Educause Security Discussion mailing list archives
FTK image mounting question & Mobile Devices
From: "James H. Moore" <jhmiso () RIT EDU>
Date: Wed, 2 May 2012 14:17:40 -0400
Accessdata is still looking for the answer to this question – can FTK mount non-Windows (hfs+, UFS, ext2, ext3, and mobile device) filesystems as Windows partitions? The situation. FTK has a number of distinct advantages. One new one is the ability to remotely acquire images (one system at a time) in their workstation product. I had used EnCase and their VFS product to mount forensic images and run Identity Finder scans from Windows. In EnCase Workstation 4.x (and 5.x, I think), VFS would mount the image as a drive, but would only work for FAT and NTFS filesystems. I complained to Guidance Software throughout that time. They represented hfs+, UFS, ext2, ext3 internally as a generic hierarchical filesystem, and you could read/copy individual files, why couldn't they export them. In version 6 of EnCase, they did. But VFS also became unreliable. I would have to attempt the mount more than once, sometimes, I would even have to reboot to get VFS to work. Eventually, I got advice on the Guidance Software support forums … use FTK Imager to mount the forensic image, it is rock solid. This wasn't from a Guidance Software employee, of course, but it did simplify my life, until Flashback. FTK Imager didn't handle non-Windows file system. Accessdata suggested that I use FTK instead of FTK imager for the mount, but didn't have a list of filesystems that it would mount. I am not yet on their latest version (4), so I wanted to know about where they are now. Also, we are having more incidents involving mobile devices (mainly iPhone, and iPad, with a little android). We were looking at purchasing Mobile Phone Examiner (MPE+) from Accessdata, but wanted to mount the files from a phone to a Windows, and run Identity Finder to determine data at risk. Anyone have any information on mounting non-Windows file systems as a Windows file system? Does it work with mobile device persistent memory images from mobile devices? Jim - - - - Jim Moore, CISSP, IAM, ITIL Foundations Senior Information Security Forensic Investigator Rochester Institute of Technology 151 Lomb Memorial Drive Rochester, NY 14623-5603 (585) 475-5406 (office) (585) 255-0809 (Cell - Incident Reporting & Emergencies) (585) 475-7920 (fax) If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher/samurai, 1645 A ship in harbor is safe -- but that is not what ships are built for. John A. Shedd, Salt from My Attic, 1928 CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information
Current thread:
- FTK image mounting question & Mobile Devices James H. Moore (May 02)
- Re: FTK image mounting question & Mobile Devices Matt Presser (May 04)
- Re: FTK image mounting question & Mobile Devices Vern Morgan (May 04)
- Re: FTK image mounting question & Mobile Devices Matt Presser (May 04)
- Re: FTK image mounting question & Mobile Devices Vern Morgan (May 04)
- Re: FTK image mounting question & Mobile Devices Matt Presser (May 04)