Join Us!

OSFMount v Arsenal ...
 
Notifications
Clear all

OSFMount v Arsenal Image Mounter v FTK Imager  

Page 1 / 2
  RSS
JimC
 JimC
(@jimc)
Member

I've been recently been having a play with different image mounting tools.

PassMark's "OSFMount" looks pretty good and is free. It supports mounting E01 images but seems to have two limitations

1. The driver performs a "logical" mount of file system volumes. It doesn't mount the underlying sectors in a "physical" disk image

2. The E01 feature is missing write support. This means it can't be used with virtualisation software to "live boot" an image

I also had a look at Arsenal's "Image Mounter (AIM)" tool. The basic version of this is free although a little more fiddly to use. There seems to be a more (expensive?) paid version which offers more features. Crucially, it does support mounting images "physical images".

Finally, I looked at "FTK Imager". This is free and offers both "physical" mounting and E01 support. For my purposes, it therefore seems superior to both OSFMount and AIM.

Does anyone have any comments or suggestions for other image mounting tools? Did I miss anything with PassMark's tool?

Jim

www.binarymarkup.com

Quote
Posted : 15/10/2018 10:26 am
minime2k9
(@minime2k9)
Active Member

Arsenal Recon is the best one I have used. I don't have access to the paid features but they revolve around mounting VSC's directly.

Encase does have PDE which also allows mounting of physical disks, but overkill if that's the only feature you want.

ReplyQuote
Posted : 15/10/2018 10:59 am
Passmark
(@passmark)
Active Member

Mounting a E01 image as a volume or as a emulated physical SCSI drive accomplishes the same thing most of the time. All the sectors in all the partitions are still available in both cases. But as you pointed out there are a few cases where the difference is important. One of them is booting the image into a virtual machine, where a (emulated) physical drive is desirable. Strictly speaking there are other methods to boot the image without a physical drive, but having one make the job quicker & easier.

We are writing code at the moment to allow a physical mount option for OSFMount.
An updated version should be available in a few weeks after a bit more integration and testing.

ReplyQuote
Posted : 16/10/2018 4:50 am
Omnius
(@omnius)
Junior Member

Arsenal Recon is the best one I have used. I don't have access to the paid features but they revolve around mounting VSC's directly.

Using AR in conjunction with; https://binaryforay.blogspot.com/2018/09/introducing-vscmount.html for VSC analysis.

Using FTK for physical mounting of drives for creating VM's.

ReplyQuote
Posted : 16/10/2018 8:04 am
minime2k9
(@minime2k9)
Active Member

Using AR in conjunction with; https://binaryforay.blogspot.com/2018/09/introducing-vscmount.html for VSC analysis.

Using FTK for physical mounting of drives for creating VM's.

Yes that is how I use AR for mounting VSC's, same technique works for creating VM's as well.
I meant paid features allow you to mount a VSC directly rather than mounting the image and then the VSC.

ReplyQuote
Posted : 16/10/2018 9:35 am
jaclaz
(@jaclaz)
Community Legend

@JimC
JFYI, the "base" under the OFSMount tool is IMDISK, by Olof Lagerkvist, who is the same Author as Arsenal Image Mounter.

While IMDISK is completely free, besides Open Source, the AIM was developed for Arsenal Recon, it is now extremely complicated to get it, and seemingly they just switched to the "modern"[1] SAAS commercial model (and seemingly also require registration to download the "free"[2] version)

However there is a small GUI tool for it
http//reboot.pro/files/file/374-imgmount/

There is another driver that comes from MS directly, that has the same possibility of mounting a (RAW) physical image (again JFYI)
http//reboot.pro/topic/6492-virtual-storage-driver/

jaclaz

[1] "modern" is sometimes a synonym of "stupid" in my opinion
[2] that as such is not anymore "free", again in my perverted mind

ReplyQuote
Posted : 16/10/2018 10:30 am
ArsenalConsulting
(@arsenalconsulting)
Junior Member

While IMDISK is completely free, besides Open Source, the AIM was developed for Arsenal Recon, it is now extremely complicated to get it, and seemingly they just switched to the "modern"[1] SAAS commercial model (and seemingly also require registration to download the "free"[2] version)

Can you elaborate upon "extremely complicated?" I had previously signed up for our mailing list and just went to our website, clicked "Downloads", expanded "Arsenal Image Mounter", clicked "Arsenal Image Mounter", and a download began. We could eliminate one of the those three clicks (making the navigation more efficient) and I will see about getting that done this week.

