I wasn't quite sure where to post this…
I'm using FTK and trying to mount an EXT3 partition containing a dd image of an NTFS partition. I can mount the physical disk as evidence and can search the dd image just fine. What I was wondering is if anyone knows of a way to mount the dd image so I can get a file listing rather than viewing it as raw data.
Any help is appreciated.
Hogfly
Have you added the DD image as evidence in FTK?
Neil Beattie
If you use FTK Imager you can 'mount' the dd image in a file list view. You can browse folders and files in an explorer type view.
Nick
OK, excuse my ignorance of commercial tools, but how exactly does one mount a dd image on an ext3 partition as evidence when FTK only allows me to mount the disk containing the ext3 partition as the 'physical disk', since Windows can't natively mount a logical partition that is ext3? I can see the dd image and view the contents in hex or ASCII, but can't do a file listing.
Thanks.
Extract the DD image files from the FTK case (to a folder on your local machine). Then import this as evidence into this or another case. Should work a treat. FTK handles DD images no problem.
Andy
I have experimented in the past with booting into Helix then using DD to create an image on an attached USB drive that has an ext2 partition.
Then using a utility called ext2fs, I was able to mount the drive in Windows. I didn't find the performance to be adequate, so I copied the DD file onto the local hard disk and worked with the image from there.
Doing a quick search on the net, there are a number of utilities that will allow you to mount an ext3 partition in Windows. For example, http//
Don't know how well they work as I've only used ext2fs but worth looking into.
Neil
Andy,
That's what I was considering. Using that method requires a write blocker, does it not?
nbeattie, mount-everything was recommended to me for just that purpose, except it's not forensically sound.
Thanks for the help.
Don't excuse your ignorance, I didn't read your question properly. Andy helped clarify though.
Cheers
Nick
I'm intrigued as to what you consider to be "not forensically sound"?
hogfly, if you have accessed the drive as a physical device in FTK without a write blocker then it has not been handled in a forensically sound manner, i.e. you have accessed the original data. So it is a bit late to worry about a write blocker; however, the DD image you have on the suspect drive is in effect a 'container' with a file system locked within. By making and using copies, you will always have the original DD files untouched... well, almost, as you will possibly have altered the original DD files (at least their attributes - last accessed) by mounting them in FTK as a physical device without a write blocker.
Andy
P.S. If you need a write blocker you can try Data Duplication http//
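The "make and use copies, leave the original DD files untouched" advice in the post above can be made checkable: hash the original image once, block-copy it with dd, and work only from a copy whose hash matches the recorded baseline. The script below is an added example, not code from this thread or from FTK; it assumes a POSIX shell with dd and either coreutils sha256sum or BSD shasum, and the image it hashes is a constructed 1 MiB random file standing in for the real dd image.

```shell
#!/bin/sh
# Added example (not from the thread): work from a hash-verified copy of a dd
# image so the original is read exactly once and never modified afterwards.
# Assumes POSIX sh, dd, and sha256sum or shasum. All paths are constructed.
set -eu

# SHA-256 of a file, using whichever hashing tool the system provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the dd image on the evidence drive: 1 MiB of random bytes.
make_sample_image() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

# Hash the original once, before any other tool touches it, and record the
# hash in a sidecar file ($2) for the case notes. Prints the hash on stdout.
baseline_hash() {
    h=$(hash_file "$1")
    printf '%s  %s\n' "$h" "$1" > "$2"
    printf '%s\n' "$h"
}

# Compare a working copy ($2) against the recorded baseline ($1). The original
# image is not re-read here, so verification never touches it again.
# Exit status 0 on match, 1 on mismatch.
verify_copy() {
    expected=$(cut -d' ' -f1 "$1")
    actual=$(hash_file "$2")
    [ "$expected" = "$actual" ]
}

# Block-copy the image ($1 -> $2) with dd, then verify the copy against the
# baseline file ($3). Succeeds only if the copy is bit-for-bit identical.
copy_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
    verify_copy "$3" "$2"
}

# Demonstration on constructed files in a temporary directory.
workdir=$(mktemp -d)
make_sample_image "$workdir/partition.dd"                      # "original" image
baseline_hash "$workdir/partition.dd" "$workdir/partition.dd.sha256" >/dev/null
if copy_and_verify "$workdir/partition.dd" "$workdir/working.dd" "$workdir/partition.dd.sha256"; then
    echo "working.dd matches the baseline; analyse it and leave partition.dd alone"
fi
# A copy that is altered later (here, one byte appended) fails verification.
printf 'x' >> "$workdir/working.dd"
if ! verify_copy "$workdir/partition.dd.sha256" "$workdir/working.dd"; then
    echo "working.dd no longer matches the baseline"
fi
rm -rf "$workdir"
```

On a Linux analysis box the verified copy is what you would then mount read-only (for example with `mount -o ro,loop`) to get the file listing the original poster was after; re-running verify_copy after the analysis session shows whether the mount left the copy unchanged, and the baseline file is the record that the original image was only ever read once.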