Forums
Main Category
General (Technical,...
OSFMount v Arsenal ...
 
Notifications
Clear all

OSFMount v Arsenal Image Mounter v FTK Imager

 
Page 2 / 3
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Passmark 6 years ago
24 Posts
10 Users
0 Reactions
11 K Views
RSS
 randomaccess
(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
17/10/2018 8:24 am  

OSFMount is free and "just works". FTK Image is free and "just works". AIM is hard to get and deliberately hard to use unless you subscribe. That is a shame because it is technically excellent once you get it working.

I have to disagree that AIM is hard to use, but yes, it is harder than OSFMount to get (FTK Imager requires you to enter details into the AD website). The website indicates it requires you to have the cookie on your machine, so if you move between machines you may need to register multiple times I guess?

Mark, maybe if it's not difficult, allowing examiners to create an account that they can use to easily get to the downloads?

I find having a few mounting tools is a good idea; FTK is my go-to, but it's been failing recently so I jump over to the free version of AIM. Maybe I need to start with AIM and go the other way.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
17/10/2018 9:04 am  

True, there was a fork 8 years ago. Code is fairly different now however. We added E01 support and 64bit support. Try running some benchmarks on RAM drives for a further example of the differences.

Also it is worth stating that none of these mounting tools (at least the ones we have looked at) are totally original work. For example AIM is based on Microsoft's code.

This code here,
https://code.msdn.microsoft.com/windowshardware/WDKStorPortVirtualMiniport-973650f6
Which was released under the Apache License. And we'll also be using chunks of that code in the next OSFMount release. Although there does seem to be a few bugs in it, it is a solid starting point that people would be foolish not to use.

A big part of the job in modern software development is seamlessly gluing together other people's code and libraries to make something useful. It isn't an easy job however. It is worth paying for when done well.

Yep, that is the good thing about Open Source, knowledgeable people can re-use parts of the code and hopefully make a "better" product without re-starting each time from scratch. )

Still just for the record, in the meantime IMDISK has also a 64 bit version and has support (though it is only debugging/experimental) via the devio and a third party proxy for the libEWF library by Joachim Metz

http//reboot.pro/topic/19940-ewf-proxy-for-imdisk/

The devio is sort of "generic" interface and is supported by both IMDISK and AIM, allowing, besides the use of a proxy also to mount a "remote" volume on the network.

@JimC
@randomaccess
Back to the AIM "accessibility" topic, to be fair ) you can have all the relevant parts of the driver (but not the GUI tool) from the GITHUB repository without any registration/cookie
https://github.com/ArsenalRecon/Arsenal-Image-Mounter/blob/master/Directory_structure.txt

and if you really-really cannot use the command line the already mentioned IMGMOUNT
http//reboot.pro/files/file/374-imgmount/
might do.

jaclaz


   
ReplyQuote
JimC
 JimC
(@jimc)
Estimable Member
Joined: 9 years ago
Posts: 86
Topic starter 08/01/2019 5:01 pm  

@Passmark Please could you confirm when the next release of OSFMount may be available?

I imagine many of us would be very keen to try it as an alternative to AIM, FTK etc.

Jim

www.binarymarkup.com


   
ReplyQuote
Passmark
 Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
10/01/2019 1:51 am  

Should have a beta release in the next few days.
Only major issue, that we are currently aware of, for the beta is device driver code signing. The whole code signing thing has become a minefield. So we might have to initially do unsigned drivers for the beta (unsigned by Microsoft that is).
I'll post a link here once it is up.


   
ReplyQuote
Sunnych
 Sunnych
(@sunnych)
Active Member
Joined: 7 years ago
Posts: 8
12/01/2019 2:12 pm  
I've been recently been having a play with different image mounting tools.

PassMark's "OSFMount" looks pretty good and is free. It supports mounting E01 images but seems to have two limitations

1. The driver performs a "logical" mount of file system volumes. It doesn't mount the underlying sectors in a "physical" disk image

2. The E01 feature is missing write support. This means it can't be used with virtualisation software to "live boot" an image

I also had a look at Arsenal's "Image Mounter (AIM)" tool. The basic version of this is free although a little more fiddly to use. There seems to be a more (expensive?) paid version which offers more features. Crucially, it does support mounting images "physical images".

Finally, I looked at "FTK Imager". This is free and offers both "physical" mounting and E01 support. For my purposes, it therefore seems superior to both OSFMount and AIM.

Does anyone have any comments or suggestions for other image mounting tools? Did I miss anything with PassMark's tool?
Jim
www.binarymarkup.com

read my article, sorry for the flaw that I wrote it in Russian, but I think an automatic translator in Google Chrome will help you, everything is clear and visible in the pictures and in the description with a real example
Virtualization of forensic images in Windows


   
ReplyQuote
UnallocatedClusters
 UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
13/01/2019 8:52 pm  

You should also consider GetData's MountImage Pro as an alternative (albeit not a free to use license).

I use OSFMount, Arsenal and FTK Imager as well in my practice (one can never have too many tools IMHO).

GetData's Forensic Explorer has an automated forensic image boot-to-VM capability, leveraging MountImage Pro, FYI.


   
ReplyQuote
Passmark
 Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
25/01/2019 8:31 am  

Beta release of OSFMount with physical drives emulation is now available
https://www.osforensics.com/tools/mount-disk-images.html

The code signing process for the device driver took us way longer than it should have, the whole Microsoft process is a complete train wreck.

But there are some limits.
1) Raw format only, if mounting an existing image with physical drives emulation. (no E01 support (yet))
2) No command line with physical drives emulation (yet)
3) 64bit support only. No 32bit. We are never going back to 32bit now.
4) We've only tested on Win7 and Win10. No idea if Win8 will work.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
25/01/2019 4:39 pm  

Beta release of OSFMount with physical drives emulation is now available

Good. )

3) 64bit support only. No 32bit. We are never going back to 32bit now.

Bad. (

jaclaz


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
26/01/2019 2:12 pm  

The fact that it's only available as 64-bit is irrelevant. It's free, and for that, I thank you. It's in the range for testing to demonstrate the usage.

Anyone who complains about a free 32-bit version not being available should be welcome to write their own, and provide it for free.


   
ReplyQuote
Passmark
 Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
28/01/2019 11:11 pm  

We track which O/S are in use with our benchmark software.

Here are the numbers.

Windows 10 (32-bit), 0.63%
Windows 10 (64-bit), 86.37%
Windows 7 (32-bit), 0.99%
Windows 7 (64-bit), 8.94%
Windows 8 (64-bit), 0.25%
Windows 8.1 (64-bit), 1.98%

Same data as a graph.
https://www.pcbenchmarks.net/os-marketshare.html

So we can cover 96% of Windows users by just supporting Win7 and Win10 64bit.
A year from now it will likely be 98%. And I would expect people doing professional computer forensics to be ahead of the curve in terms of 64bit O/S usage.


   
ReplyQuote
Page 2 / 3
Forum Jump:
  Previous Topic
Next Topic  
Share: