FTK image mounting question & Mobile Devices

["James H. Moore" <jhmiso () RIT EDU>]

Accessdata is still looking for the answer to this question – can FTK mount non-Windows (hfs+, UFS, ext2, ext3, and 
mobile device) filesystems as Windows partitions?

The situation.  FTK has a number of distinct advantages.  One new one is the ability to remotely acquire images (one 
system at a time) in their workstation product.  I had used EnCase and their VFS product to mount forensic images and 
run Identity Finder scans from Windows.  In EnCase Workstation 4.x (and 5.x, I think), VFS would mount the image as a 
drive, but would only work for FAT and NTFS filesystems.  I complained to Guidance Software  throughout that time.  
They represented hfs+, UFS, ext2, ext3 internally as a generic hierarchical filesystem, and you could read/copy 
individual files, why couldn't they export them.  In version 6 of EnCase, they did.  But VFS also became unreliable.  I 
would have to attempt the mount more than once, sometimes, I would even have to reboot to get VFS to work.  Eventually, 
I got advice on the Guidance Software support forums … use FTK Imager to mount the forensic image, it is rock solid.  
This wasn't from a Guidance Software employee, of course, but it did simplify my life, until Flashback.

FTK Imager didn't handle non-Windows file system.  Accessdata suggested that I use FTK instead of FTK imager for the 
mount, but didn't have a list of filesystems that it would mount.  I am not yet on their latest version (4), so I 
wanted to know about where they are now.  Also, we are having more incidents involving mobile devices (mainly iPhone, 
and iPad, with a little android).  We were looking at purchasing Mobile Phone Examiner (MPE+) from Accessdata, but 
wanted to mount the files from a phone to a Windows, and run Identity Finder to determine data at risk.

Anyone have any information on mounting non-Windows file systems as a Windows file system?  Does it work with mobile 
device persistent memory images from mobile devices?


Jim
- - - -
Jim Moore, CISSP, IAM, ITIL Foundations
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late.  Miyamoto Musashi, Japanese philosopher/samurai, 1645

A ship in harbor is safe -- but that is not what ships are built for.  John A. Shedd, Salt from My Attic, 1928

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity 
to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other 
than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any 
copies of this information