Does anyone know of a tool aside from Mount image pro and Encase itself that will mount drive images, either Encase, dd, SMART etc. Mount image pro is great but expensive for the number of times I will use it. The issue only presents itself when using FTK out on site.
I would like to be able to create a 'clone' drive from an image too if possible. Any thoughts?
Nick
I'm not up on the windows software options, I'll leave that to someone else.
However, for cloning disks, either from a physical disk source, or from an image, nothing compares to dd, it's a top-notch swiss-army knife for drive/image/data manipulation.
Have I completely missed the point of the original question? FTK Imager will mount most forensic drive images itself and you can examine them in preview mode.
Paraben has such a product (P2 Explorer). Looks like about $200.00.
I've used both Mount Image Pro and P2 Explorer. I had better results with P2.
Paraben's P2 Explorer works very well.
Nick, do you specifically mean mounting in a Windows environment so you can freely navigate around the file system? If so, there are only the ones already mentioned, to my knowledge….
Just a thought though, if you are using a hardware writeblocker - Fastbloc for example, then there is no real need for a software mounter, as it mounts in Windows and you can navigate around.
If you use Linux, you can mount a DD image as a loop, and navigate the file structure for free.
As regards to making a clone from an image, if you use EnCase then that's very easy, as you can restore the image to another hdd. The acquisition (no dongle) mode will also allow this.
Also, X-Ways Forensics (WinHEX) will allow you to relay an image to a hdd (clone). I think even the demo will allow you to do this.
Andy
Thanks to you all, I hadn't heard of the Paraben solution and Andy's idea of using X-Ways was a good one.
Andy, I only use a few 'standard' commands with dd to image drives, to save some experimentation do you know off hand what the command line is to mount an image?
Thanks again for the replies, very helpful.
Nick
mount -o loop -t subfs -r /home/internet/Documents/usb1.subfs /mnt/usb
This will mount the usb thumb drive image called usb1.subfs to the mount point /mnt/usb
The "-o loop" means use the option that mounts a file as a block device. The "-t subfs" means that the file is in the subfs removable media format. The "-r" means to mount read-only.
Nick, there is an excellent pdf all about linux forensics. It's titled "The Law Enforcement and Forensic Examiner Introduction to Linux. A Beginner's Guide". It has all the commands you need.
You can download it here
There is also a handy 'one page Linux manual', with many useful commands. You can get it from here http//
Andy