Educause Security Discussion mailing list archives

Re: FTK image mounting question & Mobile Devices


From: Vern Morgan <vernmorgan () WEBER EDU>
Date: Fri, 4 May 2012 15:59:19 -0600

Believe you got the wrong James...
 
Vern Morgan
IT Policy and Planning Administrator
Weber State University
 
Tel:  801-626-7201
email:  vernmorgan () weber edu


Matt Presser <matt () NMSU EDU> 5/4/2012 2:38 PM >>>
James,

In FTK 4 I've successfully mounted as a logical RO filesystem ext
partitions from a Linux box and hfs+ partitions from an iPad image and
from an OS X box. Not sure what you mean about mobile device persistent
memory images... can you explain that to me?

FWIW

On 5/2/12 12:17 PM, James H. Moore wrote: 


AccessData is still looking for the answer to this question – can FTK
mount non-Windows (hfs+, UFS, ext2, ext3, and mobile device) filesystems
as Windows partitions?

The situation.  FTK has a number of distinct advantages.  One new one
is the ability to remotely acquire images (one system at a time) in
their workstation product.  I had used EnCase and their VFS product to
mount forensic images and run Identity Finder scans from Windows.  In
EnCase Workstation 4.x (and 5.x, I think), VFS would mount the image as
a drive, but would only work for FAT and NTFS filesystems.  I complained
to Guidance Software throughout that time.  They represented hfs+, UFS,
ext2, ext3 internally as a generic hierarchical filesystem, and you
could read/copy individual files, so why couldn't they export them?  In
version 6 of EnCase, they did.  But VFS also became unreliable.  I would
have to attempt the mount more than once; sometimes I would even have
to reboot to get VFS to work.  Eventually, I got advice on the Guidance
Software support forums … use FTK Imager to mount the forensic image, it
is rock solid.  This wasn't from a Guidance Software employee, of
course, but it did simplify my life, until Flashback.

FTK Imager didn't handle non-Windows file systems.  AccessData suggested
that I use FTK instead of FTK Imager for the mount, but didn't have a
list of filesystems that it would mount.  I am not yet on their latest
version (4), so I wanted to know about where they are now.  Also, we are
having more incidents involving mobile devices (mainly iPhone and iPad,
with a little Android).  We were looking at purchasing Mobile Phone
Examiner (MPE+) from AccessData, but wanted to mount the files from a
phone to Windows and run Identity Finder to determine data at risk.


Anyone have any information on mounting non-Windows file systems as a
Windows file system?  Does it work with mobile device persistent memory
images from mobile devices? 


Jim
- - - -
Jim Moore, CISSP, IAM, ITIL Foundations
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)


If you consciously try to thwart opponents, you are already late. 
Miyamoto Musashi, Japanese philosopher/samurai, 1645

A ship in harbor is safe -- but that is not what ships are built for. 
John A. Shedd, Salt from My Attic, 1928


-- 
Matt Presser, GCFA, ACE
Enterprise Systems Security Administrator
Information & Communication Technologies
New Mexico State University
matt@nmsu.edu
575-646-2389