[2] that as such is not anymore "free", again in my perverted mind

We are a small company and do not have marketing people. We require signing-up for our mailing list before downloading our tools, which is the primary method we use to alert current (and prospective, in the sense that they have already shown interest) users to updates in our existing tools and the launch of new tools. People can (and do) use throw-away email addresses and unsubscribe to our mailing list after they have downloaded what they want.

We don't charge for Arsenal Image Mounter's core functionality and have source code available on GitHub which we encourage open source projects to use. I feel we have launched quite a bit of free functionality in both Arsenal Image Mounter and Hibernation Recon, especially when you consider that Olof Lagerkvist is an excellent programmer (as are some of our other employees and contractors) and he does not work for free.

On a related note, developing software tends to be a way for us to lose money, not make it. If we did not have a successful consulting business, we would not be building software. Regardless, we will continue to fund more free functionality in Arsenal Image Mounter and I am open to suggestions related to that functionality, our GUI, mailing list, etc.

Thanks,

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

ReplyQuote
Posted : 16/10/2018 11:33 am
jaclaz
(@jaclaz)
Community Legend

Can you elaborate upon "extremely complicated?" I had previously signed up for our mailing list and just went to our website, clicked "Downloads", expanded "Arsenal Image Mounter", clicked "Arsenal Image Mounter", and a download began. We could eliminate one of the those three clicks (making the navigation more efficient) and I will see about getting that done this week.

[2] that as such is not anymore "free", again in my perverted mind

We are a small company and do not have marketing people. We require signing-up for our mailing list before downloading our tools, which is the primary method we use to alert current (and prospective, in the sense that they have already shown interest) users to updates in our existing tools and the launch of new tools. People can (and do) use throw-away email addresses and unsubscribe to our mailing list after they have downloaded what they want.

We don't charge for Arsenal Image Mounter's core functionality and have source code available on GitHub which we encourage open source projects to use. I feel we have launched quite a bit of free functionality in both Arsenal Image Mounter and Hibernation Recon, especially when you consider that Olof Lagerkvist is an excellent programmer (as are some of our other employees and contractors) and he does not work for free.

On a related note, developing software tends to be a way for us to lose money, not make it. If we did not have a successful consulting business, we would not be building software. Regardless, we will continue to fund more free functionality in Arsenal Image Mounter and I am open to suggestions related to that functionality, our GUI, mailing list, etc.

Thanks,

Mark Spencer, President
Arsenal Consulting, Inc.
ArsenalExperts.com
@ArsenalArmed

Mark ) ,
I knew my post would have stirred the pot, but not as much as this 😯 .

Once said that you have all the rights in the world (+1) to do whatever you want with your software, imagine that you are a non-forensics interested user in need of just a RAW image mounter.

If you go to github (the repository for the source code)
https://github.com/ArsenalRecon/Arsenal-Image-Mounter
there are "here and there" also compiled binaries, but on the "homepage" there is a hyperlink to

For end users, Arsenal Image Mounter’s full functionality (along with all our other tools) is available as part of an affordable monthly subscription. If Arsenal Image Mounter is licensed, it runs in "Professional Mode.” If Arsenal Image Mounter is run without a license, it will run in "Free Mode" and provide core functionality.
Please see Arsenal Image Mounter’s product page https://ArsenalRecon.com/weapons/image-mounter for more details.

