In Forensic, to investigate
a hard drive or disks we always make a forensic image. A Forensic Image is a
forensically sound and complete copy of a hard drive or other digital media,
generally intended for use as evidence. Copies include unallocated space, slack
space, and boot record. Many computer
forensic programs, especially the all-in-one suites, use their own file formats
to store information. These images are stored in a format of RAW file or AFF or
E01.
RAW Image Format: This format is a RAW bit-by-bit
copy of the original. It is often accompanied by Meta data stored in separate
formats. This Image Format is most common used and is read by every Forensic
tool in the industry.
Once the RAW image is
created, it can't be read unless it is mounted by a tool. Mount is the process
that will take the raw logical image and mount it onto a specified directory of
choice to be able to examine the contents of that image. The image has to
include be a recognizable file system as a partition. This makes invocation of
the command interesting as the raw image is a physical disk image and not a
specific partition of a file system.
Mount an image for a
read-only view that leverages to see the content of the image exactly as the
user saw it on the original drive.
There are various methods to
mount a RAW file. But before we learn how to mount our RAW files, just have
look on your my computer so that you can have a idea about how many drives you
have before mounting a RAW file. For instance, following is the image of my
computer of my PC:
Now, Let us have a look on
these methods :
Forensic Tool Kit Imager
FTK Imager (version - 3.4.2)
is tool introduced by Access Data which is used to preview data. It is also an
imaging tool that lets us acquire in a forensically sound way. FTK helps us to create
forensic images, Mount an image for a read-only view, Create hashes of files,
etc and right now we will focus on its Mount function. To mount a RAW image
file via FTK, first of all download FTK from --> http://accessdata.com/product-download/digital-forensics/ftk-imager-version-3.4.2
Now that FTK is downloaded
and installed, open it and click on Files on the menu bar. A drop down
menu will appear, from this menu click on Image Mounting.
A dialogue box will
open now. Give the path of RAW file in Image File option and click on Mount
button.
Once you click on
Mount button your image will be mounted and you can see result in Mapped images:
OSFMount
OSFMount (version -
1.5.1015) is software by PassMark Software’s. It helps you mount your image
files even your hard disk image file in windows with a drive letter. You can
then analyze the disk image files further. For your original files not to be
altered, the image files are mounted as read only by default. Download this
software from --> http://www.osforensics.com/tools/mount-disk-images.html
Open OSFMount after
the instalation is completed open it:
Go to File menu and
select Mount new virtual disk option.
Dialogues will open;
here give the path of your image file under the heading Image file and click on
OK.
You can see in the
following image that your RAW image will be mounted as a result:
Mount Image Pro
Get Data is a
software development company that has launched Mount Image Pro (version - 6).
It is a computer forensic tool which enables us to mount an image for forensic
purpose. You can download this software from http://www.mountimage.com/
Open the software
after its installation.
Go to File menu and
click on Mount Image File.
A dialogue box will
open and select your image file from it.
And then another dialogue
box will open informing you with all the details. Click on OK.
It will further show
you the progress in another dialogue box.
And as the outcome
you can see that your image file will mount as shown in following image:
Now, as i had asked
you to check you’re my computer before mounting the image, similarly, you can
again check my computer and you will an extra drive as shown below:
0 comments:
Post a Comment