Mounting drive image
Does anyone know of a tool aside from Mount image pro and Encase itself that will mount drive images, either Encase, dd, SMART etc. Mount image pro is great but expensive for the number of times I will use it. The issue only presents itself when using FTK out on site.
I would like to be able to create a 'clone' drive from an image too if possible. Any thoughts?
I'm not up on the windows software options, I'll leave that to someone else.
However, for cloning disks, either from a physical disk source or from an image, nothing compares to dd; it's a top-notch swiss-army knife for drive/image/data manipulation.
Have I completely missed the point of the original question? FTK Imager will mount most forensic drive images itself and you can examine them in preview mode.
Paraben has such a product (P2 Explorer). Looks like about $200.00.
I've used both Mount Image Pro and P2 Explorer. I had better results with P2.
Paraben's P2 Explorer works very well.
Nick, do you specifically mean mounting in a Windows environment so you can freely navigate around the file system? If so, there are only the ones already mentioned, to my knowledge….
Just a thought though, if you are using a hardware writeblocker - Fastbloc for example, then there is no real need for a software mounter, as it mounts in Windows and you can navigate around.
If you use Linux, you can mount a DD image as a loop, and navigate the file structure for free.
As regards to making a clone from an image, if you use EnCase then that's very easy, as you can restore the image to another hdd. The acquisition (no dongle) mode will also allow this.
Also, X-Ways Forensics (WinHEX) will allow you to relay an image to a hdd (clone). I think even the demo will allow you to do this.
Thanks to you all, I hadn't heard of the Paraben solution and Andy's idea of using X-Ways was a good one.
Andy, I only use a few 'standard' commands with dd to image drives, to save some experimentation do you know off hand what the command line is to mount an image?
Thanks again for the replies, very helpful.
mount -o loop -t subfs -r /home/internet/Documents/usb1.subfs /mnt/usb
This will mount the usb thumb drive image called usb1.subfs to the mount point /mnt/usb
The "-o loop" means use the option that mounts a file as a block device. The "-t subfs" means that the file is in the subfs removable media format. The "-r" means to mount read-only.
Nick, there is an excellent pdf all about linux forensics. It's titled "The Law Enforcement and Forensic Examiner Introduction to Linux. A Beginner's Guide". It has all the commands you need.
You can download it here www.linux-forensics.com/linuxintro-LEFE-2.0.5.pdf
There is also a handy 'one page Linux manual', with many useful commands. You can get it from here http://homepage.powerup.com.au/~squadron/
Andy, excellent PDF, having read a couple of linux books this doc really hits the spot!
Also thanks to ratrabbit, I'll have a play.
HELIX and FIRE bootable CDs have valuable and free forensic tools if an examiner prefers to use a *nix environment to acquire, analyze etc.
I was impressed with the GUI version of DD called GRAB on the current distribution of HELIX CD rom. It also lets you acquire a target machine over IP. There are other acquisition utils on HELIX cd rom as well.
Yeah I've used Helix. Where this came from was working from images supplied by the prosecution. For reasons too complex to go into here I was not able to have access to the source machines and agreed to work from the police Encase images. I was due to work off site and was going to pre-index using FTK for speed of searching. However I needed to be able to reconstruct/mount the drive to virus scan it, hence the original question.
X-Ways allows me to interpret the images as a disk structure but not to scan it, similar to FTK imager really. However I could use dd to mount the images as described earlier but was working on a Windows machine without access to a Linux boot/virtual machine. Mount Image Pro is perfect for this scenario but pretty expensive really.
Using FTK Imager
* Add the Encase evidence files
* Export the Image file to a different format. Hopefully raw which can be processed by DD to decompress it to a usb drive for scanning.
Sorry that I don't have any .e* images to test with currently.
Use this link in FTK imager help file for additional information. It should be on your hard drive if you have FTK imager installed.
C:\Program Files\AccessData\AccessData FTK Imager\help\ENU\ftkimager_help.htm
After you export the image, decompress it to a usb drive and then do a virus scan. If it is clean, use it as evidence in FTK to index.
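The "export raw, dd it to a USB drive, then scan" procedure above has two places where a clone silently goes wrong: a target drive smaller than the image, and a write that did not complete. This added example (not code from anyone in this thread) wraps the dd step with both checks: it refuses a target smaller than the image, then verifies the clone by hashing exactly the image's byte length read back from the target (the target may be larger, so hashing the whole device would never match). The target path is assumed to be a scratch drive; the example uses `sha256sum`, `head -c` and `blockdev` as found on a typical Linux forensic boot CD.

```shell
#!/bin/sh
# Added example: restore a raw (dd) image to a scratch drive and verify the copy.
# All functions are this example's own; target is assumed to be sacrificial.
set -eu

# SHA-256 of the first $2 bytes of $1 (file or block device).
hash_bytes() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Size in bytes of a regular file or block device.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else echo $(( $(wc -c < "$1") )); fi
}

# Copy image $1 onto target $2, refusing a target smaller than the image.
restore_image() {
    src=$1; dst=$2
    size=$(byte_size "$src")
    dst_size=$(byte_size "$dst")
    if [ "$dst_size" -lt "$size" ]; then
        echo "target $dst ($dst_size bytes) is smaller than image ($size bytes)" >&2
        return 1
    fi
    dd if="$src" of="$dst" bs=1048576 conv=notrunc 2>/dev/null
    sync                                   # flush before anyone hashes or scans it
}

# Succeed only when the target's leading bytes hash identically to the image.
verify_restore() {
    src=$1; dst=$2
    size=$(byte_size "$src")
    [ "$(hash_bytes "$src" "$size")" = "$(hash_bytes "$dst" "$size")" ]
}

# Usage (as root, with /dev/sdX a scratch USB drive):
#   restore_image exported.raw /dev/sdX && verify_restore exported.raw /dev/sdX \
#       && echo "clone verified; safe to hand to the virus scanner"
```

Keep the hash printed by `hash_bytes` on the image alongside the case notes; after the virus scan, hashing the original image again shows whether the scanner's own activity touched the evidence file rather than the clone.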