a form of misunderstanding.

The IMDISK uses some approaches that are somehow "higher level" than other drivers, what is actually mounted in IMDISK are Volumes or Partitions (and NOT "disks").

As an example Ken Kato's VDK has a "lower level" approach, enough to access the "whole disk" as \\.\PhysicalDriveN but "not low enough" to let the disk be seen in Disk Manager.

The VSS SDK (without the need of *any* programming skills) provides, as illustrated in the given link
http://reboot.pro/index.php?showtopic=6492&hl=
the means

virtual storage driver (virtualstorage.sys) and virtual storage controller (vstorcontrol.exe)

to mount a "whole disk" in a way that it is seen in disk management, i.e. "as low-level" or "as native" as possible.
I will risk quoting myself 😯

The VSS drives are "as low level" and "as plug 'n play" as possible, meaning that when you run them and mount an image you will get (I am talking of the 32 bit version on XP, but the 64 bit one will probably be the same)

  1. a tray notification for "found new hardware"
  2. the image appears in disk management as a disk
  3. it is accessible through \\.\PhysicalDriveN
  4. the formatted volumes/drives get a drive letter by mount manager
  5. the disk geometry is by default 255/63

VDK misses points #1 and #2 above and you need a .pln or .vmdk file to have the 255/63 geometry as the default is 64/32.

There are seemingly issues with the Windows 7 version, though.

Total Mounter has a similar "low-level" approach, but its usage is a bit more convenient, being GUI and AFAICT works all right in Windows 7 also.

They were/are only meant as "ideas", JFYI, for further experiments.

With all due respect :) , I completely fail to understand how the company making the tool being Chinese is worthy of note, still for the record, a few examples
Imdisk Author Olof Lagerkvist is from Sweden
VDK Author Ken Kato is from Japan
firadisk Author karionix is from Thailand
Winvblock Author sha0 is from Canada
MS VSS Authors are presumably from the US
Total Mounter (Kernsafe) is from China
the (very little) contributions by me are coming from Italy …
… it looks like in the Virtual Disk drivers development nationality is fairly heterogeneous….

jaclaz


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

With all due respect :) , I completely fail to understand how the company making the tool being Chinese is worthy of note, still for the record, a few examples

I'm sure that there will be some reticence, and at the very least some questions, from those associated with the US Federal Gov't regarding that tool.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I'm sure that there will be some reticence, and at the very least some questions, from those associated with the US Federal Gov't regarding that tool.

Should the G-men knock on your door (actually break through it) at 5:00 in the morning, because Echelon registered an access from your IP to the
http://www.kernsafe.com/
site, you can put the blame on me all right ;) .
Forget about the idea.

It's not safe, it's… very dangerous, be careful.

http://www.imdb.com/title/tt0074860/quotes?qt=qt0247572

jaclaz


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Update (should be on "News", but I am posting it here so that Keydet89 and other people having issues with Total Mounter and its "Chinese origin" can take notice of this).

Another driver (this time a "full" SCSI miniport driver) written by Olof Lagerkvist (same Swedish Author of IMDISK) has been now released as "Open Source"
http://reboot.pro/topic/18945-announcing-open-source-virtual-scsi-miniport-driver/

The driver was originally written for Arsenal Recon (which is US based)
http://arsenalrecon.com/
as part of one of their Commercial tool(s), and they decided to release the Source Code (besides pre-made builds) under AGPL v3.0
https://github.com/ArsenalRecon/Arsenal-Image-Mounter

jaclaz


   
ArsenalConsulting
(@arsenalconsulting)
Eminent Member
Joined: 16 years ago
Posts: 49
 

The driver was originally written for Arsenal Recon (which is US based)
http://arsenalrecon.com/
as part of one of their Commercial tool(s), and they decided to release the Source Code (besides pre-made builds) under AGPL v3.0
https://github.com/ArsenalRecon/Arsenal-Image-Mounter
jaclaz

Jaclaz, thank you for mentioning our project! There has been some confusion regarding who the project is geared towards… currently Olof and I are gearing the project towards developers, not end users. Though, people have been running the sample executable successfully, particularly on Windows 7 and 8.

I just put a summary page up which hopefully explains the project better than we can do on Twitter. 😉

http://arsenalrecon.com/apps/image-mounter/


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Jaclaz, thank you for mentioning our project! There has been some confusion regarding who the project is geared towards… currently Olof and I are gearing the project towards developers, not end users. Though, people have been running the sample executable successfully, particularly on Windows 7 and 8.

I just put a summary page up which hopefully explains the project better than we can do on Twitter. 😉

http://arsenalrecon.com/apps/image-mounter/

You are welcome, nice page :) .

What I am currently trying to "fight" (with all due respect to you and Olof) and with the help of an actual developer (erwan.l), besides Olof himself, is this form of "racism" 😯 .

I mean, apart from what the product is geared for, why "limiting" its use to (actually rather few, believe me ;) , "developers"), and somehow exclude the "end users" (which include those forensic people which are not "developers")?

And again, with no offence whatever intended to you and/or Olof, it is a few years that we have similar softwares available, the only issue being, in the case of the mentioned Kernsafe tool, its non-US origin….

As always the more alternatives/tools one can have available and working, the better, and the "experimental" IMGMOUNT tool by erwan.l, current version 0.9 here
http://reboot.pro/topic/18945-announcing-open-source-virtual-scsi-miniport-driver/?p=177973

already behaves (IMHO) well enough to extend the use of the driver to at least "advanced end users", the only "tricky" part left is to find a more convenient way to install it (without needing the .NET bloat) and without using the devcon.exe, which already makes possible the install, thanks to a modified .inf by bilou_gateux
http://reboot.pro/topic/18945-announcing-open-source-virtual-scsi-miniport-driver/?p=177872

These things, once finalized/tested/whatever will make possible to (relatively easily) use the thingy (though with some reduced functionalities due to the non-connection with discutils) into "reduced systems" (such as the Windows XP Embedded bilou_gateux uses or the nice WinFE that bshavers/cramsden are developing).

jaclaz

P.S. In the meantime the IMGMOUNT version 1.0 was released here
http://reboot.pro/topic/18945-announcing-open-source-virtual-scsi-miniport-driver/?p=178049
http://reboot.pro/files/file/374-imgmount/
Discussion topic
http://reboot.pro/topic/19003-imgmount/


   