The
https://arsenalrecon.com/weapons/image-mounter
is no more and redirects to
https://arsenalrecon.com/#products

scrolling down the page there is the choice for the various types of subscriptions, and only after it there is a

Looking for the latest
versions of our tools?

with a "Go to downloads" link to http//arsenalrecon.com/downloadsregistration/
where there is a registration form

Join our mailing list to arm yourself with Arsenal Recon updates and tools! Our mailing list is double opt-in so you will need to check your email before receiving our mailing list or downloading our tools. Please note, for the purpose of downloading our tools, cookies are required for our website to remember you in the future.

That is - again in my perverted mind - a complicated way.

To compare, check how you can get to download OFSMount
https://www.osforensics.com/tools/mount-disk-images.html
or IMDISK
http//www.ltr-data.se/opencode.html/

As said you have all the rights in the world to want people subscribing to your mailing list (while as you mentioned a number of people will provide throwaway accounts and/or unsuscribe right after having had access to the download, making it largely irrelevant), require e-mail confirmation and have cookies enabled and possibly also solve a Sudoku puzzle (besides a CAPTCHA) before allowing people to download the driver, still it is not "direct" or "easy".

Now, if you can bear another critique , you have three products
1) Registry Recon
2) Hibernation Recon
3) Image Mounter
the first two are "forensics" only (or 99.99% forensics) tools, so it is likely that people interested in them may be interested in forensics and thus in your other (future) products, the third is a (nice BTW) "generic" system tool/driver that may have tens of uses outside forensics, so it is (still IMHO) unlikely that people interested in it may have any use of the other (most probably as well very nice) tools or that are interested in forensics, let alone subscribing to the SAAS bundle to use only one tool.

Only as an anecdote, last car I bought new, I wanted, for some reasons, folding rear mirrors but I could have them only as a bundle called "Comfort Pack" or similar that for a mere 1,500 Euro or so included heated front seats and I cannot remember whatever other gadget I had no use for.

jaclaz

ReplyQuote
Posted : 16/10/2018 3:08 pm
JimC
 JimC
(@jimc)
Member

Thank you @Passmark for confirming that OSFMount will support physical disk emulation in a future release. That would be fantastic. Please can I ask if it would also be possible to add write support (to a temp file)? Together these would make two killer features.

I agree on the comments about AIM. It is a great looking tool but rather hard to get hold of. Sure, you can download and build from the source but not many people are going to try this. It makes me think the "business" model hasn't quite been thought through.

OSFMount is free and "just works". FTK Image is free and "just works". AIM is hard to get and deliberately hard to use unless you subscribe. That is a shame because it is technically excellent once you get it working.

Jim

www.binarymarkup.com

ReplyQuote
Posted : 16/10/2018 3:17 pm
Passmark
(@passmark)
Active Member

JFYI, the "base" under the OFSMount tool is IMDISK, by Olof Lagerkvist, who is the same Author as Arsenal Image Mounter.

True, there was a fork 8 years ago. Code is fairly different now however. We added E01 support and 64bit support. Try running some benchmarks on RAM drives for a further example of the differences.

Also it is worth stating that none of these mounting tools (at least the ones we have looked at) are totally original work. For example AIM is based on Microsoft's code.

This code here,
https://code.msdn.microsoft.com/windowshardware/WDKStorPortVirtualMiniport-973650f6
Which was released under the Apache License. And we'll also be using chunks of that code in the next OSFMount release. Although there does seem to be a few bugs in it, it is a solid starting point that people would be foolish not to use.

A big part of the job in modern software development is seamlessly gluing together other people's code and libraries to make something useful. It isn't an easy job however. It is worth paying for when done well.

ReplyQuote
Posted : 17/10/2018 12:51 am
randomaccess
(@randomaccess)
Active Member

OSFMount is free and "just works". FTK Image is free and "just works". AIM is hard to get and deliberately hard to use unless you subscribe. That is a shame because it is technically excellent once you get it working.

I have to disagree that AIM is hard to use, but yes, it is harder than OSFMount to get (FTK Imager requires you to enter details into the AD website). The website indicates it requires you to have the cookie on your machine, so if you move between machines you may need to register multiple times I guess?

