Re: FTK image mounting question & Mobile Devices

[Matt Presser <matt () NMSU EDU>]

Well, I could have just answered to Jim (James) but figured since no one 
else had answered it might be information that others on the list found 
useful.  Sorry for any inconvenience.

matt


On 5/4/12 3:59 PM, Vern Morgan wrote:
> Believe you got the wrong James...
> Vern Morgan
> IT Policy and Planning Administrator
> Weber State University
> Tel:  801-626-7201
> email: vernmorgan () weber edu <mailto:vernmorgan () weber edu>
>
>
> >>> Matt Presser <matt () NMSU EDU> 5/4/2012 2:38 PM >>>
> James,
>
> In ftk4 I've successfully mounted as a logical RO filesystem ext 
> partitions from a linux box and hfs+ partitions from an ipad image and 
> from an osx box. Not sure what you mean about mobile device persistent 
> memory images...can you explain that to me?
>
> FWIW
>
> On 5/2/12 12:17 PM, James H. Moore wrote:
> > Accessdata is still looking for the answer to this question – can FTK 
> > mount non-Windows (hfs+, UFS, ext2, ext3, and mobile device) 
> > filesystems as Windows partitions?
> >
> > The situation.  FTK has a number of distinct advantages.  One new one 
> > is the ability to remotely acquire images (one system at a time) in 
> > their workstation product.  I had used EnCase and their VFS product 
> > to mount forensic images and run Identity Finder scans from Windows. 
> >  In EnCase Workstation 4.x (and 5.x, I think), VFS would mount the 
> > image as a drive, but would only work for FAT and NTFS filesystems. 
> >  I complained to Guidance Software  throughout that time.  They 
> > represented hfs+, UFS, ext2, ext3 internally as a generic 
> > hierarchical filesystem, and you could read/copy individual files, 
> > why couldn't they export them.  In version 6 of EnCase, they did. 
> >  But VFS also became unreliable.  I would have to attempt the mount 
> > more than once, sometimes, I would even have to reboot to get VFS to 
> > work.  Eventually, I got advice on the Guidance Software support 
> > forums … use FTK Imager to mount the forensic image, it is rock 
> > solid.  This wasn't from a Guidance Software employee, of course, but 
> > it did simplify my life, until Flashback.
> >
> > FTK Imager didn't handle non-Windows file system.  Accessdata 
> > suggested that I use FTK instead of FTK imager for the mount, but 
> > didn't have a list of filesystems that it would mount.  I am not yet 
> > on their latest version (4), so I wanted to know about where they are 
> > now.  Also, we are having more incidents involving mobile devices 
> > (mainly iPhone, and iPad, with a little android).  We were looking at 
> > purchasing Mobile Phone Examiner (MPE+) from Accessdata, but wanted 
> > to mount the files from a phone to a Windows, and run Identity Finder 
> > to determine data at risk.
> >
> > Anyone have any information on mounting non-Windows file systems as a 
> > Windows file system?  Does it work with mobile device persistent 
> > memory images from mobile devices?
> >
> >
> > Jim
> > - - - -
> > Jim Moore, CISSP, IAM, ITIL Foundations
> > Senior Information Security Forensic Investigator
> > Rochester Institute of Technology
> > 151 Lomb Memorial Drive
> > Rochester, NY 14623-5603
> > (585) 475-5406 (office)
> > (585) 255-0809 (Cell - Incident Reporting & Emergencies)
> > (585) 475-7920 (fax)
> >
> >
> > If you consciously try to thwart opponents, you are already late.  
> > Miyamoto Musashi, Japanese philosopher/samurai, 1645
> >
> > A ship in harbor is safe -- but that is not what ships are built 
> > for.  John A. Shedd, Salt from My Attic, 1928
> >
> > CONFIDENTIALITY NOTE: The information transmitted, including 
> > attachments, is intended only for the person(s) or entity to which it 
> > is addressed and may contain confidential and/or privileged material. 
> > Any review, retransmission, dissemination or other use of, or taking 
> > of any action in reliance upon this information by persons or 
> > entities other than the intended recipient is prohibited. If you 
> > received this in error, please contact the sender and destroy any 
> > copies of this information
>
> --
> Matt Presser, GCFA, ACE
> Enterprise Systems Security Administrator
> Information&  Communication Technologies
> New Mexico State University
> matt () nmsu edu
> 575-646-2389

--
Matt Presser, GCFA, ACE
Enterprise Systems Security Administrator
Information&  Communication Technologies
New Mexico State University
matt () nmsu edu
575-646-2389