Events for all Levels and InterestsStay
Jump Start Your Career GrowthStay
Get on the Higher Ed IT MapStay
Uncommon Thinking for the Common Good™Stay
FTK image mounting question & Mobile Devices
Accessdata is still looking for the answer to this question – can FTK mount non-Windows (hfs+, UFS, ext2, ext3, and mobile device) filesystems as Windows partitions?
The situation. FTK has a number of distinct advantages. One new one is the ability to remotely acquire images (one system at a time) in their workstation product. I had used EnCase and their VFS product to mount forensic images and run Identity Finder scans from Windows. In EnCase Workstation 4.x (and 5.x, I think), VFS would mount the image as a drive, but would only work for FAT and NTFS filesystems. I complained to Guidance Software throughout that time. They represented hfs+, UFS, ext2, ext3 internally as a generic hierarchical filesystem, and you could read/copy individual files, why couldn't they export them. In version 6 of EnCase, they did. But VFS also became unreliable. I would have to attempt the mount more than once, sometimes, I would even have to reboot to get VFS to work. Eventually, I got advice on the Guidance Software support forums … use FTK Imager to mount the forensic image, it is rock solid. This wasn't from a Guidance Software employee, of course, but it did simplify my life, until Flashback.
FTK Imager didn't handle non-Windows file system. Accessdata suggested that I use FTK instead of FTK imager for the mount, but didn't have a list of filesystems that it would mount. I am not yet on their latest version (4), so I wanted to know about where they are now. Also, we are having more incidents involving mobile devices (mainly iPhone, and iPad, with a little android). We were looking at purchasing Mobile Phone Examiner (MPE+) from Accessdata, but wanted to mount the files from a phone to a Windows, and run Identity Finder to determine data at risk.
Anyone have any information on mounting non-Windows file systems as a Windows file system? Does it work with mobile device persistent memory images from mobile devices?
- - - -
Jim Moore, CISSP, IAM, ITIL Foundations
Senior Information Security Forensic Investigator
Rochester Institute of Technology
151 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 255-0809 (Cell - Incident Reporting & Emergencies)
(585) 475-7920 (fax)
If you consciously try to thwart opponents, you are already late. Miyamoto Musashi, Japanese philosopher/samurai, 1645
A ship in harbor is safe -- but that is not what ships are built for. John A. Shedd, Salt from My Attic, 1928
CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information