Mark, maybe if it's not difficult, allowing examiners to create an account that they can use to easily get to the downloads?

I find having a few mounting tools is a good idea; FTK is my go-to, but it's been failing recently so I jump over to the free version of AIM. Maybe I need to start with AIM and go the other way.

ReplyQuote
Posted : 17/10/2018 8:24 am
jaclaz
(@jaclaz)
Community Legend

True, there was a fork 8 years ago. Code is fairly different now however. We added E01 support and 64bit support. Try running some benchmarks on RAM drives for a further example of the differences.

Also it is worth stating that none of these mounting tools (at least the ones we have looked at) are totally original work. For example AIM is based on Microsoft's code.

This code here,
https://code.msdn.microsoft.com/windowshardware/WDKStorPortVirtualMiniport-973650f6
Which was released under the Apache License. And we'll also be using chunks of that code in the next OSFMount release. Although there does seem to be a few bugs in it, it is a solid starting point that people would be foolish not to use.

A big part of the job in modern software development is seamlessly gluing together other people's code and libraries to make something useful. It isn't an easy job however. It is worth paying for when done well.

Yep, that is the good thing about Open Source, knowledgeable people can re-use parts of the code and hopefully make a "better" product without re-starting each time from scratch. )

Still just for the record, in the meantime IMDISK has also a 64 bit version and has support (though it is only debugging/experimental) via the devio and a third party proxy for the libEWF library by Joachim Metz

http//reboot.pro/topic/19940-ewf-proxy-for-imdisk/

The devio is sort of "generic" interface and is supported by both IMDISK and AIM, allowing, besides the use of a proxy also to mount a "remote" volume on the network.

@JimC
@randomaccess
Back to the AIM "accessibility" topic, to be fair ) you can have all the relevant parts of the driver (but not the GUI tool) from the GITHUB repository without any registration/cookie
https://github.com/ArsenalRecon/Arsenal-Image-Mounter/blob/master/Directory_structure.txt

and if you really-really cannot use the command line the already mentioned IMGMOUNT
http//reboot.pro/files/file/374-imgmount/
might do.

jaclaz

ReplyQuote
Posted : 17/10/2018 9:04 am
JimC
 JimC
(@jimc)
Member

@Passmark Please could you confirm when the next release of OSFMount may be available?

I imagine many of us would be very keen to try it as an alternative to AIM, FTK etc.

Jim

www.binarymarkup.com

ReplyQuote
Posted : 08/01/2019 4:01 pm
Passmark
(@passmark)
Active Member

Should have a beta release in the next few days.
Only major issue, that we are currently aware of, for the beta is device driver code signing. The whole code signing thing has become a minefield. So we might have to initially do unsigned drivers for the beta (unsigned by Microsoft that is).
I'll post a link here once it is up.

ReplyQuote
Posted : 10/01/2019 12:51 am
Sunnych
(@sunnych)
New Member
I've been recently been having a play with different image mounting tools.

PassMark's "OSFMount" looks pretty good and is free. It supports mounting E01 images but seems to have two limitations

1. The driver performs a "logical" mount of file system volumes. It doesn't mount the underlying sectors in a "physical" disk image

2. The E01 feature is missing write support. This means it can't be used with virtualisation software to "live boot" an image

I also had a look at Arsenal's "Image Mounter (AIM)" tool. The basic version of this is free although a little more fiddly to use. There seems to be a more (expensive?) paid version which offers more features. Crucially, it does support mounting images "physical images".

Finally, I looked at "FTK Imager". This is free and offers both "physical" mounting and E01 support. For my purposes, it therefore seems superior to both OSFMount and AIM.

Does anyone have any comments or suggestions for other image mounting tools? Did I miss anything with PassMark's tool?
Jim
www.binarymarkup.com

read my article, sorry for the flaw that I wrote it in Russian, but I think an automatic translator in Google Chrome will help you, everything is clear and visible in the pictures and in the description with a real example
Virtualization of forensic images in Windows

ReplyQuote
Posted : 12/01/2019 1:12 pm
Page 1 / 2
Share: